Researchers have observed a new malware campaign that’s been targeting the U.S., Argentina, Brazil and Costa Rica with an updated variant of the Loda RAT remote access trojan.
In a company blog post on Wednesday, Cisco Talos said that since at least the last quarter of 2019, the campaign has been using malicious websites to host malicious documents that are used in a multi-step infection chain designed to bypass email filters and deliver Loda version 1.1.1.
This new version of Loda functions similarly to previous iterations, but with a few notable differences, states Talos. Changes include a new form of string encoding for obfuscation, multiple persistence mechanisms to help the malware survive reboots, and the use of Windows Management Instrumentation (WMI) to list the antivirus solutions running on the victim machine. Due to the campaign’s obfuscation techniques, detection rates have so far been low, the blog post adds.
The perpetrators’ choice of attack vector has been phishing emails, including one email shown in the blog post that was written in Spanish and posed as an urgent reservation request. The emails contain an attached first-stage document, which points to a secondary document saved in Rich Text Format (RTF). The secondary document includes an obfuscated OLE object which leverages the Windows Office code execution exploit CVE-2017-11882 to download and execute an MSI file containing Loda.
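As an added example (not Cisco Talos code and not part of the original article), the following Python sketch shows how a defender could flag two behaviours in the chain described above in endpoint telemetry: the exploited document host handing off to the Windows Installer to run the downloaded MSI, and the later WMI inventory of antivirus products. It assumes Sysmon Event ID 1 (process creation) field names, that the Equation Editor binary eqnedt32.exe is the process in which CVE-2017-11882 executes, and that the AV inventory is visible as a wmic.exe command line against the root\SecurityCenter2 AntiVirusProduct class (the article names only "WMI"); a sample that queries WMI through COM directly would not create a process and would have to be caught in the WMI-Activity operational log instead. The log records are constructed.

```python
from __future__ import annotations

import json
import re
from typing import Iterable

# Parent processes worth watching: the Office hosts plus eqnedt32.exe, the
# Equation Editor binary that the CVE-2017-11882 exploit executes inside.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}

# Assumption: the AV inventory goes through the root\SecurityCenter2
# namespace (AntiVirusProduct class); the article does not name the class.
AV_ENUM_RE = re.compile(r"securitycenter2|antivirusproduct", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records (JSON lines), not real telemetry.
SAMPLE_LOG = r'''
{"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec /i C:\\Users\\u\\AppData\\Local\\Temp\\inv.msi /qn","ParentImage":"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wbem\\wmic.exe","CommandLine":"wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe"}
{"EventID":1,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec /i C:\\Users\\u\\Downloads\\tool.msi","ParentImage":"C:\\Windows\\explorer.exe"}
'''


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of the rules a single process-creation event matches."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits: list[str] = []
    # Stage three of the chain: the exploited document host launches the
    # Windows Installer to run the MSI it just downloaded. A user-driven
    # install (parent explorer.exe) does not match.
    if parent in OFFICE_PARENTS and image == "msiexec.exe":
        hits.append("office_to_msiexec")
    # Post-infection reconnaissance: enumerating security products via WMI.
    if AV_ENUM_RE.search(cmdline):
        hits.append("wmi_av_enumeration")
    return hits


def scan(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Run classify() over JSON-lines events; blank or malformed lines are skipped."""
    findings: list[tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in classify(event):
            findings.append((rule, _basename(event.get("Image", ""))))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {image}")
```

Run against the constructed log, the first record (msiexec.exe under EQNEDT32.EXE) and the second (the wmic.exe query) are reported, while the two explorer.exe-parented records are not. In production the parent check is the higher-value rule: Office or Equation Editor spawning an installer is rare in normal use, whereas SecurityCenter2 queries also come from legitimate inventory scripts and need a parent-process or user context before they are actionable.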
Written in AutoIT, Loda dates back to 2017 and is typically used to spy on victims due to its ability to steal browser-based usernames, passwords and cookies; perform keylogging; and secretly record sound and take screenshots.