A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also hunts down Android devices and spies on victims.
Along with this, an updated version of LodaRAT for Windows has also been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.
The campaign reflects an overarching shift in strategy for LodaRAT’s developers, as the attack appears to be driven by espionage rather than its previous financial goals. While previous versions of LodaRAT contained credential-stealing capabilities that researchers speculated were used for draining victims’ bank accounts, these newer versions come with a full roundup of information-gathering commands.
“The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,” said researchers with Cisco Talos, on Tuesday. “Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.”
What is the LodaRAT Malware?
LodaRAT, first discovered in September 2016, is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording audio from the microphones and video from the webcams of victims’ devices. The name “Loda” is derived from the directory to which the malware author chose to write keylogger logs.
Since its discovery in 2016, the RAT has proliferated, with multiple new versions spotted in the wild as recently as September. The RAT, which is written in AutoIt, appears to be distributed by multiple cybercrime groups that have used it to target numerous verticals.
Recent LodaRAT Cyberattack in Bangladesh
Researchers observed a campaign involving LodaRAT that began in October and is still active. The attackers appear to have a specific interest in Bangladesh-based organizations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.
Vitor Ventura, Cisco Talos’ technical lead and senior security researcher, told Threatpost that the initial attack vectors for the campaign involved emails sent to victims with links to malicious applications (involving both the Windows and Android versions) or malicious documents (involving just the Windows version).
“The campaign uncovered targeting Bangladesh used different levels of lures, from typosquatted domains, to file names directly linked to products or services of their victims,” said researchers.
For the Windows-targeting maldoc attack, once the victim opened the malicious document, a malicious RTF file exploiting CVE-2017-11882 (a remote code-execution vulnerability in Microsoft Office) was used to download LodaRAT.
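As an added example (not code from Cisco Talos or from the article), the Python triage script below flags RTF files that embed an OLE object whose class is Equation Editor (`Equation.3`), the Office component that CVE-2017-11882 exploit documents load; the RTF fragments are constructed for the demonstration, not samples from the campaign.

```python
import binascii
import re

# Constructed RTF fragments (not campaign samples). An RTF carries an embedded
# OLE object as hex inside \objdata; the OLE1 header in that hex names the class.
# Equation.3 is the Equation Editor class that CVE-2017-11882 documents target.
EQN_OBJDATA = "01050000" "02000000" "0b000000" "4571756174696f6e2e3300"  # "Equation.3\0"
PKG_OBJDATA = "01050000" "02000000" "08000000" "5061636b61676500"        # "Package\0"
BENIGN_RTF = r"{\rtf1{\object\objemb{\*\objclass Package}{\*\objdata " + PKG_OBJDATA + "}}}"
SUSPECT_RTF = r"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata " + EQN_OBJDATA + "}}}"
# Exploit builders often omit \objclass, so only the decoded hex reveals the class.
HIDDEN_RTF = r"{\rtf1{\object\objemb{\*\objdata " + EQN_OBJDATA + "}}}"

OBJCLASS_RE = re.compile(r"\\objclass\s*([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def ole1_class_name(blob):
    """Return the class name from an OLE1 embedded-object header, or None."""
    # Header layout: version (4 bytes), format id (4 bytes, 2 = embedded object),
    # class-name length (4 bytes), then the NUL-terminated ASCII class name.
    if len(blob) < 12 or int.from_bytes(blob[4:8], "little") != 2:
        return None
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("ascii", "replace")


def scan_rtf(text):
    """Return findings for Equation Editor objects declared or hidden in the RTF."""
    findings = []
    for m in OBJCLASS_RE.finditer(text):          # explicit \objclass control word
        cls = m.group(1).strip()
        if cls.lower().startswith("equation"):
            findings.append("objclass=" + cls)
    for m in OBJDATA_RE.finditer(text):           # class name inside the OLE1 hex
        hexdata = re.sub(r"\s+", "", m.group(1))
        try:
            blob = binascii.unhexlify(hexdata[: len(hexdata) // 2 * 2])
        except binascii.Error:
            continue
        cls = ole1_class_name(blob)
        if cls and cls.lower().startswith("equation"):
            findings.append("objdata class=" + cls)
    return findings
```

Equation Editor objects also appear in legitimate older documents, so treat a hit as a triage signal for sandboxing or closer inspection rather than a verdict.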
LodaRAT’s New Android Variant
The Android version of the LodaRAT malware, which researchers call “Loda4Android,” is “relatively simple when compared to other Android malware,” said researchers. For instance, the RAT has specifically avoided techniques often used by Android banking trojans, such as leveraging the Accessibility APIs, in order to steal data.
The underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, said researchers – suggesting that the C2 code will be able to handle both versions.
Also, Loda4Android has “all the components of a stalker application,” said researchers. The malware collects location data and records audio, and can take photos and screenshots.
“It can record audio calls, but it will only record what the victim says but not what the counterpart says,” said researchers. “The common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it’s not capable of intercepting the SMS or the calls, like it’s usually seen in banker trojans.”
Fresh Windows Loda Version
The new version of the LodaRAT that targets Windows systems is version 1.1.8. While it’s mostly the same as previous versions, new commands have been added that extend its capabilities.
For one, the version comes with new commands that give the threat actor remote access to the target machine via the Remote Desktop Protocol (RDP). The new version can now leverage the BASS audio library to capture audio from a connected microphone. BASS is used in Win32, macOS, Linux and PocketPC software to provide streaming and recording functions for music.
“This new command is an improvement on the previous ‘Sound’ command which used Windows’ built-in Sound Recorder,” said researchers. “The reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor.”