Smell a RAT? – Android Devices Hunted Down by LodaRAT Windows Malware!

LodaRAT – known for targeting Windows devices – has been discovered also targeting Android devices in a new espionage campaign.

A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also targets Android devices and spies on victims.

In addition, an updated version of LodaRAT for Windows has been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.

Driven by Espionage

The campaign reflects an overarching shift in strategy for LodaRAT’s developers, as the attack appears to be driven by espionage rather than its previous financial goals. While previous versions of LodaRAT contained credential-stealing capabilities that researchers speculated were used for draining victims’ bank accounts, these newer versions come with a full roundup of information-gathering commands.

“The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,” researchers with Cisco Talos stated on Tuesday.

“Along with these improvements, the threat player has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.”

LodaRAT Malware?

LodaRAT, first discovered in September 2016, is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording from the microphones and webcams of victims’ devices.

The name “Loda” is derived from a directory to which the malware author chose to write keylogger logs.

Since its discovery in 2016, the RAT has proliferated, with multiple new versions being spotted in the wild as recently as September. The RAT, which is written in AutoIt, appears to be distributed by multiple cybercrime groups that have been using it to target numerous verticals.

Bangladesh Cyber-attack

Researchers observed a campaign involving LodaRAT that began in October and is still active. The attackers appear to have a specific interest in Bangladesh-based organisations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.

Vitor Ventura, Technical Lead and Senior Security Researcher at Cisco Talos, explained that the initial attack vectors for the campaign were emails sent to victims containing links to malicious applications (used for both the Windows and Android versions) or malicious documents (used only for the Windows version).

Type-Squatted Domains

“The campaign uncovered targeting Bangladesh used different levels of lures, from type-squatted domains to file names directly linked to products or services of their victims,” explained researchers.

In the Windows-targeting maldoc attack, the document the victim opened was a malicious RTF file exploiting CVE-2017-11882 (a remote code-execution vulnerability in Microsoft Office); once triggered, the exploit downloaded LodaRAT.
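The lures described above included type-squatted domains, i.e. domains that imitate the name of the victim's own products or services. The following is an added example, not code from the article or from Cisco Talos, of how a mail-gateway or SOC script can flag sender domains that look like a small set of known-good ones: it folds accents and look-alike characters, computes an edit distance, and also catches the legitimate name embedded in a longer label. The domain list, the confusable-character table and the sample sender addresses are all constructed placeholders.

```python
import re
import unicodedata
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder domains standing in for an organisation's real ones;
# the article names no domains, so these are assumptions for the example.
LEGITIMATE_DOMAINS = {"examplebank.com", "examplevoip.net"}

# Character substitutions commonly used to imitate a name (assumed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    """Fold accents and look-alike characters so imitations compare equal."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character changes that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Reduce a URL or host name to its last two labels.

    Assumption: no multi-part public suffixes such as .co.uk are involved;
    a real deployment would use a public-suffix list instead.
    """
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0].split(":")[0]
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(domain: str, legit: Iterable[str] = LEGITIMATE_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the legitimate domain this one imitates, or None if it is exact or unrelated."""
    cand = registrable(domain)
    if cand in legit:
        return None  # the genuine domain, including its subdomains
    cand_label = normalise(cand.split(".")[0])
    for good in sorted(legit):
        good_label = normalise(good.split(".")[0])
        # Near-identical spelling (after folding) or the real name wrapped in extra text.
        if levenshtein(cand_label, good_label) <= max_distance or good_label in cand_label:
            return good
    return None


# Constructed sample sender addresses, not taken from the campaign.
SAMPLE_SENDERS = [
    "alerts@examplebank.com",
    "support@examp1ebank.com",
    "billing@examplevoip-portal.net",
    "news@unrelated-site.org",
]


def flag_senders(addresses: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (address, imitated legitimate domain) for every suspicious sender."""
    hits = []
    for addr in addresses:
        match = lookalike_of(addr.rsplit("@", 1)[-1])
        if match:
            hits.append((addr, match))
    return hits


if __name__ == "__main__":
    for addr, target in flag_senders(SAMPLE_SENDERS):
        print(f"{addr} looks like {target}")
```

The containment check is deliberately generous and will over-flag if a legitimate label is very short; in practice the legitimate list should hold only distinctive brand or product names, and hits should feed a review queue rather than an automatic block.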

Android Variant

The Android version of the LodaRAT malware, which researchers call “Loda4Android,” is “relatively simple when compared to other Android malware,” explained researchers. For example, the RAT has specifically avoided techniques often used by Android banking trojans, such as using the Accessibility APIs, in order to steal data.

The underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, researchers observed, suggesting that the same C2 code can handle both versions.

Stalker Application

Loda4Android also has “all the components of a stalker application,” researchers observed. The malware collects location data, records audio, and can take photos and screenshots.

“It can record audio calls, but it will only record what the victim says, not what the counterpart says,” researchers observed. “The common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it’s not capable of intercepting the SMS or the calls, like it’s usually seen in banker trojans.”
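The capability list above (location, audio, camera, SMS, call log, contacts, and notably no Accessibility-API abuse) is a permission profile an analyst can check for statically. The following is an added example, not code from the article or from Cisco Talos, that reads a decoded AndroidManifest.xml, maps declared permissions onto those capabilities, and reports separately whether the app binds an accessibility service as banking trojans usually do. The manifest shown is constructed for the example; the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to Loda4Android, mapped to the Android
# permissions an app must declare to obtain them.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Banking trojans typically bind an accessibility service; the article says
# Loda4Android avoids that API, so its presence is reported as a separate signal.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(manifest_xml: str) -> Set[str]:
    """All android:name values of <uses-permission> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def binds_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is guarded by the accessibility-service permission."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
               for svc in root.iter("service"))


def profile(manifest_xml: str) -> dict:
    """Summarise stalker-style capabilities and the accessibility-service indicator."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    return {
        "capabilities": caps,
        "accessibility_service": binds_accessibility_service(manifest_xml),
        "score": len(caps),  # number of distinct stalker capabilities requested
    }


# Constructed sample manifest for the example; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    print(profile(SAMPLE_MANIFEST))
    print(profile(BENIGN_MANIFEST))
```

A high capability score with no accessibility service matches the profile the researchers describe for Loda4Android rather than a banking trojan; a score alone is not proof of malice, since legitimate messaging or family-safety apps request similar sets, so the result is a triage signal to pair with behavioural and network analysis.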

Fresh Windows

The new version of the LodaRAT that targets Windows systems is version 1.1.8. While it is mostly the same as previous versions, new commands have been added that extend its capabilities.

This version comes with new commands that give the threat actor remote access to the target machine via the Remote Desktop Protocol (RDP).

The new version can also use the BASS audio library to capture audio from a connected microphone. BASS is an audio library used in Win32, macOS, Linux and PocketPC software to provide streaming and recording functions.

Sound Recorder

“This new command is an improvement on the previous ‘Sound’ command, which used Windows’ built-in Sound Recorder,” stated researchers.

“The reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor.”
