Skip to content
Malware family

LATENTBOT

LatentBot is a highly obfuscated modular malware family that has been in the wild since at least 2013.

Profile source: Mallory opens in a new tab

LATENTBOT

Family profile

LatentBot is a highly obfuscated modular malware family that has been in the wild since at least 2013. FireEye described it as using a modular plugin architecture and noted associations with Pony infostealer campaigns. It has been observed as a final payload delivered through malicious Microsoft Office RTF/Word documents exploiting CVE-2017-0199, where crafted documents used embedded OLE2 link objects to retrieve remote HTA/VBScript/PowerShell content via winword.exe and mshta.exe, terminate winword.exe to hide prompts, download additional stages, and open decoy documents. In one documented chain, the exploit downloaded components including maintenance.vbs, an obfuscated JavaScript stage, and a final executable (wood.exe) that was identified as a newer LatentBot variant. Reported LatentBot techniques include attrib.exe patching, svchost.exe code injection, SetThreadContext-based control transfer, and browser injection using ZwMapViewOfSection/NtMapViewOfSection. FireEye reported that the payload infrastructure changed during observation and that the LatentBot C2 moved to 217.12.203[.]100, though the server was offline at the time of analysis. Separately, Zscaler reported that newer Grandoreiro variants adopted a command-and-control communication pattern identical to LatentBot, specifically using "ACTION+HELLO" beacons and ID-based cookie value responses; similarities between Grandoreiro and LatentBot were first noted in 2020. U.S. government reporting also associated LatentBot with exploitation of CVE-2017-0199 affecting Microsoft Office and multiple Windows versions.

Exploited software

Vulnerabilities linked to LATENTBOT

1 CVEs

MITRE ATT&CK

LATENTBOT in ATT&CK

4 distinct techniques

Reporting

Research mentioning LATENTBOT

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.