
LATENTBOT

Posted: December 16, 2015

LATENTBOT is a backdoor Trojan designed with an emphasis on stealth while still including features useful for facilitating a flexible range of attacks against most PCs. Despite its multi-year history of being active in campaigns against various industries, LATENTBOT has evaded extensive analysis successfully until recently, and most anti-malware products will identify it as a generic Trojan through heuristic means. Removing LATENTBOT should be done through anti-malware solutions capable of combating high-level threats, and malware analysts warn that you shouldn't expect visible symptoms from LATENTBOT infections in the meantime.

The Trojan No One Saw Coming Until Now

Although many Trojans make efforts at hiding themselves from both their victims and PC security companies, few have been as successful at those efforts as LATENTBOT, a Trojan that malware analysts believe may have been in operation since 2013. These indiscriminate campaigns have targeted nations from South Korea to Peru, with financial and insurance companies serving as preferred victims. Many LATENTBOT attacks also may be associated with the LuminosityLink RAT, a Remote Access Tool. This RAT gives third parties a second, semi-redundant level of control over the victim's PC, which could allow attacks to continue even if you remove LATENTBOT.

LATENTBOT and its companion RAT tend to use e-mail distribution methods. Their droppers are formatted as text documents and rely on old Microsoft Word vulnerabilities to trigger themselves. LATENTBOT's installation is a convoluted process involving multiple stages of memory injection and shellcode loaders, along with heavy string encryption, to hide the attack from PC security solutions. Afterward, LATENTBOT may initiate attacks through any of several modules, with significant features including:

  • LATENTBOT may use the Pony Stealer plugin to compromise bank accounts or Bitcoin wallets.
  • LATENTBOT may use a VNC plugin to monitor your PC passively, allowing third parties to observe it and collect any visible information.
  • Some ransomware-reminiscent features also are included in LATENTBOT, which could let it lock your desktop, block your ability to launch other programs, or display fake ransom messages demanding money.

In addition to all of the above, LATENTBOT may even wipe your hard drive, a feature more common to high-end industrial spyware than to most backdoor Trojans. Most of these features are implemented as separate, optional modules, a trait that LATENTBOT shares with the LuminosityLink RAT. Further updates could increase the capabilities of either of these threats relatively easily.

A Hard Solution to a Latent Windows Problem

LATENTBOT may install itself on modern versions of Windows and takes explicit steps to avoid a full installation on old Windows versions (such as Vista) or on non-Windows OSes. PC users within those prerequisites may be attacked without any apparent focus on individual business sectors or geographical regions. Much like LATENTBOT itself, many of this backdoor Trojan's individual modules also lack well-developed definitions among PC security companies. Consequently, malware analysts especially recommend using strictly up-to-date and, if necessary, redundant, overlapping anti-malware solutions to identify LATENTBOT infections. Victims also should stay aware of the likely presence of other threats, such as Pony Stealer or LuminosityLink.

However, a LATENTBOT infection also requires the PC owner to make the mistake of opening a corrupted e-mail attachment. Besides scanning possible threat installers before taking the risk of opening them, malware analysts also recommend updating Microsoft Office products, which reduces the number of embedded vulnerabilities available for threat attacks. Equally important is simply staying informed about the common formats of e-mail hoaxes used to infiltrate private companies, NGOs and government agencies.
