A highly sophisticated and stealthy command-and-control BOTNET is circulating which is designed to hide on client workstations. It is ultimately designed to steal credentials or financial information.


FireEye Labs recently uncovered LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.

We have observed multiple campaigns targeting the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which we named LATENTBOT – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.

Some of the main features of LATENTBOT are listed below:

a) Multiple layers of obfuscation
b) Decrypted strings in memory are removed after being used
c) Hiding applications in a different desktop
d) MBR wiping ability
e) Ransomlock similarities such as being able to lock the desktop
f) Hidden VNC connection
g) Modular design, allowing easy updates on victim machines
h) Stealth: callback traffic, APIs, registry keys and any other indicators are decrypted dynamically
i) Drops Pony malware as a module to act as an infostealer

LATENTBOT Overview

Stealth being one of its traits, LATENTBOT will only keep malicious code in memory for the short time that is needed. Most of the encoded data is found either in the program resources or in the registry. A custom encryption algorithm is shared across the different components, including in encrypting its command and control (CnC) communications.