Researchers have documented the evolution of Loda, a Remote Access Trojan (RAT) which is leaving its simple roots to become an established threat in the US and other countries.
Loda was first observed in 2016. According to Proofpoint, the AutoIT-based RAT is able to access and exfiltrate both system and user information, act as a keylogger, take screenshots, launch and close processes, and download additional malware payloads via a connection to a command-and-control (C2) server.
A new version of the Trojan has been tracked in past months, revealing an upgraded arsenal.
Deemed a "simple yet effective RAT that has matured over time," the malware has been spotted in recent campaigns targeting victims across the US, alongside South and Central America, Cisco Talos cybersecurity researcher Chris Neal said on Wednesday.
The latest variant of Loda, version 1.1.1, has revamped obfuscation techniques to improve its stealth capabilities and new mechanisms are also in play to maintain persistence on systems after shutdown.
While similar to past versions, the majority of Loda's strings and variables are now encoded and the malware is able to perform WMI queries to detect installed antivirus software. Another new capability is the ability to read the contents of "\filezilla\recentservers.xml," a document that contains IP addresses, usernames, and passwords used by Filezilla servers.
The active attack wave, going back as far as the final quarter of 2019, sends the bulk of its C2 server queries to 4success[.]zapto[.]org from Brazil, Costa Rica, and the US. Another domain believed to be involved, success20[.]hopto[.]org, is receiving queries from Argentina, Brazil, and the United States.
These domains are key in the Loda infection chain as they host documents that ultimately serve malicious payloads.
The attack begins with a common technique, a phishing email, which contains a first-stage malicious document as an attachment. One sample investigated by the researchers, titled "comprobante de confirmación de pago.docx," contains an OOXML relationship that points to a second document, a Rich Text Format (RTF) file hosted on lcodigo[.]com.
The RTF file contains the author tag "obidah qudah" which has been connected to close to 1,300 malicious RTF files uploaded to VirusTotal since 2017.
To conceal its malicious nature, the RTF file contains an OLE exploit with the exploit embedded inside, and a control word technique is used to break up the object and prevent parsers from fully reading the file.
If downloaded, the second document will attempt to exploit CVE-2017-11882, a memory corruption vulnerability found in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016. The critical security flaw permits the execution of arbitrary code if exploited.
Cofense researchers have found other samples that utilize the same security vulnerability. Emails related to life insurance, subscriptions, and Amazon 'changes' in policy have been connected to past campaigns.
Should an infection attempt prove to be successful, a malicious MSI file is served to the victim containing the Trojan.
"Loda is simple yet has proven to be effective, and poses a serious threat to an infected host," the researchers say. "The credential-stealing capabilities could lead to significant financial loss or a potential data breach. [..] and the change in persistence mechanisms and AV solution detection show that the malware authors are actively improving the functionality of Loda."
Talos researchers have provided Indicators of Compromise (IoCs) which can be accessed here.
Previous and related coverage
- Intel warns of critical security flaw in CSME engine, issues discontinued product notices
- KBOT virus takes out system files with no hope of recovery
- Outlaw hacking group kills existing cryptocurrency miners in enterprise server attacks
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0