Researchers at FireEye spotted a stealthy bot dubbed “LATENTBOT” that has targeted the financial services and insurance sectors, as well as several other industries, in the U.S., U.K., South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland.
The malicious application features multiple layers of obfuscation, MBR wiping ability, a hidden VNC connection and a modular design that allows easy updates on victim machines, according to a Dec. 11 blog post. LATENTBOT can also drop Pony malware as a module to act as an infostealer, remove decrypted strings from memory after they are used, hide applications in a different desktop, and has similarities to ransomlock malware, the post said.
These features allow the bot to monitor victims while evading detection, and give it the potential to corrupt a hard drive. Researchers believe the malware has been active since mid-2013.
“Although LATENTBOT is highly obfuscated, due to the multiple process injections performed, it is noisy enough to be easily detected in memory with a proper behavior-based solution,” the post said.