I read about a new kind of malware called Latentbot, which has multiple layers of code obfuscation that make it extremely difficult to find and determine how it works. How does this malware work, what are the layers of code obfuscation it uses, and how can security vendors stop it?
FireEye recently posted a blog on Latentbot, which has many advanced capabilities for hiding its operations. The Latentbot malware has info-stealing capabilities, and it can even steal bitcoins. The infection starts with a phishing email that carries a malicious Word attachment. Once the malicious Word file is opened, it connects to a command-and-control server to download the next piece of malware, the LuminosityLink RAT, which is used in the next stage of the attack, where Latentbot itself is in turn downloaded.
FireEye detailed how Latentbot uses a multistep process to run on the system, including plug-ins that determine whether it is being analyzed by malware researchers or whether the endpoint has antimalware tools installed. The Latentbot malware applies a separate layer of code obfuscation at each step of the attack to hide its activities, but it can still be detected in memory, where the code must be unpacked to run. Obfuscating every step is what makes Latentbot difficult to find and analyze. It stores encrypted data in the registry to hide further from detection. It includes a virtual network computing (VNC) function alongside the bot software, infostealer and security checks. It uses VNC because VNC allows a remote viewer to see what is on the screen of the targeted system without notifying the user that they are being monitored.
Enterprises can protect their systems using the same steps that defend against other fileless malware: protecting users from phishing attacks and monitoring executables' behavior for suspicious activity, such as making unauthorized external connections and downloads.
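The behavioral monitoring recommended above can be expressed as simple rules over endpoint telemetry. The script below is an added example, not code from FireEye or from the original answer; it assumes a Sysmon-like event schema (process creation, network connection, registry set) with the field names shown, uses constructed sample events, and treats RFC 1918 and loopback ranges as "internal". It flags the three behaviors the answer describes: a document viewer such as Word opening an external connection, a document viewer launching another executable, and a process running from a user-writable directory writing a large opaque blob to the registry.

```python
"""Behavioral rules over endpoint events for the activity described above.
Example code added here; the event schema, process list, thresholds and
sample events are all assumptions, not FireEye's or Latentbot's data."""
import ipaddress

# Document viewers that have no business opening their own outbound
# connections or launching executables (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Address ranges treated as internal (RFC 1918 plus loopback); anything else
# counts as an external connection for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Path fragments that mark user-writable locations (assumed).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

REGISTRY_BLOB_THRESHOLD = 8192  # bytes; assumed tuning value

# Constructed sample events (assumed Sysmon-like schema, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1001,
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "network_connect", "pid": 1001,
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "dst_ip": "198.51.100.23", "dst_port": 443},
    {"type": "process_create", "pid": 1002,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"type": "registry_set", "pid": 1002,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "key": "HKCU\\Software\\Example\\Data", "value_size": 48000},
    {"type": "network_connect", "pid": 1003,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "network_connect", "pid": 1001,
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "dst_ip": "10.0.0.5", "dst_port": 445},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    """True when the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of findings {rule, pid, detail} for suspicious events."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if (ev["type"] == "network_connect" and image in OFFICE_IMAGES
                and not is_internal(ev["dst_ip"])):
            # Word (or similar) talking to an external host: download stage.
            findings.append({"rule": "office_external_connection", "pid": ev["pid"],
                             "detail": f"{image} -> {ev['dst_ip']}:{ev['dst_port']}"})
        elif (ev["type"] == "process_create"
                and basename(ev["parent_image"]) in OFFICE_IMAGES):
            # A document viewer launching another executable.
            findings.append({"rule": "office_spawned_process", "pid": ev["pid"],
                             "detail": f"{basename(ev['parent_image'])} -> {ev['image']}"})
        elif (ev["type"] == "registry_set"
                and ev["value_size"] > REGISTRY_BLOB_THRESHOLD
                and any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS)):
            # Large opaque data written to the registry by a dropped binary.
            findings.append({"rule": "large_registry_blob", "pid": ev["pid"],
                             "detail": f"{image} wrote {ev['value_size']} bytes to {ev['key']}"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["rule"], finding["pid"], finding["detail"])
```

Each rule is deliberately coarse; in production the process list, internal ranges and blob threshold would be tuned per environment, and a finding would be correlated with the other two (the same Word process triggering all three in sequence is far more telling than any one alone).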