A stealthy strain of malware resident only in memory has been quietly pwning victims around the world for two years.

The backdoor, dubbed Latentbot, that has been well hidden on the web since at least mid-2013 if not earlier. The payload never touches the victims' hard disks and stays only in memory, according to security researchers at FireEye.

“It has managed to leave barely any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless,” FireEye’s Taha Karim and Daniel Regalado explain in a blog post.

Latentbot infection cycle

Companies in US, UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland have all been targeted by Latentbot this year alone. FireEye detected the attacks from logs held by its Dynamic Threat Intelligence platform. Prime targets include firms in the financial services and insurance sectors.

“Although the infection strategy is not new, the final payload dropped – which we named Latentbot – caught our attention as it implements multiple, new layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organisations,” according to FireEye.

“The use of custom encryption algorithms and well-known protocols – such as the recent implementation of Diffie-Hellman in the Angler Exploit Kit – makes it more difficult to detect at the network level, thus raising the bar of sophistication,” it adds.

The modular design of the malware allows crooks to easily update malicious code on compromised machines and install secondary infections, such as the Pony infostealer that comes outfitted with modules for Bitcoin theft.

Latentbot won’t run in Windows Vista or Server 2008. The malware platform uses compromised websites as command infrastructure, making infection easier and detection harder. And command and control communications are encrypted.

One of the main vectors of infection is malicious emails containing an old Word exploit created with Microsoft Word Intruder (MWI) builder. When the attached Word document is opened, an embedded malicious executable runs, beaconing to the MWISTAT Server. This malicious code is a full-featured RAT that has the ability to steal passwords, record keystrokes, transfer files and enable attached microphones or webcams.

Most malware infections would stop there because the infected box is already comprehensively pwned. However FireEye researchers discovered another payload is being downloaded from a secondary Command and control server. This new module is Latentbot which, in turn, downloads further malicious payloads.

“Although Latentbot is highly obfuscated; due to the multiple process injection performed, it is noisy enough to be easily detected in memory with a proper behaviour-based solution,” according to FireEye. “Outbound callback tracking and blocking is also mandatory in cases when the malware was able to bypass the security controls in place.” ®