Stealthy Backdoor Compromised Global Organizations Since 2013: FireEye

FireEye on Friday shared details on a recently discovered, highly obfuscated bot that has compromised companies around the world and remained largely undetected by anti-malware solutions since 2013.

The malicious backdoor, called LATENTBOT by FireEye, has successfully compromised companies in the US, UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland in 2015. 

“It has managed to leave barely any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless,” FireEye researchers Taha Karim and Daniel Regalado wrote in a report.

The security firm said it has observed multiple campaigns targeting multiple industries, but primarily in the financial services and insurance sectors.

One of the most heavily obfuscated backdoors FireEye Labs has found, LATENTBOT has a 6 stage obfuscation process, and, in addition to operating completely in memory, has the ability to scan for cryptocurrency wallets via Pony stealer 2.0 malware plugin.

LATENTBOT implements multiple, new layers of obfuscation, a unique exfiltration mechanism, and has been successful at infecting multiple organizations, FireEye said.

In an effort to remain undetected, the developers behind LATENBOT designed it to only keep malicious code in memory for the short time needed to compromise a system.

“Most of the encoded data is found either in the program resources or in the registry,” the researchers explained. “A custom encryption algorithm is shared across the different components, including in encrypting its command and control (C2) communications. Due to this, its family binaries have a low AV detection rate and are detected with a generic name such as Trojan.Generic:.”

According to FireEye, LATENBOT is not targeted in nature, but it is selective in the versions of Windows systems it infects, noting that the threat won’t run in Windows Vista or Server 2008. Additionally, if the malware is running on a laptop, it will query the battery status via GetSystemPowerStatus and call SetThreadExecutionState try to prevent the system from sleeping or turning the display off if the battery is low.

Based on similar samples found in the wild and passive DNS information, FireEye believes that that LATENTBOT was created around mid-2013, and uses compromised web servers as C2 infrastructure.

The attackers behind the campaigns have been using the tried-and-true method of leveraging malicious emails containing an old word exploit created with Microsoft Word Intruder (MWI), a well-known exploit kit. When the poisoned word document is opened, malicious code embedded in the file executes and connects to a MWISTAT server, which allows operators to track attack campaigns, and a C2 server to get a second stage binary download, which turned out to be LuminosityLink, a RAT that has the ability to steal passwords, record keystrokes, transfer files and enable attached microphones or webcams.

“Since the running LuminosityLink is a RAT that offers multiple capabilities to fully control the infected box, it is surprising that another payload is being downloaded from a secondary C2 at emenike[.]no-ip.info (180.74.89.183),” FireEye detailed. That new module is LATENTBOT.

Core features of LATENTBOT include:

• Malicious code is highly obfuscated and only present in memory in a short period of time

• Hiding applications in a different Desktop

• MBR wiping ability

• Ransomlock similarities being able to lock the Desktop

• Hidden VNC Connection

• Modular design, allowing easy updates on victim machines

• Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically

• Drops Pony malware as a module to act as infostealer

Full details on the six stage process and various plug-ins are available from FireyEye, along with MD5 hashes of LATENBOT samples and IPs/Domains of various C2 servers.