LodaRAT Malware Can Now Target Android Devices
Trojan's Operators Also Updated Version Used to Target Windows Devices
The developers of LodaRAT malware, which has previously only targeted Windows devices, have developed a new variant, Loda4Android, that targets Android devices, according to Cisco Talos.
LodaRAT, previously known as Gaza007, is operated by a group called Kasablanca, which uses the malware for cyberespionage and information stealing, say researchers Warren Mercer, Chris Neal and Vitor Ventura, who analyzed the malware for Cisco Talos.
"The operators of this Loda campaign appear to have a specific interest in Bangladesh-based organizations, namely banks and carrier-grade voice-over-IP software vendors, which we observed on several lures attempting to distribute the malware droppers," the researchers say. "The default victim ID on the Windows version is 'munafa,' which is the Urdu and Bengalese word for 'profit.'"
Kasablanca has used Loda4Android along with the updated version of the original Loda4Windows to wage an ongoing campaign that started in October 2020, targeting devices in Bangladesh and other nations, the researchers say.
LodaRAT has been active since 2016, previously hitting targets in the U.S., Costa Rica, Brazil and Argentina.
Loda4Android and Loda4Windows are distributed through phishing emails that contain malicious attachments, the report notes.
"Both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss. The group has decided to deploy a cross-platform malware with some additional capabilities, suggesting they have their eyes on targeting larger organizations over time," the researchers say.
Kasablanca previously revamped LodaRAT last February and September.
The first stage of an attack on either an Android or Windows device begins with a phishing campaign. An email or SMS text recipient is enticed to open a malicious attachment hiding the malware, which exploits CVE-2017-11882 in Microsoft Office. This remote code execution vulnerability, caused by Office failing to properly handle objects in memory, allows an attacker to run arbitrary code as the current user. A patch was issued in 2017, the report notes.
The researchers say the first stage infection does not use any obfuscation techniques and the code is written in plain text.
In the second stage of the attack, the malware bypasses AppLocker in Windows by abusing the regsvr32 command. This technique allows an attacker to download and execute an SCT file while simultaneously bypassing AppLocker, the researchers say.
Kasablanca's developers obtained the template used to create the SCT file from a GitHub repository. GitHub was identified as the source because the comments made by the template's creators and left in the code were not removed by Kasablanca when the template was reused in its malware, according to Cisco Talos.
Both versions of LodaRAT are infostealers that can record the user's location and environment audio, take photos and screenshots, and record what the target says on calls.
The malware can exfiltrate the SMS texts, the call log and contacts, but it cannot intercept SMS messages or phone calls - capabilities commonly seen in other banking Trojans, the researchers note.
It can also read SMS and call log information from the device's memory and send texts and calls to specific numbers, according to the report.
The stolen information is then monetized as soon as possible, the researchers say. There is also some additional evidence that Kasablanca may be looking to directly capitalize on its work.
"The lures used in the current campaign are largely posing as financial institutions which gives some insight into what targets LodaRAT is trying to compromise. The new capabilities of both the Android and Windows version point toward sensitive information gathering," Neal says.
New for Windows
The latest Loda4Windows, version 1.1.8, gives hackers remote access to the infected computer using Microsoft's Remote Desktop Protocol, which, once connected, is used to make changes to the device. This includes altering the registry key to allow RDP connections, turning off the firewall and adding a "guest" admin with the password "123."
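The three host changes described above are easy to audit for. The following PowerShell check is an added example written for this article, not code from the Cisco Talos report; it assumes the RDP toggle in question is the standard fDenyTSConnections value (the report does not name the exact key) and that the added account is literally named "guest".

```powershell
# Added audit example (not from the Cisco Talos report): looks for the three
# configuration changes the article attributes to Loda4Windows v1.1.8.
# Assumptions: RDP is enabled via the standard fDenyTSConnections value (the
# article does not name the key) and the added admin account is named "guest".
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.

function Get-LodaRdpIndicators {
    [CmdletBinding()]
    param(
        [string]$SuspectAccount = 'guest'   # assumed name of the added admin
    )
    $findings = @()

    # 1. Incoming RDP allowed? fDenyTSConnections = 0 means connections are permitted.
    $tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'RDP connections are enabled (fDenyTSConnections = 0)'
    }

    # 2. Any Windows Firewall profile switched off?
    foreach ($profile in Get-NetFirewallProfile) {
        if ($profile.Enabled -eq 'False') {
            $findings += "Firewall profile '$($profile.Name)' is disabled"
        }
    }

    # 3. Is the suspect account a member of the local Administrators group?
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($member in $admins) {
        # Member names come back as COMPUTER\account; compare only the account part.
        if (($member.Name -split '\\')[-1] -ieq $SuspectAccount) {
            $findings += "Local account '$($member.Name)' is in Administrators"
        }
    }

    # Emit one object per finding so results can be piped, filtered or exported.
    foreach ($f in $findings) {
        [pscustomobject]@{ Indicator = $f }
    }
}

Get-LodaRdpIndicators | Format-Table -AutoSize
```

Any single finding can be legitimate on its own; all three together on a workstation that should not accept RDP is the combination worth escalating.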
Another new malicious feature is the ability to capture local audio through the device's microphone using the BASS audio library. Previously, the malware used Windows' built-in Sound Recorder.
"The reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor," the report notes.