LATENTBOT: Trace Me If You Can

FireEye Labs recently uncovered LATENTBOT, a new, highly obfuscated
BOT that has been in the wild since mid-2013. It has managed to leave
hardly any traces on the Internet, is capable of watching its victims
without ever being noticed, and can even corrupt a hard disk, thus
making a PC useless.

Through our Dynamic Threat Intelligence (DTI), we have observed
multiple campaigns targeting multiple industries in the United States,
United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore,
Canada, Peru and Poland – primarily in the financial services and
insurance sectors. Although the infection strategy is not new, the
final payload dropped – which we named LATENTBOT – caught our
attention since it implements several layers of obfuscation, a unique
exfiltration mechanism, and has been very successful at infecting
multiple organizations.

Some of the main features of LATENTBOT are listed below:

a)    Multiple layers of obfuscation
b)    Decrypted
strings in memory are removed after being used
c)    Hiding
applications in a different desktop
d)    MBR wiping
e)    Ransomlock similarities such as being able to lock
the desktop
f)    Hidden VNC Connection
g)    Modular
design, allowing easy updates on victim machines
h)    Stealth:
Callback Traffic, APIs, Registry keys and any other indicators are
decrypted dynamically
i)    Drops Pony malware as a module to
act as infostealer


Stealth being one of its traits, LATENTBOT will only
keep malicious code in memory for the short time that is needed. Most
of the encoded data is found either in the program resources or in the
registry. A custom encryption algorithm is shared across the different
components, including in encrypting its command and control (CnC)
communications. Due to this, its family binaries are detected with a
generic name such as Trojan.Generic:

LATENTBOT itself is not targeted in nature – it has been
observed in multiple industries – but it is selective in the types of
Windows systems to infect. For example, it won’t run in Windows Vista
or Server 2008. LATENBOT also uses compromised websites as CnC
infrastructure, making infection easier and detection harder.

Based on passive DNS information and similar samples found in
the wild, it is possible that LATENTBOT was created around mid-2013.
Throughout the course of 2015, we observed multiple successful
infection campaigns, as seen in Figure 1.


Figure 1: Targeted Countries and LATENTBOT CnC

Infection Vector

The preliminary steps to infect victims with LATENTBOT
already contains multiple layers of obfuscation as described in Figure
2: Infection Phase.

Figure 2: Infection Phase

Step 1

Malicious emails containing an old Word exploit are
created with the Microsoft Word Intruder[1] (MWI) builder and sent to the victims.

Step 2

When the attached Word document is opened, an embedded
malicious executable runs, beaconing to the MWISTAT Server (see Figure
3) for two main purposes:

1.    Campaign tracking
2.    Second stage binary download


Figure 3: MWI Beacon

During our analysis, the Word
documents downloaded LuminosityLink as the second stage binary.
LuminosityLink is a full-featured RAT that has the ability to steal
passwords, record keystrokes, transfer files and activate attached
microphones or webcams.

Step 3

Since LuminosityLink is a RAT that offers multiple
capabilities to fully control the infected box, it is surprising that
the RAT downloaded another payload from a secondary CnC at
emenike[.] ( This new module is LATENTBOT
which offers new capabilities that will be detailed in this

Dissecting LATENTBOT

The analysis will concentrate on the third stage
LATENTBOT binary lsmm.exe
(af15076a22576f270af0111b93fe6e03) dropped in Step 3 above, but
we are far from the final stage. Another similar binary that was part
of our analysis is aya.exe
(1dd0854a73288e833966fde139ffe385), which performs the same
actions. Let’s take an in-depth look at this interesting piece of

LATENTBOT is an obfuscated .NET binary, which
contains an encoded resource object. This object is the fourth stage
payload that is decoded using the algorithm seen in Figure 4.


Figure 4: XOR routine to decode
embedded resource

The fourth stage payload is also a .NET binary protected and
obfuscated with ConfuserEx
The fourth stage binary will open the .NET
programs: RegAsm.exe and CvTres.exe from
and use process hollowing to replace
them with malicious code in memory.

The CvTres.exe process is replaced with a Visual Basic
UPX-packed binary extracted from the binary’s resources, as seen in
Figure 5.

