LATENTBOT
LatentBot is a highly obfuscated modular malware family that has been in the wild since at least 2013.
Profile source: Mallory opens in a new tabLATENTBOT
Family profile
LatentBot is a highly obfuscated modular malware family that has been in the wild since at least 2013. FireEye described it as using a modular plugin architecture and noted associations with Pony infostealer campaigns. It has been observed as a final payload delivered through malicious Microsoft Office RTF/Word documents exploiting CVE-2017-0199, where crafted documents used embedded OLE2 link objects to retrieve remote HTA/VBScript/PowerShell content via winword.exe and mshta.exe, terminate winword.exe to hide prompts, download additional stages, and open decoy documents. In one documented chain, the exploit downloaded components including maintenance.vbs, an obfuscated JavaScript stage, and a final executable (wood.exe) that was identified as a newer LatentBot variant. Reported LatentBot techniques include attrib.exe patching, svchost.exe code injection, SetThreadContext-based control transfer, and browser injection using ZwMapViewOfSection/NtMapViewOfSection. FireEye reported that the payload infrastructure changed during observation and that the LatentBot C2 moved to 217.12.203[.]100, though the server was offline at the time of analysis. Separately, Zscaler reported that newer Grandoreiro variants adopted a command-and-control communication pattern identical to LatentBot, specifically using "ACTION+HELLO" beacons and ID-based cookie value responses; similarities between Grandoreiro and LatentBot were first noted in 2020. U.S. government reporting also associated LatentBot with exploitation of CVE-2017-0199 affecting Microsoft Office and multiple Windows versions.
Exploited software
Vulnerabilities linked to LATENTBOT
1 CVEsMITRE ATT&CK
LATENTBOT in ATT&CK
4 distinct techniquesReporting
Research mentioning LATENTBOT
Grandoreiro banking malware targets manufacturers in Spain, Mexico
The C2 communication pattern is now identical to that of LatentBot, using "ACTION+HELLO" beacons and ID-based cookie value responses.
Top 10 Routinely Exploited Vulnerabilities | CISA
CVE-2017-0199 ... Associated Malware: FINSPY, LATENTBOT, Dridex
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler " Threat Research Blog | FireEye Inc
"The final payload utilized in this malware is a newer variant of the LATENTBOT malware family."