Loda RAT Grows Up

upnorth

Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.
Loda is a simple, yet effective, RAT that has matured over time. This RAT is a good example of how effective relatively simple techniques combined with basic obfuscation can be. The techniques this malware employs are of fairly low complexity and show that slight changes in implementation can significantly reduce detection rates. Telemetry from Cisco Umbrella shows that this campaign is quite active and seems to be targeting countries in South America, Central America and the U.S. The majority of the queries to the C2 domain "4success[.]zapto[.]org" originate from Brazil, Costa Rica and the United States. Similarly, the queries to "success20[.]hopto[.]org" originate from Argentina, Brazil and the United States. Our telemetry also shows that C2 communications go as far back as the last quarter of 2019.
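As an added example (not Loda's code and not Talos's tooling), the script below is the kind of hunting logic a defender would run over endpoint telemetry to surface the two behaviours the post calls out: WMI enumeration of antivirus products through the root\SecurityCenter2 AntiVirusProduct class, and persistence set up through more than one mechanism. The event records are constructed to look like Sysmon (EventID 1 and 13) and PowerShell script-block (EventID 4104) fields; the post does not say which persistence mechanisms Loda uses, so Run keys and scheduled tasks are assumed here as representative ones.

```python
import re

# Constructed sample events, shaped like Sysmon (EventID 1 = process create,
# EventID 13 = registry value set) and PowerShell script-block logging
# (EventID 4104). None of this is real Loda telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\svchost.exe"'},
    {"EventID": 4104,
     "ScriptBlockText": r"Get-WmiObject -Namespace root\SecurityCenter2 "
                        r"-Class AntiVirusProduct | Select-Object displayName"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\victim\AppData\Roaming\svchost.exe"'},
    {"EventID": 1,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

# WMI/CIM query for installed AV products (wmic, Get-WmiObject, Get-CimInstance all
# name the same namespace and class).
AV_ENUM = re.compile(r"securitycenter2.*antivirusproduct", re.I)
# Autorun registry values (HKLM/HKCU ...\CurrentVersion\Run and RunOnce).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Scheduled-task creation from the command line.
SCHTASK = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)
# Directories an unprivileged user can write to; assumed list, extend to taste.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.I)


def classify(event):
    """Return the rule tags one event trips (empty list if none)."""
    text = " ".join(event.get(k, "") for k in ("CommandLine", "ScriptBlockText"))
    tags = []
    if AV_ENUM.search(text):
        tags.append("av_enum_wmi")
    if event.get("EventID") == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        tags.append("persist_runkey")
    if SCHTASK.search(text):
        tags.append("persist_schtask")
    # Context rather than a detection on its own: a hit whose binary or target
    # lives in a user-writable directory is a stronger signal than one from System32.
    if tags and USER_WRITABLE.search(event.get("Image", "") + " " + text):
        tags.append("user_writable_path")
    return tags


def hunt(events):
    """Return [(index, tags)] for every event that tripped at least one rule."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


def persistence_mechanisms(events):
    """Distinct persistence techniques seen; the post notes Loda now uses several."""
    return sorted({t for _, tags in hunt(events) for t in tags if t.startswith("persist_")})


if __name__ == "__main__":
    for i, tags in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(tags)}")
    print("persistence mechanisms:", persistence_mechanisms(SAMPLE_EVENTS))
```

The AV-enumeration rule is deliberately loose (namespace and class name in either order of tooling) because the same query is legitimately run by administrators; the user-writable-path tag is what separates a RAT dropped into AppData from an admin checking AV status from a signed management tool. A single matching rule is a lead, not a verdict; two different persistence tags on the same binary is what makes the pattern in the post stand out.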