Figure 5: Process hollowing to
replace the contents of CvTres.exe in memory

The binary creates a registry key for persistence with the hardcoded
binary name dlrznz68mkaa.exe (a copy of the
original aya.exe) at the location shown in
Figure 6:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load


Figure 6: LATENTBOT persistence

The folder aFwLiiV and
filename dlrznz68mkaa.exe are hardcoded in
the resources section of the Confuser .NET
binaries. Figure 7 shows the resources content from aya_decrypted.exe.

Figure 7: Confuser .NET resources
showing malicious directory and file name

RegAsm.exe will be replaced in
memory with a shellcode loader that opens %windir%\system32\svchost.exe and uses the same
process hollowing technique to load a second shellcode loader that
eventually will decode and execute a fifth stage Delphi binary in

At this point, let’s see the new stages
discovered in Figure 8:


Figure 8: The many stages

Figure 9 shows a quick view of one of the decoder
functions inside the second shellcode loader that eventually decrypts
the fifth stage Delphi Binary:


Figure 9: Complex decoder function

Fifth Stage Delphi Binary

This is another launcher that uses the same process
hollowing technique we saw previously to execute the sixth stage
binary in another instance of svchost.exe.
This new binary is encoded in the resources section and decoded at
runtime with the function from Figure 10.

Figure 10: Decoder for sixth
stage binary

The process tree at this point with aya.exe, RegAsm.exe and
the two instances of svchost.exe can be seen
using the Process Explorer tool in Figure 11, with the sixth stage
being suspended:

Figure 11: Multiple Injections View

Sixth Stage Delphi Binary

The sixth stage is highly obfuscated; multiple encoded
strings can bee seen which represent API function names, CnC IP,
POST/GET parameters, HTTP headers, processes names, and so on, all of
which are decrypted at runtime.  

First the malware will
performs several validations. If the Windows OS version is 6.0
(Windows Vista, Windows Server 2008) or if the malware’s parent
process is not svchost.exe or explorer.exe (see Figure 12) then it will

Running Out of Battery?

If LATENTBOT is running on a laptop, it will query the
battery status via GetSystemPowerStatus and
if the battery is running Low or Critical, it will call SetThreadExecutionState try to prevent the system
from sleeping or turning the display off.

Figure 12: Processes names
decrypted to be validated

Is the BOT_Engine plugin installed?

Now LATENTBOT will check if its plugins are already
downloaded by querying the registry key below which should contain
subkeys with the encrypted modules:


If plugins are found, LATENTBOT will proceed to load
BOT_ENGINE, which is the main module (described in more detail below).
Otherwise, it will download the required plugins from a CnC server as
explained in the next section.

Data Exfiltration

If the plugins were not found, LATENTBOT will proceed to
download them, but it will first validate that the connection to the
CnC server is alive by making the TTP request shown in Figure


Figure 13:  LATENTBOT initial beacon

LATENTBOT then verifyies that the HTTP response is one
of the following:

•    200: The requested resource was
•    302: Found but in a different URI (Redirection)
•    307: Similar to 302

If none of the valid HTTP
responses shown above are received, it will try to connect again every
20 seconds indeterminately.

Assuming a valid HTTP
response was received, LATENTBOT will proceed to generate a beacon.
First, the URI is generated based on information from the infected
host; two examples are shown below:



•    All the GET parameters are decoded at
runtime. For example, tgsz0D decodes to
•    datael:
, where
<OS_Version> is one of the
    o    10 = Windows 2000 (5.0)
    o    20 =
Windows XP (5.1)
    o    30 = Windows XP 64-Bit, Windows Server
2003/R (5.2)
    o    40 = Windows Vista, Windows 2008
    o    70 = Windows 7, Windows Server 2008 R2
    o    80 = Windows 8, Windows Server 2012
 90 = Windows 8.1, Windows Server 2012 R2
•    random and the <random_number> used by datael are set
dynamically. For random, 10 characters are
randomly selected from the buffer abcdefghijklmnopqrstuvxyz.
datael randomly selects 12 integers from
the buffer 0123456789012345678912345678. The seed is
initialized with the Delphi function Randomize()and the Delphi
Random() function is called on each loop iteration, making
the callback different on each request.
    o    Note: The
<random_number> is stored in the
following registry key (created at runtime): \HKCU\Software\Adobe\Adobe Acrobat\data

