A new variant of the LodaRAT malware is actively targeting Windows users worldwide in an ongoing campaign to steal sensitive information, including login credentials and browser cookies.
Cybersecurity researchers at Rapid7 have uncovered this latest iteration of the remote access trojan (RAT), which has been in circulation since 2016.
The updated LodaRAT version demonstrates enhanced capabilities, particularly in its ability to extract cookies and passwords from popular web browsers like Microsoft Edge and Brave.
This represents a significant evolution from its original purpose of information gathering, as the malware now possesses a wide array of functions for data exfiltration, additional malware delivery, screen capture, and even control over the victim’s camera and mouse.
Unlike previous versions that relied on phishing emails and known vulnerability exploitation, the new LodaRAT samples are being distributed through more sophisticated means. Researchers at Rapid7 have observed the malware being deployed via DonutLoader and CobaltStrike, two well-known malware delivery tools.
Additionally, LodaRAT has been found on systems infected with other malware families such as AsyncRAT, Remcos, and Xworm, though the exact relationship between these infections remains unclear.
While earlier campaigns of LodaRAT targeted specific countries or organizations, the current attack appears to have a much broader scope.
Victims have been identified across the globe, with approximately 30% of samples uploaded to VirusTotal originating from the United States. This shift in targeting strategy suggests either a change in the threat actor’s objectives or potentially indicates that multiple groups are now utilizing the LodaRAT codebase.
Technical Analysis
Upon execution, LodaRAT employs various techniques to establish persistence on infected systems. These methods include:
- Adding entries to the Windows registry run key
- Creating scheduled tasks to execute the malware regularly
- Disguising itself as legitimate software like Discord, Skype, or Windows Update
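As an added illustration (not from Rapid7's report or this article), the following PowerShell hunt checks for the persistence pattern described above: Run-key values and scheduled tasks whose names mimic Discord, Skype or Windows Update but whose executable sits outside the directories those programs normally install to. The lure names come from the article; the expected-path list and the helper function name are assumptions to tune per environment.

```powershell
# Added defender example: flag Run-key and scheduled-task persistence that borrows
# a Discord / Skype / Windows Update name but runs a binary from an unexpected path.
$LureNames = 'Discord', 'Skype', 'Windows Update', 'WindowsUpdate'

# Assumed legitimate roots for those programs (adjust for your estate).
$ExpectedRoots = @(
    "$env:LOCALAPPDATA\Discord",
    "$env:LOCALAPPDATA\Microsoft\WindowsApps",
    "${env:ProgramFiles(x86)}\Microsoft\Skype for Desktop",
    "$env:SystemRoot\System32"
)

function Test-LooksLikeLure {
    param([string]$Name, [string]$Command)
    $nameHit = $LureNames | Where-Object { $Name -match [regex]::Escape($_) }
    if (-not $nameHit) { return $false }
    # Pull the executable out of a command line: "C:\x\y.exe" args  or  C:\x\y.exe args
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($Command -match '^\s*(\S+)') { $Matches[1] } else { $Command }
    foreach ($root in $ExpectedRoots) {
        if ($exe -like "$root\*") { return $false }   # lure name, but expected location
    }
    return $true
}

$findings = @()

# 1. Registry Run keys (per-user and machine-wide)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
        if (Test-LooksLikeLure -Name $p.Name -Command ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose name mimics the same lures
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }       # non-exec actions carry no binary
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if (Test-LooksLikeLure -Name $task.TaskName -Command $cmd) {
            $findings += [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it elevated so the HKLM key and all task paths are readable; an empty table means no name-mimicking entry was found outside the expected roots, not that the host is clean.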
The malware performs initial reconnaissance on the infected system, gathering information such as the OS version, user privileges, antivirus status, and hardware details.
This data is then transmitted to the command and control (C2) server, allowing the attackers to tailor their approach to each victim.
LodaRAT’s capabilities have grown significantly since its inception. Key features of the latest version include:
- Downloading and executing additional payloads
- Remote command execution
- Mouse and keyboard control
- Screen capture and webcam access
- Browser credential and cookie theft
- Windows Firewall manipulation
- File enumeration and exfiltration
- Audio recording via microphone
- Local user account creation
The continued evolution and widespread distribution of LodaRAT underscore the persistent threat posed by well-established malware families.
Despite being in circulation for nearly eight years, LodaRAT remains an effective tool for cybercriminals, capable of causing significant financial and data security damage to infected organizations and individuals.
To mitigate the risk of LodaRAT infections, users and organizations should:
- Keep all software and operating systems up-to-date
- Implement robust email filtering and anti-phishing measures
- Use reputable antivirus and endpoint detection solutions
- Educate employees about the risks of opening suspicious attachments or links
- Regularly back up important data and store backups offline
- Monitor systems for unusual activity or unauthorized access attempts
As LodaRAT continues to evolve and spread, maintaining vigilance and implementing strong cybersecurity practices remain crucial in defending against this persistent threat.