win.latentbot

LatentBot


FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has left hardly any traces on the Internet, can surveil its victims without being noticed, and can even corrupt the hard disk, rendering the PC unusable.

Using its Dynamic Threat Intelligence, FireEye has observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland, primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped, which FireEye named LATENTBOT, caught attention because it implements several layers of obfuscation and a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.

References
2017-06-08, Malwarebytes (Malwarebytes): "LatentBot piece by piece". https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/ (English; retrieved 2019-11-16) [malwarebytes:20170608:latentbot:9f46488]
2017-04-25, Malware Traffic Analysis (Brian Duncan): "2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT". http://malware-traffic-analysis.net/2017/04/25/index.html (English; retrieved 2019-11-29) [duncan:20170425:20170425:dfd0f09]
2016-05-12, CERT.PL (Kamil Frankowicz): "LatentBot – modularny i silnie zaciemniony bot" (Polish; in English: "LatentBot: a modular and heavily obfuscated bot"). https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ (retrieved 2019-12-18) [frankowicz:20160512:latentbot:9506f35]
2015-12-11, FireEye (Daniel Regalado, Taha Karim): "LATENTBOT: Trace Me If You Can". https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html (English; retrieved 2019-12-20) [regalado:20151211:latentbot:76a6ff3]
2015-11-02, CyS Centrum (CyS Centrum Incident Response Team): "Modular trojan for hidden access to a computer". https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access (Russian; retrieved 2020-01-08) [team:20151102:modular:7726996]
Yara Rules
[TLP:WHITE] win_latentbot_auto (20221125 | Detects win.latentbot.)
rule win_latentbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.latentbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 7ce5 297d58 8bcf d36d50 89454c }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7ce5                 | jl                  0xffffffe7
            //   297d58               | sub                 dword ptr [ebp + 0x58], edi
            //   8bcf                 | mov                 ecx, edi
            //   d36d50               | shr                 dword ptr [ebp + 0x50], cl
            //   89454c               | mov                 dword ptr [ebp + 0x4c], eax

        $sequence_1 = { 8938 5f 83c004 5d 83c408 c3 }
            // n = 6, score = 100
            //   8938                 | mov                 dword ptr [eax], edi
            //   5f                   | pop                 edi
            //   83c004               | add                 eax, 4
            //   5d                   | pop                 ebp
            //   83c408               | add                 esp, 8
            //   c3                   | ret                 

        $sequence_2 = { 8901 8b4108 894104 8bc6 c1e80b 33c2 c1e808 }
            // n = 7, score = 100
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   8bc6                 | mov                 eax, esi
            //   c1e80b               | shr                 eax, 0xb
            //   33c2                 | xor                 eax, edx
            //   c1e808               | shr                 eax, 8

        $sequence_3 = { 51 6aff ffd2 33c0 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   6aff                 | push                -1
            //   ffd2                 | call                edx
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 56 8b74240c 57 8b7c240c 57 e8???????? 59 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   57                   | push                edi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_5 = { 0f840b010000 833d????????06 be8c000000 7303 83c6fc ff55f8 3bc3 }
            // n = 7, score = 100
            //   0f840b010000         | je                  0x111
            //   833d????????06       |                     
            //   be8c000000           | mov                 esi, 0x8c
            //   7303                 | jae                 5
            //   83c6fc               | add                 esi, -4
            //   ff55f8               | call                dword ptr [ebp - 8]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_6 = { 83c108 894d58 094550 3b4d34 72ce 8b7d34 297d58 }
            // n = 7, score = 100
            //   83c108               | add                 ecx, 8
            //   894d58               | mov                 dword ptr [ebp + 0x58], ecx
            //   094550               | or                  dword ptr [ebp + 0x50], eax
            //   3b4d34               | cmp                 ecx, dword ptr [ebp + 0x34]
            //   72ce                 | jb                  0xffffffd0
            //   8b7d34               | mov                 edi, dword ptr [ebp + 0x34]
            //   297d58               | sub                 dword ptr [ebp + 0x58], edi

        $sequence_7 = { c7410400000000 897114 89791c c7411028000000 c7410800000000 8bd0 c1ea03 }
            // n = 7, score = 100
            //   c7410400000000       | mov                 dword ptr [ecx + 4], 0
            //   897114               | mov                 dword ptr [ecx + 0x14], esi
            //   89791c               | mov                 dword ptr [ecx + 0x1c], edi
            //   c7411028000000       | mov                 dword ptr [ecx + 0x10], 0x28
            //   c7410800000000       | mov                 dword ptr [ecx + 8], 0
            //   8bd0                 | mov                 edx, eax
            //   c1ea03               | shr                 edx, 3

        $sequence_8 = { 894804 8d45f4 50 6a00 ff750c ffd3 }
            // n = 6, score = 100
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ffd3                 | call                ebx

        $sequence_9 = { 8d5ee4 8b03 0fb7c8 250000ffff 897e04 8bd0 85c9 }
            // n = 7, score = 100
            //   8d5ee4               | lea                 ebx, [esi - 0x1c]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   0fb7c8               | movzx               ecx, ax
            //   250000ffff           | and                 eax, 0xffff0000
            //   897e04               | mov                 dword ptr [esi + 4], edi
            //   8bd0                 | mov                 edx, eax
            //   85c9                 | test                ecx, ecx

    condition:
        7 of them and filesize < 401408
}
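To make the rule's condition concrete, here is an added Python example (my code, not Malpedia's and not part of yara-signator) that compiles the ten `$sequence_N` hex strings above into byte regexes, treating `??` as a one-byte wildcard as YARA does, and evaluates `7 of them and filesize < 401408` over an in-memory buffer. The sample buffers are constructed from the sequences themselves (wildcards filled with 0x90 and separated by zero padding); the helper names `hex_to_regex`, `scan`, `rule_matches` and `build_sample` are mine. Only the standard library is used, so it runs without yara-python.

```python
import re

# Hex strings copied from win_latentbot_auto above; "??" is a one-byte wildcard.
SEQUENCES = {
    "sequence_0": "85c0 7ce5 297d58 8bcf d36d50 89454c",
    "sequence_1": "8938 5f 83c004 5d 83c408 c3",
    "sequence_2": "8901 8b4108 894104 8bc6 c1e80b 33c2 c1e808",
    "sequence_3": "51 6aff ffd2 33c0",
    "sequence_4": "56 8b74240c 57 8b7c240c 57 e8???????? 59",
    "sequence_5": "0f840b010000 833d????????06 be8c000000 7303 83c6fc ff55f8 3bc3",
    "sequence_6": "83c108 894d58 094550 3b4d34 72ce 8b7d34 297d58",
    "sequence_7": "c7410400000000 897114 89791c c7411028000000 c7410800000000 8bd0 c1ea03",
    "sequence_8": "894804 8d45f4 50 6a00 ff750c ffd3",
    "sequence_9": "8d5ee4 8b03 0fb7c8 250000ffff 897e04 8bd0 85c9",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 401408    # "filesize < 401408" (392 KiB)


def _byte_tokens(hexstr):
    """Split a YARA hex string into two-character tokens ('8b', '??', ...)."""
    compact = hexstr.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("odd-length hex string: %r" % hexstr)
    return [compact[i:i + 2] for i in range(0, len(compact), 2)]


def hex_to_regex(hexstr):
    """Compile a YARA hex string (with ?? wildcards) into a bytes regex."""
    parts = []
    for tok in _byte_tokens(hexstr):
        if tok == "??":
            parts.append(b".")                 # any single byte
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so the wildcard also matches 0x0a.
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_to_regex(h) for name, h in SEQUENCES.items()}


def scan(data):
    """Return the set of sequence names that occur anywhere in data."""
    return {name for name, rx in PATTERNS.items() if rx.search(data)}


def rule_matches(data):
    """Evaluate the rule's condition: 7 of them and filesize < 401408."""
    return len(scan(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def instantiate(hexstr, fill=0x90):
    """Concrete bytes for a hex string, wildcards replaced by `fill` (hypothetical filler)."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in _byte_tokens(hexstr))


def build_sample(names, pad=b"\x00" * 16, tail_len=0):
    """Constructed test buffer: the chosen sequences separated by zero padding,
    optionally followed by tail_len zero bytes to exercise the size clause."""
    body = pad.join(instantiate(SEQUENCES[n]) for n in names) + pad
    return body + b"\x00" * tail_len


if __name__ == "__main__":
    full = build_sample(list(SEQUENCES))
    print(sorted(scan(full)), rule_matches(full))
    # The same content padded past the size limit no longer satisfies the rule.
    big = build_sample(list(SEQUENCES), tail_len=MAX_FILESIZE)
    print(sorted(scan(big)), rule_matches(big))
```

To try it on a real unpacked sample, pass the file's bytes to `rule_matches()`. The point worth carrying into triage is the size clause: a memory dump or carved region larger than 392 KiB will not match even when all ten sequences are present, so a miss on a large dump is not evidence that the code is absent. This matcher only makes the condition logic visible; it does not reproduce YARA's string-matching internals, so use YARA itself for production scanning.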