LatentBot Trojan spreading via the Rig Exploit Kit

The malware is not very sophisticated and has a high detection rate amongst anti-virus vendors.

The malware acts as a keylogger, form-grabber and is able to provide remote access to malicious actors through VNC or Remote Desktop (RDP) similar to Remote Access Trojans (RAT)

LatentBot has a relatively complicated installation process that is designed to hinder researchers’ ability to analyse its actions and help it to remain quiet on the operating system.

There are several modules involved in LatentBot, are responsible for various actions. After LatentBot is deployed, the malware installs itself and injects into the svchost process, it will then remove the binary downloaded.

Most of the modules are obfuscated, and use encoded names for modules and responses, making it harder to analyse.

LatentBot downloads the following modules:

• FtUFJu5xP3C (formgrab) - This module is responsible for grabbing form data.
• hdtWD3zyxMpSQB (Bot_Engine) - This module is responsible for communications with the Command and Control (C2) server and fingerprinting the environment.
• l551X+rNDh3B4A (Found_Core) - This module is used to export various functions that can be used to make injections into 64bit applications.
• QdG8eO0qHI8/Y1G (send_report) - This module is responsible for sending reports about the operation status.
• QdW/DoI2F9J (security) - This module is responsible for detecting what security programs are being run on the infected device.
• RRrIibQs+WzRVv5B+9iIys+17huxID (remote_desktop_service) - This module, as the name suggests, is responsible for allowing remote access via RDP.
• VRWVBM6UtH6F+7UcwkBKPB (vnc_hide_desktop) - This module, as the name suggests, is responsible for allowing remote access through VNC.
• w97grmO (Socks) - This module is responsible for creating a SOCKS proxy.