I read about a new kind of malware called Latentbot, which has multiple layers of code obfuscation that make it extremely difficult to find and determine how it works. How does this malware work, what are the layers of code obfuscation it uses and how can security vendors stop it?
FireEye recently posted a blog on Latentbot, which has many advanced capabilities to hide its operations. The Latentbot malware has info-stealing capabilities, and it can even steal bitcoins. The infection starts with a phishing email that carries a malicious Word attachment. Once the Word file is opened, it connects to a command-and-control server to download the next piece of malware, the LuminosityLink RAT, which in the next stage of the attack downloads Latentbot itself.
FireEye detailed how Latentbot uses a multistep process to run on the system, and includes plug-ins to determine whether it is being analyzed by malware researchers or whether the endpoint has antimalware tools installed. Latentbot applies a separate layer of code obfuscation to each step of the attack, which makes it difficult to find and analyze, although it can still be detected in memory. It stores encrypted data in the registry to further hide from detection. It also includes a virtual network computing (VNC) function alongside the bot software, infostealer and security checks. VNC is used because it lets a remote viewer see what is on the screen of the targeted system without notifying the user that they are being monitored.
Enterprises can protect their systems with the same steps used against other fileless malware: defending against phishing attacks and monitoring executables' behavior for suspicious activity, such as unauthorized external connections and downloads.
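The behavioral monitoring recommended above can be expressed as a few concrete detection rules over endpoint telemetry. The script below is an added example, not FireEye's research code or anything from the original answer. It runs over constructed event records modeled loosely on Sysmon event IDs 1 (process create), 3 (network connect) and 13 (registry value set); the hostnames, paths, registry key and the documentation-range IP 203.0.113.45 are all made-up placeholders. It flags the three behaviors the answer describes: an Office process spawning a child, an Office process connecting outside the enterprise's own address ranges, and a large high-entropy blob being written to the registry.

```python
"""Toy behavioral detector for a Latentbot-style infection chain.

Added example; not code from FireEye or the original Q&A. The telemetry
below is constructed, modeled loosely on Sysmon event IDs 1, 3 and 13.
"""
import ipaddress
import math
from collections import Counter

# Office hosts that should never spawn children or talk to the internet directly.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumed enterprise-internal ranges; anything else counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events (hypothetical paths, key and placeholder IPs).
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "parent": "C:\\Windows\\explorer.exe"},
    {"id": 1, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"id": 3, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "dest_ip": "203.0.113.45", "dest_port": 443},          # documentation range
    {"id": 3, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "dest_ip": "10.0.0.25", "dest_port": 445},             # internal file share
    {"id": 13, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "key": "HKCU\\Software\\Classes\\{c0de}\\data",
     "value": bytes(range(256)) * 4},                      # stand-in for an encrypted blob
    {"id": 13, "image": "C:\\Windows\\explorer.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell",
     "value": b"open"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_external(addr: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule_name, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if ev["id"] == 1 and basename(ev["parent"]) in OFFICE_PROCESSES:
            # Word spawning a downloaded executable: the first-stage dropper.
            findings.append(("office_child_process", basename(ev["image"])))
        elif (ev["id"] == 3 and basename(ev["image"]) in OFFICE_PROCESSES
              and is_external(ev["dest_ip"])):
            # Office reaching out to the internet: likely C2 fetch of the next stage.
            findings.append(("office_external_connection", ev["dest_ip"]))
        elif ev["id"] == 13:
            blob = ev["value"]
            # Large, near-random registry value: encrypted payload/config stash.
            if len(blob) >= 256 and shannon_entropy(blob) > 7.0:
                findings.append(("high_entropy_registry_blob", ev["key"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The entropy threshold and the 256-byte floor are tuning knobs: legitimate software also stores binary data in HKCU, so in practice the registry rule is best joined with the process-ancestry rule (the writer was itself spawned by an Office process) before it pages anyone.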
Related Q&A from Nick Lewis