•    os: Windows OS Major version, using the same codes as
OS_Version above.
•    acs: possible
values are 1 or 0. 1 is used if the malware is running under SYSTEM
•    x64: flag identifying the OS
•    The ver and gr parameter values are

Then the URI is encoded using a three steps
algorithm. The following will describe each step:

Step 1: Custom substitution routine

This routine substitutes valid URI characters using
custom hardcoded lookup tables, depending on the usage
(encoding/decoding) different lookup tables are used. Figure 14 shows
the lookup table used during the decoding phase:

Figure 14:  Decoding lookup table

This routine encodes/decodes one WORD at a time, each byte is
shifted right or left depending on the need (encoding/decoding) with a
specific value depending on the byte position as shown in Table

Table 1: Shift values

The result is added after each shift, as shown in Figure 15.

Figure 15: Shift calculations

Note: For encoding, depending on a parameter, the substitution
routine can choose from three different lookup tables; for this
sample, only one lookup table was used every time.

Step 2: XOR Modifier

The substituted data is passed is passed ot the XOR modifier shown
in Figure 16.

Figure 16: XOR Modifier routine

Different XOR modifiers are used as shown in Table 2:

Table 2: XOR modifier

The same XOR modifier algorithm has been used by
iBanking/TauSpy Android malware[2].

Step 3: Base64 encoding

The resulting encoded URI is then base64 encoded.

The whole algorithm can be expressed as follows:
encoded_uri  =
base64_encode(substitute (xor_modifier
(modifier, plain_text_uri)))
plain_text_uri = xor_modifier(modifier,

By applying the
substitution and XOR algorithms described above to the original


we get the following encoded URI:


This URI is transformed with standard Base64 encoding,
resulting in:


Which finally is used to send the beacon shown in Figure

Figure 17: Fully encoded LATENTBOT beacon

The CnC replies with:

The decoded URI yields:


Which is actually the name of a module (Bot_Engine, and a unique ID) to be downloaded
later during execution.

the Plugins

At this point, LATENTBOT is ready to start downloading
the different plugins by sending the beacon shown in Figure 18:

GET /m/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;
Cache-Control: no-cache

Figure 18: LATENTBOT download beacon

The modules names pretend to be ZIP files but are in
fact encoded data that is saved into the registry key secure as shown in Figure 19.

Figure 19: Registry keys storing
the malicious plugins

Decrypting the plugin names using the XOR modifier algorithm from
Figure 16 with modifier 0x2328 gives the
following module names:
1.    hdtWD3zyxMpSQB = Bot_Engine

2.    QdW/DoI2F9J = Security

3.    RRrIibQs+WzRVv5B+9iIys+17huxID = Remote_desktop_service

4.    VRWVBM6UtH6F+7UcwkBKPB = Vnc_hide_desktop

5.    zRlBb9ofmNVErtdu = Pony_Stealer

The registry values shown at the bottom of Figure 19
have a specific purpose depending on the plugin being used. The values
can be used as status or integrity-check flags or used to store
encoded binaries.

Figure 20 is a diagram showing how the
plugins will be loaded:

Figure 20: Plugins Architecture


A new DLL (InjectionHelper, see Figure 20) is decoded
from the resources of the sixth stage Delphi binary and loaded to the
current process via BTMemoryLoader, which
will eventually load (via the jMex export)
the main plugin BOT_ENGINE.
The main purpose of InjectionHelper
is to load svchost.exe and replace it in
memory – via the process hollowing technique – with the binary
supplied as an argument. This DLL is actually used by other plugins
any time a new binary needs to be loaded in memory.

InjectionHelper loads the BOT_ENGINE plugin,
it will re-inject itself into new instances of svchost.exe multiple times before commencing
execution, as seen in Figure 21.

Figure 21: BOT_ENGINE process
hollowing chain

Plugins Description


BOT_ENGINE is the main plugin responsible for loading
the rest of the plugins. The loading technique is the same as
previously documented using the BTMemoryLoader Library. BOT_ENGINE communicates
closely with the SECURITY module. The SECURITY module checks the
system to see if any antivirus solution was installed, using a list of
AV products’ default installation paths (see Appendix 1). This list is
encrypted with the algorithm from Figure 16 using the modifier 0xBB8.

