Loda RAT Grows Up

upnorth

Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.
Loda is a simple, yet effective, RAT that has matured over time. This RAT is a good example of how effective relatively simple techniques combined with basic obfuscation can be. The techniques this malware employs are of fairly low complexity and show that slight changes in implementation can significantly reduce detection rates. Telemetry from Cisco Umbrella shows that this campaign is quite active and seems to be targeting countries in South America, Central America and the U.S. The majority of the queries to the C2 domain "4success[.]zapto[.]org" originate from Brazil, Costa Rica and the United States. Similarly, the queries to "success20[.]hopto[.]org" originate from Argentina, Brazil and the United States. Our telemetry also shows that C2 communications go as far back as the last quarter of 2019.
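As an added example (not part of the post or the Talos write-up), a small defender-side scanner that refangs the two C2 domains quoted above and flags any DNS log line querying them or one of their subdomains; the log format and the client addresses are constructed for illustration.

```python
from collections import Counter

# C2 domains named in the quoted Talos text, kept in defanged form.
DEFANGED_C2 = ["4success[.]zapto[.]org", "success20[.]hopto[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

# Constructed sample DNS log (not real telemetry): "<timestamp> <client> <qname>".
SAMPLE_LOG = """\
2020-02-12T10:01:05Z 10.0.0.15 www.example.com
2020-02-12T10:01:09Z 10.0.0.15 4success.zapto.org
2020-02-12T10:02:44Z 10.0.0.22 SUCCESS20.hopto.org.
2020-02-12T10:03:01Z 10.0.0.31 mail.success20.hopto.org
2020-02-12T10:03:30Z 10.0.0.31 zapto.org
"""


def matches_c2(qname: str) -> bool:
    """True if qname is a listed C2 domain or a subdomain of one.
    Case and a trailing root dot are normalised first, so a resolver that
    logs 'SUCCESS20.hopto.org.' still matches; the bare parent 'zapto.org' does not."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan_dns_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every line that queries a known C2."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname = parts
        if matches_c2(qname):
            hits.append((ts, client, qname))
    return hits


def clients_by_hits(hits: list[tuple[str, str, str]]) -> Counter:
    """Count C2 queries per client so the noisiest hosts surface first."""
    return Counter(client for _, client, _ in hits)


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {qname}")
```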