According to researchers from security firm FireEye, a new strain of malware called LATENTBOT has been discovered on machines across the U.S., U.K., South Korea, Brazil and Poland this year. The backdoor virus gives attackers access to virtually anything they want on a network and is nearly impossible to detect. In fact, the bot’s obfuscation is so good that it’s been lurking around corporate machines for the better part of two years. Here’s a quick rundown.
Right Under Your Nose
As reported by SecurityWeek, LATENTBOT is focused on remaining undetected and has largely succeeded; some of its earliest infections data back to 2013. This is the Holy Grail for malware-makers: the ability to craft code that even up-to-date, real-time antivirus solutions can’t detect, much less eliminate. The new backdoor is designed to leave “barely any traces on the Internet, is capable of watching its victims without ever being noticed and can even corrupt a hard disk, thus making a PC useless.”
It achieves this goal through a six-stage obfuscation process and by operating purely in memory on an infected system. It also has the ability to scan for cryptocurrency wallets using the Pony Stealer 2.0 malware plugin. The malware regularly implements new layers of obfuscation to keep antivirus solutions and IT professionals unaware of its presence.
While the malware isn’t targeted, it will avoid certain versions of Windows such as Vista or Server 2008. Once systems are infected, the code only stays in memory long enough to cause havoc, which may include:
- Hiding desktop applications;
- MBR wiping;
- Ransom-locking the desktop;
- Stealing information via Pony malware.
Despite the sophistication of LATENTBOT malware, however, attackers still rely on infected emails to carry their payload. Their weapon of choice is an infected Word document that uses the well-known Microsoft Word Intruder (MWI) to contact a MWISTAT server and give cybercriminals total access.
Common Problems With a Backdoor Virus?
According to The Straits Times, hidden malware is also making its way onto mobile devices: The Association of Banks in Singapore (ABS) is warning Android users to watch out for what appears to be a WhatsApp update but in fact carries a malware payload that attempts to grab user credit card data. It does so by intercepting the one-time password (OTP) sent by banks via SMS so users can access their accounts online. Much like LATENTBOT, this malware hides in plain sight — luckily, however, its history isn’t quite as long.
The New Threatscape
Brute force is passé. Obvious, high-volume attacks simply don’t have the same results they once did, so malware-makers have turned a corner. Simple yet sophisticated, lightweight apps are the new threatscape: They get in without being noticed, grab what they want and disappear.
It’s a wake-up call for companies. What’s happening on corporate networks is much more relevant than what’s installed — behavior, far more than bad code, is the hallmark of this new backdoor virus and other emerging risks.