Threat actors have been actively employing Loda, a remote access trojan (RAT) developed in AutoIT, an accessible language for automating Windows computer scripting.
The malware may deliver various harmful payloads in addition to keylogging, taking pictures, and stealing passwords and other sensitive information.
The most frequent attack method used to infect victims’ systems with Loda is phishing email campaigns, which have been used since 2016.
The Kasablanka group, an advanced persistent threat (APT) from Morocco that often released new versions of the malware, appears to have been the original developers of Loda.
Other threat actors also use the malware, such as YoroTrooper, who has used a Loda malware variant to attack numerous organizations globally, with the most recent attacks starting as early as 2023.
Targeting mostly hospitality companies in Europe and North America, TA558 is another APT that uses Loda in its harmful operations.
Capabilities of Loda Malware
- Utilize Remote Desktop Protocol (RDP) to access the infected machine.
- Data and file theft.
- Run more malicious software that has been uploaded to the system.
- Keep track of user keystrokes and mouse clicks.
- Listen to the microphone.
- Take screenshots and webcam pictures.
- Use a chat window to communicate with the victim.
- To get a list of every antivirus program installed on the host machine, do a WMI query.
The Working of Loda RAT
According to the Any Run report shared with Cyber Security News, Threat actors use phishing email campaigns to spread Loda onto victims’ computers. Typically, such emails include attachments in various forms, such as PDFs, executables, and Microsoft Office documents, all of which contain dangerous malware.
Loda RAT employs string obfuscation on most of its variables, making it challenging for security researchers to analyze its code.
Loda RAT initializes the variables appropriately and deobfuscates the strings during runtime. Another method that Loda RAT uses is function name randomization, which involves giving functions in the code random names.
Loda replicates itself within the temporary files folder of the targeted machine, then runs the copy to avoid detection. Additionally, Loda RAT creates a scheduled job to launch immediately as soon as the machine boots up.
Following the execution, the malware sends critical system information to its C&C server, including the IP address, operating system version, and architecture.
Analyzing any suspicious attachment or URL in a free interactive malware sandbox like ANY.RUN can instantly provide you with a conclusive verdict.
Loda RAT also has an Android version. It is a tracking tool that can track down victims and record any audio-based conversations that start with the user. In addition, it can spy on SMSs and even place calls without the users’ awareness.
Loda first dumps executables into the %appdata%, Startup, and Temp directories. After that, it launches a service using schtasks to gain persistence, runs a Visual Basic script, and connects to the C&C server.
A sample of Loda RAT executed in the ANY.RUN interactive sandbox exposes the malware’s malicious activities and IOCs.
Several criminal groups employ Loda RAT. For instance, to disseminate Loda and Revenge RAT in 2019, TA558 used PowerPoint attachments loaded with macros. In contrast, in 2022, the group shifted to container formats (such as RAR) and broadened their payload choices to include AsyncRAT.
Similarly, the Kasablanka APT launched a multi-stage attack in 2022 that targeted government institutions and used .iso email attachments for distributing the Loda and WarZone RAT malware.
Many criminal actors use the configuration design and accessibility of this malware to launch attacks on companies and governmental institutions worldwide.
Therefore, the simplest way to prevent Loda from unintentionally installing on your system is to avoid opening spam emails and exercise caution when opening suspicious URLs and files.
We recommend ANY.RUN sandbox for free without limit to get nearly instant reports on any file or link, gain an in-depth look at their activities, and discover the latest samples in the service’s database.
Experience the Power of Interactive Malware Analysis from ANY(.)RUN For Free Here