How does Latentbot use obfuscation in its attacks?

Latentbot malware has layers of obfuscation that make it hard to detect. Expert Nick Lewis explains how its infection process works, beginning with a phishing email, and how to stop it.

I read about a new kind of malware called Latentbot, which has multiple layers of code obfuscation that make it extremely difficult to find and determine how it works. How does this malware work, what are the layers of code obfuscation it uses and how can security vendors stop it?

FireEye recently posted a blog on Latentbot, which has many advanced capabilities for hiding its operations. Latentbot has info-stealing capabilities and can even steal bitcoins. The attack starts with a phishing email that includes a malicious Word attachment. Once the malicious Word file is opened, it connects to a command-and-control server to download the next piece of malware, the LuminosityLink RAT, which is used in the next stage of the attack, where Latentbot itself is in turn downloaded.

FireEye detailed how Latentbot uses a multistep process to run on the system, and includes plug-ins to determine whether it is being analyzed by malware researchers or whether the endpoint has antimalware tools installed. Latentbot uses multiple layers of code obfuscation to hide its activities during each step of the attack, but it can be detected in memory. Obfuscating the code at each step makes Latentbot difficult to find and analyze. It stores encrypted data in the registry to further hide from detection. It also includes a virtual network computing (VNC) function alongside the bot software, infostealer and security checks. It uses VNC because VNC allows a remote viewer to see what is on the screen of the targeted system without notifying the user that they are being monitored.

Enterprises can protect their systems by taking the same steps they use against other fileless malware: protecting systems from phishing attacks, and monitoring executables' behavior for suspicious activity, such as making unauthorized external connections and downloads.
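As an added example, not code from the article or from FireEye's analysis: a small Python detector that applies the behavioral monitoring recommended above to constructed endpoint telemetry, flagging an Office process that makes an external connection, that spawns an executable from a user-writable path, and that executable then connecting out, which is the shape of the Word-attachment download chain described earlier. The event format, file paths, PIDs and addresses are all assumptions made for the sample.

```python
import ipaddress
import json

# Constructed sample telemetry (not from the article): one JSON process or
# network event per line, modelled on the Word -> download -> execute chain.
SAMPLE_EVENTS = r"""
{"ts":"2016-05-02T09:14:01Z","type":"process","pid":4120,"ppid":980,"image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"ts":"2016-05-02T09:14:07Z","type":"network","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","dst_ip":"203.0.113.45","dst_port":80}
{"ts":"2016-05-02T09:14:09Z","type":"process","pid":4388,"ppid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"ts":"2016-05-02T09:14:15Z","type":"network","pid":4388,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2016-05-02T09:20:00Z","type":"network","pid":2200,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst_ip":"198.51.100.7","dst_port":443}
{"ts":"2016-05-02T09:21:00Z","type":"network","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","dst_ip":"10.0.0.5","dst_port":445}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}    # document handlers
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")  # typical drop locations
# Explicit internal ranges (ipaddress.is_private would also treat the sample's TEST-NET addresses as non-global).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Return (timestamp, rule, detail) alerts for the Office-initiated download chain."""
    alerts = []
    office_pids = {}   # pid -> image name of running Office processes
    dropped = {}       # pid -> executables Office spawned from user-writable paths
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = basename(ev["image"])
        if ev["type"] == "process":
            if name in OFFICE_APPS:
                office_pids[ev["pid"]] = name
            elif ev["ppid"] in office_pids and any(m in ev["image"].lower() for m in USER_WRITABLE):
                dropped[ev["pid"]] = name
                alerts.append((ev["ts"], "office-spawned-executable", f"{office_pids[ev['ppid']]} -> {name}"))
        elif ev["type"] == "network" and is_external(ev["dst_ip"]):
            detail = f"{name} -> {ev['dst_ip']}:{ev['dst_port']}"
            if name in OFFICE_APPS:
                alerts.append((ev["ts"], "office-external-connection", detail))
            elif ev["pid"] in dropped:
                alerts.append((ev["ts"], "dropped-executable-beacon", detail))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts for the Word chain and none for the browser traffic or the internal SMB connection; in production the same three rules would be fed from EDR or Sysmon process-create and network-connect events rather than a string.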

This was last published in May 2016