I read about a new kind of malware called Latentbot, which has multiple layers of code obfuscation that make it extremely difficult to find and determine how it works. How does this malware work, what are the layers of code obfuscation it uses and how can security vendors stop it?
FireEye recently published a blog post on Latentbot, which has many advanced capabilities to hide its operations. The Latentbot malware has info-stealing capabilities, and it can even steal bitcoins. The Latentbot infection starts with a phishing email that includes a malicious Word attachment. Once the malicious Word file is opened, it connects to a command-and-control server to download the next piece of malware, the LuminosityLink RAT, which is used in the next stage of the attack, where Latentbot itself is downloaded.
FireEye detailed how Latentbot uses a multistep process to run on the system, and it includes plug-ins to determine whether it is being analyzed by malware researchers or whether the endpoint has antimalware tools installed. Latentbot uses multiple layers of code obfuscation to hide its activities during each step of the attack, but it can be detected in memory. Using code obfuscation at each step makes Latentbot difficult to find and analyze. It stores encrypted data in the registry to further hide from detection. It includes a virtual network computing (VNC) function, which also carries the bot software, the infostealer and the security checks. It uses VNC because VNC allows a remote viewer to see what is on the screen of the targeted system without notifying the user that they are being monitored.
Enterprises can protect their systems with the same steps used against other fileless malware: protecting against phishing attacks and monitoring executables' behavior for suspicious activity, such as making unauthorized external connections and downloads.
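As an added illustration of the behavioral monitoring the answer recommends (this is example code written for this page, not FireEye's analysis or Nick Lewis's), the script below runs two checks over a constructed set of endpoint telemetry records: it flags outbound network connections made by an Office process or by a process an Office application spawned (the Word-attachment-to-downloader chain described above), and it flags registry value writes whose decoded contents have the byte entropy of encrypted or compressed data (the "encrypted data in the registry" behavior). The event shape, event IDs, process names and the entropy threshold are assumptions modeled loosely on Sysmon-style process-create, network-connect and registry-set events; the sample events are constructed.

```python
"""Behavioral triage for a Latentbot-style infection chain.

Added example for this page, not FireEye's or Nick Lewis's code. The record
layout (id 1 = process create, 3 = network connect, 13 = registry value set)
is an assumption modeled loosely on Sysmon event types; the sample events
below are constructed, not captured from a real infection.
"""
import json
import math
from collections import Counter

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed thresholds: decoded encrypted/compressed blobs of a few hundred bytes
# score close to 8 bits per byte, while ASCII configuration text stays under ~5.
# Entropy of short values is not meaningful, so very small writes are ignored.
ENTROPY_THRESHOLD = 6.0
MIN_BLOB_LEN = 128


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_registry_value(details: str) -> bytes:
    """Hex-encoded binary values are decoded; anything else is treated as text."""
    try:
        return bytes.fromhex(details)
    except ValueError:
        return details.encode("utf-8", "replace")


def office_network_activity(events):
    """Outbound connections by an Office process or by a child of one."""
    image_of = {e["pid"]: basename(e["image"]) for e in events if e["id"] == 1}
    parent_of = {e["pid"]: basename(e["parent_image"]) for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 3 or not e.get("initiated", False):
            continue
        image, parent = image_of.get(e["pid"], ""), parent_of.get(e["pid"], "")
        if image in OFFICE_IMAGES or parent in OFFICE_IMAGES:
            hits.append({"pid": e["pid"], "image": image, "parent": parent,
                         "dest": f"{e['dest_ip']}:{e['dest_port']}"})
    return hits


def encrypted_registry_writes(events, threshold=ENTROPY_THRESHOLD):
    """Registry value writes whose decoded bytes look encrypted or compressed."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        blob = decode_registry_value(e["details"])
        if len(blob) < MIN_BLOB_LEN:
            continue
        h = shannon_entropy(blob)
        if h >= threshold:
            hits.append({"pid": e["pid"], "key": e["target"], "entropy": round(h, 2)})
    return hits


def triage(events):
    return {"office_network": office_network_activity(events),
            "encrypted_registry": encrypted_registry_writes(events)}


# Constructed sample telemetry. The "encrypted" blob is a stand-in: every byte
# value once, which yields exactly 8.0 bits per byte when decoded.
ENCRYPTED_BLOB_HEX = bytes(range(256)).hex()
SAMPLE_EVENTS = [
    # benign: browser launched from the shell, talks to the web, writes plain text
    {"id": 1, "pid": 1001, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 3, "pid": 1001, "dest_ip": "93.184.216.34", "dest_port": 443, "initiated": True},
    {"id": 13, "pid": 1001, "target": "HKCU\\Software\\Example\\LastDir",
     "details": "C:\\Users\\alice\\Documents"},
    # stage 1: Word opens the attachment and reaches out to a server
    {"id": 1, "pid": 2002, "image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 3, "pid": 2002, "dest_ip": "203.0.113.45", "dest_port": 80, "initiated": True},
    # stage 2: the dropped binary, spawned by Word, beacons and stashes an encrypted blob
    {"id": 1, "pid": 3003, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"},
    {"id": 3, "pid": 3003, "dest_ip": "198.51.100.7", "dest_port": 443, "initiated": True},
    {"id": 13, "pid": 3003, "target": "HKCU\\Software\\Classes\\CLSID\\cfg",
     "details": ENCRYPTED_BLOB_HEX},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the first check reports both Word itself (stage 1) and the Temp-directory binary Word spawned (stage 2), while the browser's normal traffic is ignored; the second check reports only the high-entropy registry write. Real deployments would feed the same two functions from an EDR or Sysmon pipeline and tune the entropy threshold and minimum size against the registry writes their own software legitimately makes.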
Related Q&A from Nick Lewis
- The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from ...
- Typosquatting was used by threat actors to spread malware in the NPM registry. Learn from expert Nick Lewis how this method was used and what it ...
- Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work...