LodaRAT Update: Alive and Well


By Chris Neal.

During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality.
Multiple new versions of LodaRAT have been spotted being used in the wild.
These new versions of LodaRAT abandoned their previous obfuscation techniques.
Direct interaction with the threat actor was observed during analysis, indicating the actor is actively monitoring infected hosts.

What's New?


Talos recently identified new versions of LodaRAT, a remote access trojan written in AutoIt. Not only have these versions abandoned their usual obfuscation techniques, but several functions have also been rewritten and new functionality has been added. In one version, a hex-encoded PowerShell keylogger script has been added, along with a new VB script, only to be removed in a later version. Direct interaction from the threat actor was observed during analysis.
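A defender-side illustration of the hex-encoded payload technique mentioned above, added here as an example and not code from Talos or from the malware: it pulls long hex string literals out of a script, decodes them, and reports any that decode to PowerShell. The sample script is constructed, the minimum blob length and the indicator token list are assumptions, and nothing here is specific to LodaRAT.

```python
"""Find long hex-encoded string literals in a script and check whether they
decode to PowerShell. Added example; the sample script is constructed and the
indicator list is an assumed heuristic, not an IoC set from the post."""
import re

# A run of at least 20 encoded bytes (40 hex digits); shorter runs are usually
# colours, handles or other innocuous constants. Threshold is an assumption.
HEX_LITERAL = re.compile(
    r'(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){20,})(?![0-9A-Fa-f])'
)

# Tokens that suggest a decoded blob is PowerShell (assumed indicator list).
PS_INDICATORS = ("powershell", "-noprofile", "-command",
                 "-encodedcommand", "invoke-", "add-type")


def decode_hex_blobs(text):
    """Return (hex_literal, decoded_text) for every long hex run found."""
    results = []
    for match in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(match.group(1))
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Fall back so that binary blobs still surface for inspection.
            decoded = raw.decode("latin-1")
        results.append((match.group(1), decoded))
    return results


def looks_like_powershell(decoded):
    """Require two independent indicators to keep false positives down."""
    lowered = decoded.lower()
    return sum(1 for token in PS_INDICATORS if token in lowered) >= 2


def scan_script(text):
    """Return the decoded blobs that look like embedded PowerShell."""
    return [decoded for _, decoded in decode_hex_blobs(text)
            if looks_like_powershell(decoded)]


# Constructed sample in an AutoIt-like style: one benign hex blob and one that
# decodes to a PowerShell command line. Neither comes from a real sample.
PS_FRAGMENT = ('$log = "C:\\temp\\k.txt"; '
               'powershell -NoProfile -Command Start-Sleep 1')
SAMPLE = (
    'Local $a = "' + "hello world, nothing to see".encode().hex() + '"\n'
    'Local $b = "' + PS_FRAGMENT.encode().hex() + '"\n'
    'Run("cmd.exe")\n'
)

if __name__ == "__main__":
    for hit in scan_script(SAMPLE):
        print("Embedded PowerShell found:", hit)
```

Pointing this at a decompiled AutoIt script rather than the constructed sample is the intended use; the two-indicator rule is deliberately conservative, so a blob that decodes to plain text with a single stray keyword is not reported.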

So What?


Since our blog post on Loda in February 2020, Talos has been continually monitoring LodaRAT for new behavior. Recently there have been several changes that indicate the authors are learning new techniques to improve the effectiveness of Loda. While these changes are somewhat minor, they show that the authors are continually developing Loda into a more robust RAT.

Distribution


In previous campaigns, the infection chain started with a malicious Microsoft Word document that downloaded a second document which then exploited CVE-2017-11882. The exploit payload in turn downloaded an MSI that contained the compiled Loda AutoIt script.

The samples analyzed in this post were distributed in ..
