
LightBot

Posted: November 25, 2020

LightBot is a backdoor Trojan and spyware that collects system information for determining whether hackers should continue with further attacks, such as locking files with threats like Ryuk Ransomware or collecting other information. LightBot can extend its capabilities through downloadable scripts and performs its functions with few to no symptoms for the PC's ordinary users. Professional anti-malware services should immediately remove LightBot, and users should watch for typical infection methods like fake e-mail attachments.

A Light Passing Tap that Leads into Heavier Blows

The developers of Trojan.TrickBot, a well-known banking Trojan and spyware, continue keeping pace with the cyber-security industry's counterattacks through semi-regular reworks of their business model and threat deployment methods. Besides collecting information, this threat actor may sabotage files and hold them for ransom, and it is notorious for picking valuable targets such as entities in the US healthcare sector. One of their newly-found tools, LightBot, may or may not be a replacement for BazarBackdoor.

In recent attacks, as of November 2020, LightBot replaces BazarBackdoor's loading component, BazarLoader, in infection vectors. The strategies for infecting targets are the same: tricking workers into opening Google cloud documents through e-mail links, with disguises like detailed fake HR complaints or termination notifications. An equally-fake 'failed preview' stage leads into the download of either BazarLoader or LightBot, which then establishes persistence for loading future attacks from the hackers.

Malware researchers haven't analyzed all of LightBot's components and can't confirm a fully-functional backdoor feature that would let attackers remotely control the PC by default. However, LightBot collects various types of system data through PowerShell scripts, may update itself with additional downloads, and includes an apparent persistence mechanism. So far, LightBot's purpose appears to be that of a reconnaissance tool for deciding whether the target system is worthwhile for future attacks, such as dropping Ryuk Ransomware and sabotaging files, or Trojan.TrickBot and collecting bank account credentials.

The Searing Afterimage of a Little LightBot

Although the cyber-security industry is actively combating Trojan.TrickBot's dev team through coordinated disruption of its C&C infrastructure, updates like LightBot demonstrate the threat actor's long-term prioritization of adjusting to these environmental 'workplace hazards.' Currently, LightBot exfiltrates relatively limited data, such as hardware information and installed program lists, instead of targeting lucrative passwords or other content, which the attackers leave to more advanced tools. However, its presence indicates high chances of more severe future attacks.

Workers in vulnerable industries should have adequate training in recognizing e-mail phishing lures, which make up the only known infection vector for LightBot so far. LightBot's installation lures may pose as Coronavirus guidelines, communications from fellow employees, or customer complaints. In most scenarios, malware experts see these infection methods using Web pages that imitate documents with loading errors and trigger the drive-by downloads.

The consequences of untended LightBot infections can be severe. LightBot's threat actor is known for deploying file-locker Trojans like the Ryuk Ransomware and the Conti Ransomware, which can block the digital media contents of businesses' servers and networks. These operations also may involve collecting passwords or hijacking bank accounts via Trojan.TrickBot. Anti-malware services should remove LightBot as soon as possible, and infected systems should receive comprehensive threat scans. Users also should change affected credentials like passwords.

LightBot is a subtle piece of software engineering from a group of hackers who have more 'skin in the game' than most for-profit operations. Other than a new scheduled task, it leaves few fingerprints behind for victims, meaning that preventing infections is even more critical than usual.
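Because the scheduled task is the one fingerprint the article names, a defender's first check on a suspect host is to enumerate scheduled tasks and triage the ones that launch a script host, run from a user-writable directory, or were created recently. The script below is an added example, not code from the article or from any LightBot sample; the task name and payload path LightBot uses are not stated here, so it relies on generic heuristics rather than a known indicator, and it assumes a Windows host with the built-in ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the article): triage scheduled tasks for script-based persistence.
# The real LightBot task name is unknown here, so flag by behaviour, not by name.
function Find-SuspiciousScheduledTask {
    param([int]$DaysBack = 30)

    # Binaries commonly used to run scripts or proxy execution from a scheduled task.
    $scriptHosts  = 'powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','cmd.exe','rundll32.exe','regsvr32.exe'
    # Directories an unprivileged user can write to; legitimate system tasks rarely run from these.
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }
    $cutoff       = (Get-Date).AddDays(-$DaysBack)

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe     = [string]$action.Execute
            $argStr  = [string]$action.Arguments   # avoid $args, a PowerShell automatic variable
            $cmd     = ("$exe $argStr").Trim()
            $reasons = @()

            if ($scriptHosts  | Where-Object { $exe -match [regex]::Escape($_) }) { $reasons += 'script host' }
            if ($userWritable | Where-Object { $cmd -like "*$_*" })                { $reasons += 'user-writable path' }
            if ($argStr -match '-enc|-encodedcommand|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b') {
                $reasons += 'suspicious argument'
            }

            # MSFT_ScheduledTask exposes the registration date as a string; parse it defensively.
            $created = $null
            if ($task.Date) { try { $created = [datetime]$task.Date } catch { } }
            if ($created -and $created -gt $cutoff) { $reasons += "created $($created.ToString('yyyy-MM-dd'))" }

            # The \Microsoft\ tree is noisy (many tasks use rundll32/cmd), so require two hits there;
            # anything outside it with even one hit is worth a look.
            $underMicrosoft = $task.TaskPath -like '\Microsoft\*'
            if (($reasons.Count -ge 2) -or (-not $underMicrosoft -and $reasons.Count -ge 1)) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    RunAs   = $task.Principal.UserId
                    State   = $task.State
                    Command = $cmd
                    Flags   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: run as an administrator so tasks registered by other users are visible.
Find-SuspiciousScheduledTask -DaysBack 30 | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list, not a verdict: a task that launches powershell.exe from %APPDATA% with a hidden window and a recent creation date deserves a full look at the referenced script and at the host's other recent changes, while a single hit on an older task under \Microsoft\ is usually benign. Pair this with the comprehensive threat scan and credential rotation the article recommends.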