If an AV is found on the
system, the callback will include a GET parameter av=<number> (e.g., Avast will be av=1).

There is also a check for GPUs
with EnumDisplayDevice that tries to detect
display cards from NVidia, ATI and Radeon and report the result with
the vidtype parameter:
3 possible
•    vidtype=1  for
•    vidtype=2   for ATI or
•    vidtype=0 for none of the

BOT_ENGINE is a Delphi program similar to the sixth
stage Delphi loader, but with patched stubs and new threads to do
specific tasks. It extracts data from resources and verifies their
signature using a public key embedded in the malware.
Extracting the public key

A key BLOB was imported via CryptImportKey API. The BLOB contains a 2048-bit
RSA public key used to verify signatures.

Following the
BLOB Header, we can find the 2048 bits RSA public key as shown in
Figure 22.

Figure 22: Public key BLOB
Structure in memory

Other GET parameters that may be sent are shown in Table

Table 3: Other GET Parameters

After BOT_ENGINE is successfully installed and all the
different checks are performed, a query is sent back to the CnC with
the status of plugin installation along with any errors identified.
The plugin GET parameter holds the plugin

Here is an example of a plain text beacon after the
BOT_ENGINE plugin is successfully installed:


Supported BOT_ENGINE commands are listed in Table

Table 4: BOT_ENGINE CnC Commands

PONY Plugin

This plugin is a recent version of Pony Stealer 2.0 malware that
comes with BITCOIN support to steal Bitcoin wallets as seen in Figure 23.

Figure 23: Bitcoin wallet

It looks for wallets for different cryptocurrencies
(similar to VNC Plugin). Refer to List of Bitcoin Wallets and
Currencies 1.

VNC Plugin

The VNC Plugin is actually more than what its name
suggests – it has multiple features:

•    Implements a
•    ICMP Requests
•    MBR Wiper
 Hidden VNC Remote Desktop
•    Manipulate the desktop
 Intercept mouse events

Supported VNC module commands are
listed in Table 5.

Table 5: VNC Plugin BOT Commands

Note: For every command executed, the BOT will send the
encrypted status result to the CnC.

VNC Plugin command: killosanduninstalls

When this command is executed, the following steps will

1. The malicious MBR wiper will be extracted and
decoded from the VNC plugin’s resources and then injected into a new
instance of svchost.exe via the
InjectionHelper  The MBR Wiper overwrites the first 512 bytes of the
hard drive represented by \\.\Physicaldrive0
and exits the injected process.
2.    The parent process will
proceed to delete any traces of the malware from the registry and file
3.    Malicious process running are terminated.
4.    Then the status message “kill os function started + uninstall
+ shutdown mashine from 10 sec …
” is sent to the CnC
 Finally a reboot is forced via the ExitWindowsEx API leaving the infected PC useless.
A quick overview of this process is shown in Figure 24.

Figure 24: Killing the infected PC

The MD5 of the MBR Wiper
(4d0b14024d4a7ffcff25f2a3ce337af8) was submitted to VirusTotal
7 times – from Russia – beginning in July 2013 and it has zero AV

Running VNC

By running the VNC Plugin module on a system, it is
possible to simply watch the end user (the victim, in this case) while
going unnoticed. This differs from a normal RDP session, which would
log off the end user and make the activity easy to identify.

The encoded VNC Plugin is stored in the registry under the


This key stores multiple encrypted subkeys as shown in
Figure 19. The binary will be decoded and injected into svchost.exe
via the InjectionHelper. The IP to connect to is encoded in the
Resources section.

Before injecting the VNC Plugin,
LATENTBOT will search for the following VNC processes running in the
system and kill them to avoid conflicts:

•    tvnserver.exe – TightVNC Software
•    winvnc.exe – UltraVNC Software
•     vncserver.exe – RealVNC Software
•    vncservice.exe – RealVNC Software

VNC Plugin command: getinstallpluginlist

When this command is executed, the plugin list will be
extracted from the registry, as already described. The registry values
will be separated by a dash and the plugins by a comma. The data will
then be encrypted and sent to the CnC server.

