Connect with us

Hi, what are you looking for?


Malware & Threats

Stealthy Backdoor Compromised Global Organizations Since 2013: FireEye

FireEye on Friday shared details on a recently discovered, highly obfuscated bot that has compromised companies around the world and remained largely undetected by anti-malware solutions since 2013.

FireEye on Friday shared details on a recently discovered, highly obfuscated bot that has compromised companies around the world and remained largely undetected by anti-malware solutions since 2013.

The malicious backdoor, called LATENTBOT by FireEye, has successfully compromised companies in the US, UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland in 2015. 

“It has managed to leave barely any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless,” FireEye researchers Taha Karim and Daniel Regalado wrote in a report.

The security firm said it has observed multiple campaigns targeting multiple industries, but primarily in the financial services and insurance sectors.

One of the most heavily obfuscated backdoors FireEye Labs has found, LATENTBOT has a 6 stage obfuscation process, and, in addition to operating completely in memory, has the ability to scan for cryptocurrency wallets via Pony stealer 2.0 malware plugin.

LATENTBOT implements multiple, new layers of obfuscation, a unique exfiltration mechanism, and has been successful at infecting multiple organizations, FireEye said.

In an effort to remain undetected, the developers behind LATENBOT designed it to only keep malicious code in memory for the short time needed to compromise a system.

Advertisement. Scroll to continue reading.

“Most of the encoded data is found either in the program resources or in the registry,” the researchers explained. “A custom encryption algorithm is shared across the different components, including in encrypting its command and control (C2) communications. Due to this, its family binaries have a low AV detection rate and are detected with a generic name such as Trojan.Generic:.

According to FireEye, LATENBOT is not targeted in nature, but it is selective in the versions of Windows systems it infects, noting that the threat won’t run in Windows Vista or Server 2008. Additionally, if the malware is running on a laptop, it will query the battery status via GetSystemPowerStatus and call SetThreadExecutionState try to prevent the system from sleeping or turning the display off if the battery is low.

Based on similar samples found in the wild and passive DNS information, FireEye believes that that LATENTBOT was created around mid-2013, and uses compromised web servers as C2 infrastructure.

The attackers behind the campaigns have been using the tried-and-true method of leveraging malicious emails containing an old word exploit created with Microsoft Word Intruder (MWI), a well-known exploit kit. When the poisoned word document is opened, malicious code embedded in the file executes and connects to a MWISTAT server, which allows operators to track attack campaigns, and a C2 server to get a second stage binary download, which turned out to be LuminosityLink, a RAT that has the ability to steal passwords, record keystrokes, transfer files and enable attached microphones or webcams.

“Since the running LuminosityLink is a RAT that offers multiple capabilities to fully control the infected box, it is surprising that another payload is being downloaded from a secondary C2 at emenike[.] (,” FireEye detailed. That new module is LATENTBOT.

Core features of LATENTBOT include:

• Malicious code is highly obfuscated and only present in memory in a short period of time

• Hiding applications in a different Desktop

• MBR wiping ability

• Ransomlock similarities being able to lock the Desktop

• Hidden VNC Connection

• Modular design, allowing easy updates on victim machines

• Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically

• Drops Pony malware as a module to act as infostealer

Full details on the six stage process and various plug-ins are available from FireyEye, along with MD5 hashes of LATENBOT samples and IPs/Domains of various C2 servers.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...