I read about a new kind of malware called Latentbot, which has multiple layers of code obfuscation that make it extremely difficult to find and determine how it works. How does this malware work, what are the layers of code obfuscation it uses and how can security vendors stop it?
FireEye recently posted a blog on Latentbot, which has many advanced capabilities to hide its operations. The Latentbot malware has info-stealing capabilities, and it can even steal bitcoins. The Latentbot malware starts with a phishing email that includes a malicious Word attachment. Once the malicious Word file is opened, it connects to a command-and-control server to download the next piece of malware, the LuminosityLink RAT, which is used in the next stage of the attack, where the Latentbot malware is in turn downloaded.
FireEye detailed how Latentbot uses a multistep process to run on the system, and includes plug-ins to determine if it is being analyzed by malware researchers or if the endpoint has antimalware tools installed. The Latentbot malware uses multiple layers of code obfuscation to hide its activities during each step in the attack, but it can be detected in memory. By using code obfuscation in each step, it makes Latentbot difficult to find and analyze. It stores encrypted data in the registry to further hide from detection. It includes a virtual network computing (VNC) function that also has the bot software, infostealer and security checks. It uses VNC because VNC allows a remote viewer to view what is on the screen of the targeted system without notifying the user they are being monitored.
Enterprises can protect their systems by using the same steps as for protecting their systems from other fileless malware, including protecting their systems from phishing attacks and monitoring executables' behavior for suspicious activity, such as making unauthorized external connections and downloads.
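The behavioral monitoring recommended above can be expressed as a simple correlation rule over endpoint telemetry: flag an Office process, or any process it spawned, that opens an outbound connection to an address outside the enterprise's own ranges, which covers the Word-attachment-to-download stage described in the answer. This is an added example, not code from the answer or from FireEye; the event fields and sample records are constructed to resemble an EDR or Sysmon feed and describe no real incident.

```python
"""Correlate process-creation and network-connection events so that an Office
process (or a descendant of one) reaching an external address raises an alert.
Events are assumed to arrive in chronological order, parents before children."""
import ipaddress

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Ranges treated as internal for this example (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip_text):
    """True when the destination lies outside every configured internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def office_lineage(events):
    """Return the PIDs of Office processes and of every process descended from one."""
    tainted = set()
    for ev in events:
        if ev["type"] == "process_create":
            if ev["image"].lower() in OFFICE_IMAGES or ev["parent_pid"] in tainted:
                tainted.add(ev["pid"])
    return tainted

def flag_external_connections(events):
    """Alert on each external connection made by a process in the Office lineage."""
    tainted = office_lineage(events)
    return [f"pid {ev['pid']} ({ev['image']}) -> {ev['dst_ip']}:{ev['dst_port']}"
            for ev in events
            if ev["type"] == "network_connect"
            and ev["pid"] in tainted and is_external(ev["dst_ip"])]

# Constructed sample feed (documentation addresses, not real infrastructure): Word
# opens an attachment, connects out, and spawns a downloader that also connects out;
# a browser connection and a Word connection to an internal file share stay quiet.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "parent_pid": 1, "image": "explorer.exe"},
    {"type": "process_create", "pid": 200, "parent_pid": 100, "image": "WINWORD.EXE"},
    {"type": "network_connect", "pid": 200, "image": "WINWORD.EXE", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"type": "process_create", "pid": 300, "parent_pid": 200, "image": "update.exe"},
    {"type": "network_connect", "pid": 300, "image": "update.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "process_create", "pid": 400, "parent_pid": 100, "image": "chrome.exe"},
    {"type": "network_connect", "pid": 400, "image": "chrome.exe", "dst_ip": "198.51.100.20", "dst_port": 443},
    {"type": "network_connect", "pid": 200, "image": "WINWORD.EXE", "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for alert in flag_external_connections(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Because the rule keys on process lineage rather than on file hashes or C2 addresses, it still fires when each stage is re-obfuscated or the download server changes.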
Related Q&A from Nick Lewis