Figure 25
is an example of this decrypted plugin list:


Figure 25: Plugin list data decrypted in memory

VNC Plugin command: findgold

This searches the registry recursively starting at HKCU\Software\Classes for strings such as Bitcoin or TrueCrypt. It
also searches the file system starting at %APPDATA%\Roaming and $APPDATA\Roaming\Bitcoin for wallet.dat, MultiBit or Electrum. See Figure 23 in the appendix for a full
list of search terms.

VNC Plugin
command: sendCtrlAltDel

This functionality is implemented by loading as_sas32.dll and calling its sendCtrlAltDel export.

Information Gathering

The plugin will gather system information and report it
to the CnC server only, without using this to stop a process, which
might trigger an alert.

The section Searching for
malware analyst tools
in Appendix 1 lists the program names and
processes that LATENBOT is searching for. Keywords for SoftICE or filemon
(which are retired tools) suggest this specific module was created
long time ago. A specific ID will be assigned to every identified item
identified and will be reported to the CnC server.

same list of AVs listed in the BOT_ENGINE plugin were found in this

RDP Plugin

The built-in RDP client provides easy remote
administration of the victim computer to the attackers, although this
method would be more intrusive (potentially more noticeable to the
victim) than the VNC Plugin.


In this paper we presented different plugins being used
by LATENTBOT. Its architectural design allows the payloads to be
easily updated with new functionalities, so we will be tracking the
deployment of other plugins closely.

is highly obfuscated, due to the multiple process injections
performed, it is noisy enough to be easily detected in memory with a
proper behavior-based solution. Outbound callback tracking and
blocking is also mandatory in cases when the malware was able to
bypass the security controls in place.


Thanks to Nart Villeneuve for his help during this


[2] Original version can be found here: https://github[.]com/strazzere/android-scripts/blob/master/Decoders/TauSpy-iBanking/

Appendix 1



NT\CurrentVersion\Windows\Load  = %AppData%\Roaming\aFwLiiV\dlrznz68mkaa.exe

The binary is a copy of aya.exe

Acrobat\data = <random_value>

With 0 to 5 subkeys representing modules names:


CnC IPs (Some of them are
compromised legitimate websites):


af15076a22576f270af0111b93fe6e03 lssm.exe

BOT_ENGINE Plugin 1: The list of default installation
paths of popular AV

Documents and
Settings\All Users\Application Data\Agnitum
Documents and
Settings\All Users\Application Data\avg10
Documents and
Settings\All Users\Application Data\avg8
Documents and
Settings\All Users\Application Data\avg9
Documents and
Settings\All Users\Application Data\Avira
Documents and
Settings\All Users\Application Data\Doctor Web
Documents and
Settings\All Users\Application Data\ESET
Documents and
Settings\All Users\Application Data\f-secure
Documents and
Settings\All Users\Application Data\G DATA
Documents and
Settings\All Users\Application Data\Kaspersky Lab\
and Settings\All Users\Application Data\McAfee
Documents and
Settings\All Users\Application Data\Microsoft\Microsoft
Documents and Settings\All Users\Application
Data\PC Tools
Documents and Settings\All Users\Application
Documents and Settings\All Users\Application
Data\Trend Micro
Documents and Settings\All Users\AVAST
Documents and Settings\NetworkService\Local
Settings\Application Data\F-Secure
Program Files\Alwil Software
Files\AVAST Software
Program Files\AVG
Program Files\BitDefender9
Files\Common Files\Doctor Web
Program Files\Common Files\G
Program Files\Common Files\PC Tools
Program Files\ESET
Program Files\F-Secure
Internet Security
Program Files\FRISK Software
Files\Kaspersky Lab
Program Files\McAfee
Files\Microsoft Security Essentials
Program Files\Norton
Program Files\Panda Security
Files\PC Tools Internet Security

Program Files\Symantec
Files\Trend Micro
Program Files\Vba32

VNC Plugin:

Searching for malware analyst tools


PONY STEALER Plugin: List of
Bitcoin Wallets and Currencies 1

Bitcoin Currencies:



Electrum wallet
Multibit wallet

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog