Cisco talos released a threat advisory of LodaRAT and its variant "LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild.
Changes in these LodaRAT variants include new functionality allowing proliferation to attached removable storage, a new string encoding algorithm and the removal of “dead” functions
A relatively unknown VenomRAT variant named S500 has been observed deploying LodaRAT.
Since our first blog post in February of 2020 on the remote access tool (RAT) known as LodaRAT (or Loda), Cisco Talos has monitored its activity and covered our findings in subsequent blog posts, listed below:
LodaRAT Update: Alive and Well
Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows
As a continuation of this series, this blog post details new variants and new behavior we have observed while monitoring LodaRAT over the course of 2022. In this post, we will take an in-depth look at some of the changes in these variants. As detailed below, some changes are rather small; however, some variants have made significant alterations, including both removal of code and implementing additional functionality.
In addition to these findings we have discovered that Loda appears to have garnered attention from various threat actors. In a handful of the instances we identified, Loda was deployed alongside–or dropped by–other malware. These include RedLine, Neshta and a previously undocumented VenomRAT variant named S500.
Changes in Loda and its variants
LodaRAT is written in AutoIt, a well known scripting language typically used to automate administrative tasks in Windows. AutoIt scripts can be compiled into standalone binaries, allowing them to be executed on a Windows machine whether or not AutoIt is installed on the host. The original source code can be easily retrieved from these compiled binaries by using an AutoIt decompiler.
As discussed in our previous blog posts, LodaRAT will typically utilize function obfuscation, as well as string encoding to impede analysis. However, there are many examples which are non-obfuscated that contain the original function names and strings. If a threat actor does not have access to its source code through other means, all that is required to create their own variant of Loda is decompile the script, make the desired changes, and then recompile it. In addition, LodaRATs C2 communications are not encrypted, making it trivial to implement a custom C2 infrastructure. This ease of source code retrieval and customization has likely contributed to the proliferation of numerous variants and customized versions of LodaRAT.
As such, due to the variations between the samples we observed, the changes discussed in this blog post are from multiple variants and altered versions of LodaRAT, therefore each change does not apply to every variant. It is quite common to find altered versions of LodaRAT, and it should be expected that most samples will likely have some sort of alteration to the source code." talos published in its advisory
No comments:
Post a Comment