SecurityWeek

Malware & Threats

Stealthy Backdoor Compromised Global Organizations Since 2013: FireEye

FireEye on Friday shared details on a recently discovered, highly obfuscated bot that has compromised companies around the world and remained largely undetected by anti-malware solutions since 2013.

The malicious backdoor, called LATENTBOT by FireEye, has successfully compromised companies in the US, UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland in 2015. 

“It has managed to leave barely any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless,” FireEye researchers Taha Karim and Daniel Regalado wrote in a report.

The security firm said it has observed multiple campaigns across several industries, primarily the financial services and insurance sectors.

One of the most heavily obfuscated backdoors FireEye Labs has found, LATENTBOT uses a six-stage obfuscation process and, in addition to operating entirely in memory, can scan for cryptocurrency wallets via a Pony Stealer 2.0 plugin.

LATENTBOT implements multiple, new layers of obfuscation, a unique exfiltration mechanism, and has been successful at infecting multiple organizations, FireEye said.

In an effort to remain undetected, the developers behind LATENTBOT designed it to keep malicious code in memory only for the short time needed to compromise a system.

“Most of the encoded data is found either in the program resources or in the registry,” the researchers explained. “A custom encryption algorithm is shared across the different components, including in encrypting its command and control (C2) communications. Due to this, its family binaries have a low AV detection rate and are detected with a generic name such as Trojan.Generic.”

According to FireEye, LATENTBOT is not targeted in nature, but it is selective about the Windows versions it infects: the threat won’t run on Windows Vista or Server 2008. Additionally, if the malware is running on a laptop, it queries the battery status via GetSystemPowerStatus and calls SetThreadExecutionState to try to keep the system from sleeping or turning the display off when the battery is low.

Based on similar samples found in the wild and passive DNS information, FireEye believes that LATENTBOT was created around mid-2013 and uses compromised web servers as C2 infrastructure.

The attackers behind the campaigns have been using the tried-and-true method of malicious emails carrying an older Word exploit built with Microsoft Word Intruder (MWI), a well-known exploit kit. When the poisoned Word document is opened, malicious code embedded in the file executes and connects both to an MWISTAT server, which lets operators track attack campaigns, and to a C2 server to download a second-stage binary. That binary turned out to be LuminosityLink, a RAT that can steal passwords, record keystrokes, transfer files and enable attached microphones or webcams.

“Since the running LuminosityLink is a RAT that offers multiple capabilities to fully control the infected box, it is surprising that another payload is being downloaded from a secondary C2 at emenike[.]no-ip.info (180.74.89.183),” FireEye detailed. That new module is LATENTBOT.
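The domain and IP address in that quote are the only network indicators reproduced in this article. As an added example (not FireEye's or SecurityWeek's code), the following Python refangs the two indicators exactly as published and checks them against constructed proxy and DNS log lines. The log formats, the sample lines and the function names are assumptions made here for illustration; the only facts taken from the page are the two indicators. Note that no-ip.info is a dynamic DNS service, so the matcher deliberately flags only the full hostname and its subdomains, not every no-ip.info host, and a dynamic-DNS IP can be reassigned, so an IP hit on its own is weaker evidence than a hostname hit.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Indicators quoted in the article, kept in the defanged form in which they were published.
DEFANGED_IOCS = ("emenike[.]no-ip.info", "180.74.89.183")


def refang(ioc: str) -> str:
    """Reverse common defanging so an indicator can be compared with log data."""
    return (
        ioc.strip()
        .lower()
        .replace("[.]", ".")
        .replace("(.)", ".")
        .replace("{.}", ".")
        .replace("hxxp://", "http://")
        .replace("hxxps://", "https://")
    )


def load_iocs(defanged: Iterable[str]) -> tuple[set[str], set[str]]:
    """Split refanged indicators into a set of domains and a set of IP addresses."""
    domains: set[str] = set()
    ips: set[str] = set()
    for raw in defanged:
        ioc = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc.rstrip("."))
    return domains, ips


def host_matches(host: str, domains: set[str]) -> bool:
    """True if host equals an indicator domain or is a subdomain of one.

    Only the full indicator (emenike.no-ip.info) matches; the dynamic-DNS parent
    no-ip.info is shared by unrelated hosts and is never matched on its own.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Assumed log formats (not from the report): a proxy CONNECT line and a DNS query line.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<dst>\S+)"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query\[A\] (?P<host>\S+) -> (?P<answer>\S+)")

# Constructed sample log lines; the client addresses and the benign hosts are made up.
SAMPLE_LOGS = [
    "2015-12-11T09:14:02Z 10.0.5.23 CONNECT emenike.no-ip.info:443 180.74.89.183",
    "2015-12-11T09:14:03Z 10.0.5.23 query[A] EMENIKE.no-ip.info. -> 180.74.89.183",
    "2015-12-11T09:15:10Z 10.0.5.40 CONNECT update.example.com:443 93.184.216.34",
    "2015-12-11T09:16:44Z 10.0.5.41 query[A] other.no-ip.info -> 203.0.113.9",
    "2015-12-11T09:17:00Z 10.0.5.42 CONNECT 180.74.89.183:8080 180.74.89.183",
]


def scan(lines: Iterable[str], defanged: Iterable[str] = DEFANGED_IOCS) -> dict[int, list[str]]:
    """Map each matching line index to the reasons it matched.

    Reasons: "domain" (hostname hit), "direct-ip" (client connected straight to the
    indicator IP) and "resolved-ip" (a hostname resolved to the indicator IP).
    """
    domains, ips = load_iocs(defanged)
    hits: dict[int, list[str]] = {}
    for idx, line in enumerate(lines):
        m = PROXY_RE.match(line) or DNS_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        host = fields["host"]
        addr = fields.get("dst") or fields.get("answer")
        reasons: list[str] = []
        if host_matches(host, domains):
            reasons.append("domain")
        if host.lower().rstrip(".") in ips:
            reasons.append("direct-ip")
        if addr and addr in ips and "direct-ip" not in reasons:
            reasons.append("resolved-ip")
        if reasons:
            hits[idx] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOGS).items():
        print(f"{', '.join(reasons):>18}  {SAMPLE_LOGS[idx]}")
```

Run against the constructed lines, the scan flags the two lines that name the C2 hostname (case- and trailing-dot-insensitive), and the direct connection to the C2 IP, while leaving the unrelated no-ip.info host and the benign update host untouched. In a real hunt the same refang/match logic would be pointed at the full hash and domain/IP lists FireEye published rather than at the two indicators quoted here.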

Core features of LATENTBOT include:

• Malicious code is highly obfuscated and only present in memory for a short period of time

• Hiding applications in a different Desktop

• MBR wiping ability

• Ransomlock-like ability to lock the Desktop

• Hidden VNC Connection

• Modular design, allowing easy updates on victim machines

• Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically

• Drops Pony malware as a module to act as infostealer

Full details on the six-stage process and the various plug-ins are available from FireEye, along with MD5 hashes of LATENTBOT samples and the IPs/domains of the C2 servers.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
