LodaRAT Malware Attacking Windows Users To Steal Login Details

A new variant of the LodaRAT malware is actively targeting Windows users worldwide to harvest sensitive information, including login credentials and browser cookies. This latest iteration, uncovered by researchers at Rapid7, marks a significant evolution in the malware’s capabilities since its initial emergence in 2016.

The updated version of LodaRAT showcases enhanced functionalities, particularly in its ability to extract cookies and passwords from widely-used web browsers such as Microsoft Edge and Brave. This advancement signifies a shift from its original role focused primarily on information gathering to a more complex toolkit designed for data exfiltration, malware delivery, screen capture, and even taking control of the victim’s camera and mouse.

In contrast to earlier versions that predominantly relied on phishing emails and exploiting known vulnerabilities, the distribution methods for this new LodaRAT variant have become notably more sophisticated. Rapid7 researchers have identified that the malware is being disseminated through established malware delivery tools like DonutLoader and CobaltStrike. Furthermore, instances of LodaRAT have been detected on systems already compromised by other malware families, including AsyncRAT, Remcos, and Xworm, although the precise connections between these infections remain somewhat ambiguous.

Historically, LodaRAT campaigns targeted specific regions or organizations; however, the current wave appears to have broadened its reach significantly. Victims have been reported worldwide, with around 30% of samples uploaded to VirusTotal originating from the United States. This change in targeting strategy may reflect a shift in the threat actor’s objectives or suggest that multiple groups are now leveraging the LodaRAT codebase.

Victimology (Source – Rapid7)

Technical Analysis

Upon execution, LodaRAT employs a variety of techniques to ensure persistence on infected systems, including:

  1. Adding entries to the Windows registry run key
  2. Creating scheduled tasks to execute the malware regularly
  3. Disguising itself as legitimate software such as Discord, Skype, or Windows Update
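The three persistence techniques above leave traces a defender can audit. The following PowerShell script is an added example, not code from the Rapid7 report: it enumerates the Run keys and scheduled tasks and flags entries that borrow a Discord, Skype or Windows Update name while launching from a user-writable location. The name list and the set of suspicious roots are assumptions chosen for illustration and must be tuned per environment (legitimate Discord and Skype installs live under LocalAppData, so that root is deliberately not treated as suspicious).

```powershell
# Added example (not from the Rapid7 report). Heuristics below are assumptions:
# a lookalike name paired with an unusual launch path is worth triage, not proof.
$LookalikeNames = @('discord', 'skype', 'windows update', 'windowsupdate', 'wuauclt')
# Roots where a genuine Discord/Skype/Windows Update binary would not normally live.
# LocalAppData is intentionally excluded: real Discord/Skype install there.
$SuspiciousRoots = @($env:TEMP, $env:APPDATA, 'C:\Users\Public', $env:ProgramData)

function Test-LookalikeEntry {
    param([string]$Name, [string]$Command)
    $nameHit = $LookalikeNames | Where-Object { $Name -like "*$_*" -or $Command -like "*$_*" }
    # "*$_*" rather than "$_*" so quoted command lines ("C:\...") still match.
    $pathHit = $SuspiciousRoots | Where-Object { $_ -and $Command -like "*$_*" }
    return [bool]($nameHit -and $pathHit)
}

$findings = @()

# 1. Registry Run keys: per-user, machine-wide, and the 32-bit view on 64-bit hosts.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata such as PSPath
        if (Test-LookalikeEntry -Name $p.Name -Command ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks: inspect every action's executable plus arguments.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $raw = "$($action.Execute) $($action.Arguments)"
        $cmd = [System.Environment]::ExpandEnvironmentVariables($raw)
        if (Test-LookalikeEntry -Name $task.TaskName -Command $cmd) {
            $findings += [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and all task folders are readable; an empty table means no entry matched both heuristics, not that the host is clean.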

The malware conducts initial reconnaissance on the infected system, collecting information such as the operating system version, user privileges, antivirus status, and hardware details. This data is then relayed to the command and control (C2) server, enabling attackers to tailor their approach to each victim.

LodaRAT’s capabilities have expanded significantly since its inception, with key features of the latest version including:

  • Downloading and executing additional payloads
  • Remote command execution
  • Mouse and keyboard control
  • Screen capture and webcam access
  • Browser credential and cookie theft
  • Windows Firewall manipulation
  • File enumeration and exfiltration
  • Audio recording via microphone
  • Local user account creation

The ongoing evolution and widespread distribution of LodaRAT highlight the enduring threat posed by established malware families. Despite being in circulation for nearly eight years, LodaRAT remains a potent tool for cybercriminals, capable of inflicting substantial financial and data security damage to both organizations and individuals.

To mitigate the risk of LodaRAT infections, users and organizations are advised to:

  1. Keep all software and operating systems up-to-date
  2. Implement robust email filtering and anti-phishing measures
  3. Utilize reputable antivirus and endpoint detection solutions
  4. Educate employees about the risks of opening suspicious attachments or links
  5. Regularly back up important data and store backups offline
  6. Monitor systems for unusual activity or unauthorized access attempts

As LodaRAT continues to evolve and proliferate, maintaining vigilance and adopting strong cybersecurity practices remain essential in defending against this persistent threat.
