The LodaRAT malware - a known remote access trojan with extensive data collection and exfiltration capabilities - has steadily evolved over the years with new functionalities, and the malware is being increasingly deployed alongside other malware families, indicating that the RAT has garnered interest from various threat actors, according to new research.
First discovered in September 2016, the remote access trojan comes with a number of capabilities for spying on victims, such as recording the microphones and webcams of victims’ devices. The RAT, which is written in AutoIT, appears to be distributed by multiple cybercrime groups that have been using it to target numerous verticals.
The malware has continually evolved over the years, for instance by improving its espionage capabilities on Android and Windows systems. On Thursday, researchers said that new LodaRAT variants uncovered in the wild show further changes to the malware, with some functionality added and other functionality removed.
“While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware,” said researchers with Cisco Talos on Thursday. “Many of the LodaRAT samples we analyzed have removed functionality in some way, which may be the author’s attempt to reduce detection rates.”
The biggest additions to the malware include a function that automatically copies the RAT’s files onto every mounted removable storage device - a capability that required non-automated, individual commands in previous versions of the malware. A LodaRAT variant was also observed using a string encoding algorithm that aims to improve the speed of decoding strings and make execution quicker overall.
Newer variants have also cut out several “dead” - or non-functional - commands from the components of the malware’s code. For instance, these include a function that downloads an x64 SQLite3 DLL - which helps LodaRAT extract data from browser databases - from the official AutoIT website. The download URL here returns a 404 HTTP response, making it a “dead” function and stopping threat groups from successfully executing the function on x64-based targets.
“As it grows in popularity, it is reasonable to expect additional alterations in future. The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities,” said researchers.
Researchers also found that LodaRAT was increasingly being deployed alongside - or by - various other malware families, indicating interest in the RAT by various other threat groups. For instance, a Neshta binary was seen containing the payloads for both the LodaRAT and the more advanced RedLine information stealer.
Additionally, a previously undocumented variant of VenomRAT, called S500, was observed deploying the malware. S500, which was first announced in the beginning of April on a seller’s Telegram channel, is a .NET commodity malware that enables threat groups to run hidden desktop environments on infected machines. In an S500 campaign, researchers found LodaRAT being automatically decrypted and dropped on victim systems after execution.
“Although it is a stripped down version of VenomRAT, S500 can still pose a significant threat to an infected host,” said researchers. “Its ability to copy profiles from browsers can lead to serious data and financial loss. As its source code is now publicly available, various threat actors are likely to continue using this variant in the future.”
Researchers said that they expect to see more complex variants of LodaRAT in the future, especially with more threat actors looking to customize the malware.
“In conjunction with the appearance of new variants, it is expected that LodaRAT will continue to be dropped alongside other malware families,” they said. “Being readily available and easy to customize, it has become an attractive tool for some attackers.”