Android Devices Hunted by LodaRAT Windows Malware
The LodaRAT – known for targeting Windows devices – has been discovered also targeting Android devices in a new espionage campaign.
“The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,” said researchers with Cisco Talos, on Tuesday. “Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.”
What is the LodaRAT Malware?
LodaRAT, first discovered in September 2016, is a remote access trojan (RAT) with a range of spying capabilities, including recording audio from a victim's microphone and video from the webcam. The name "Loda" comes from the directory into which the malware author chose to write the keylogger's logs.
Since its discovery in 2016 the RAT has proliferated, with multiple new versions spotted in the wild as recently as September. The RAT, written in AutoIt, appears to be distributed by multiple cybercrime groups, which have used it against numerous verticals.
Recent LodaRAT Cyberattack in Bangladesh
Researchers observed a campaign involving LodaRAT that began in October and is still active. The attackers appear to have a specific interest in Bangladesh-based organizations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.
Vitor Ventura, Cisco Talos’ technical lead and senior security researcher, told Threatpost that the initial attack vectors for the campaign involved emails sent to victims with links to malicious applications (involving both the Windows and Android versions) or malicious documents (involving just the Windows version).
“The campaign uncovered targeting Bangladesh used different levels of lures, from typosquatted domains, to file names directly linked to products or services of their victims,” said researchers.
In the Windows maldoc chain, the lure was a malicious RTF document that exploits CVE-2017-11882, a memory-corruption remote code-execution flaw in Microsoft Office's legacy Equation Editor component (patched by Microsoft in November 2017), to download and run LodaRAT once the victim opened it.
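The object type such a lure embeds is something a triage script can flag before anyone opens the file. The following is an added example, not code from Threatpost or Cisco Talos and not derived from any specific Loda sample: it scans RTF text for an embedded Equation Editor 3.0 OLE object (the object class that CVE-2017-11882 lures carry, identified by its ProgID "Equation.3" or its CLSID) and for the `\objupdate` control word that makes Office load the object as soon as the document opens. The sample RTF strings are constructed for illustration; a hit means "inspect further", not confirmed exploitation.

```python
"""Static triage of an RTF lure for an embedded Equation Editor 3.0 object.

Added example, not code from Threatpost or Cisco Talos. The SAMPLE_* strings are
constructed for illustration and are not real Loda lures. A hit means the file
deserves a closer look, not that exploitation is confirmed.
"""
import re

# ProgID "Equation.3" as it appears hex-encoded in the OLE1 header of \objdata.
EQUATION_PROGID_HEX = "Equation.3".encode("ascii").hex()  # 4571756174696f6e2e33
# CLSID {0002CE02-0000-0000-C000-000000000046} as laid out inside an OLE compound
# file directory entry (first three GUID fields little-endian).
EQUATION_CLSID_HEX = "02ce02000000000000c000000000000046"

OBJCLASS_RE = re.compile(r"\\objclass\s*([A-Za-z0-9._]+)", re.IGNORECASE)
# Everything after \objdata up to the closing brace of its group.
OBJDATA_RE = re.compile(r"\\objdata\b([^}]*)", re.IGNORECASE)


def scan_rtf(rtf: str) -> dict:
    """Return indicator flags and a verdict for one RTF document (as text)."""
    lowered = rtf.lower()
    objclasses = [c.lower() for c in OBJCLASS_RE.findall(rtf)]
    # RTF readers ignore whitespace inside hex data, so lures often break the
    # hex across lines to defeat naive string matching; collapse it first.
    blobs = [re.sub(r"\s+", "", b).lower() for b in OBJDATA_RE.findall(rtf)]

    findings = {
        "has_ole_object": "\\object" in lowered,
        # \objupdate forces the object to load when the document opens,
        # so the victim does not have to double-click it.
        "objupdate": "\\objupdate" in lowered,
        "equation_objclass": any(c.startswith("equation") for c in objclasses),
        "equation_progid_in_objdata": any(EQUATION_PROGID_HEX in b for b in blobs),
        "equation_clsid_in_objdata": any(EQUATION_CLSID_HEX in b for b in blobs),
    }
    equation = (findings["equation_objclass"]
                or findings["equation_progid_in_objdata"]
                or findings["equation_clsid_in_objdata"])
    if equation:
        findings["verdict"] = "suspicious: Equation Editor object embedded"
    elif findings["has_ole_object"]:
        findings["verdict"] = "review: embedded OLE object of another class"
    else:
        findings["verdict"] = "no embedded object"
    return findings


# Constructed samples (not real malware). The lure's hex is a minimal OLE1
# header carrying the "Equation.3" ProgID, split across lines on purpose.
SAMPLE_LURE_RTF = r"""{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata
01050000020000000b000000
4571756174696f6e2e3300
000000000000000000
}}
Invoice attached.\par
}"""

SAMPLE_OTHER_OBJECT_RTF = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000}}
\par}"""

SAMPLE_PLAIN_RTF = r"""{\rtf1\ansi Quarterly statement attached.\par}"""

if __name__ == "__main__":
    for name, doc in [("lure", SAMPLE_LURE_RTF),
                      ("other-object", SAMPLE_OTHER_OBJECT_RTF),
                      ("plain", SAMPLE_PLAIN_RTF)]:
        print(name, scan_rtf(doc)["verdict"])
```

Real-world lures obfuscate far more aggressively than the constructed sample (control words split by stray braces, non-hex junk inside `\objdata`, nested groups), so a production check should sit behind a proper RTF parser or a tool such as oletools' rtfobj; the point here is which indicators to look for, and that any embedded object in an e-mailed RTF deserves review.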
LodaRAT’s New Android Variant
The Android version of the LodaRAT malware, which researchers call “Loda4Android,” is “relatively simple when compared to other Android malware,” said researchers. For instance, the RAT has specifically avoided techniques often used by Android banking trojans, such as leveraging the Accessibility APIs, in order to steal data.
The underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, said researchers – suggesting that the C2 code will be able to handle both versions.
Also, Loda4Android has “all the components of a stalker application” said researchers. The malware collects location data and records audio, and can take photos and screenshots.
“It can record audio calls, but it will only record what the victim says but not what the counterpart says,” said researchers. “The common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it’s not capable of intercepting the SMS or the calls, like it’s usually seen in banker trojans.”
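The capability profile the researchers describe (broad read and record access, but no Accessibility abuse and no SMS or call interception) can be checked statically from a sample's decoded manifest. The following is an added example, not code from Cisco Talos or Threatpost: it reads a decoded AndroidManifest.xml (as produced by apktool or a similar decoder), buckets the requested permissions into the surveillance categories named above, and separately flags the capabilities banking trojans rely on, including an Accessibility service declaration. The two manifests are constructed, with hypothetical package names, to show a stalker-style and a banker-style result.

```python
"""Permission-profile triage of a decoded AndroidManifest.xml.

Added example, not code from Cisco Talos or Threatpost. It encodes the contrast
drawn above: Loda4Android reads location, audio, camera, SMS, call log and
contacts (a stalker profile) but does not use Accessibility services or
intercept SMS/calls the way banking trojans do. The manifests below are
constructed, with hypothetical package names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Read/record permissions typical of a stalker application.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
}
# Capabilities banking trojans lean on and Loda4Android reportedly lacks:
# live SMS interception and overlay windows for credential phishing.
BANKER_PERMS = {
    "android.permission.RECEIVE_SMS": "sms_interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Classify one decoded manifest by its permission profile."""
    root = ET.fromstring(xml_text)
    requested = {p.get(A_NAME) for p in root.iter("uses-permission")}
    categories = sorted({SURVEILLANCE_PERMS[p] for p in requested if p in SURVEILLANCE_PERMS})
    banker = sorted({BANKER_PERMS[p] for p in requested if p in BANKER_PERMS})
    # Accessibility abuse is declared on a <service> guarded by the
    # BIND_ACCESSIBILITY_SERVICE permission, not as a <uses-permission>.
    if any(s.get(A_PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service")):
        banker.insert(0, "accessibility_service")
    if banker:
        profile = "banker-style: interception/overlay/accessibility present"
    elif len(categories) >= 4:
        profile = "stalker-style: broad read/record access, no interception"
    else:
        profile = "insufficient indicators"
    return {"package": root.get("package"),
            "surveillance_categories": categories,
            "banker_indicators": banker,
            "profile": profile}


# Constructed manifests with hypothetical package names.
STALKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.stalker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.banker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (STALKER_MANIFEST, BANKER_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "->", r["profile"], r["surveillance_categories"], r["banker_indicators"])
```

A manifest check is only a first filter: a sample can request permissions it never uses, or load a second stage at runtime, and nothing in the manifest shows whether call recording captures one side or both. Pair the profile with dynamic analysis before drawing conclusions.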
Fresh Windows Loda Version
The new version of the LodaRAT that targets Windows systems is version 1.1.8. While it’s mostly the same as previous versions, new commands have been added that extend its capabilities.
For one, the new version adds commands that give the threat actor remote access to the target machine over the Remote Desktop Protocol (RDP). It can also use the BASS audio library to capture audio from a connected microphone. BASS is a third-party audio library used in Win32, macOS, Linux and PocketPC software for streaming and recording audio.
“This new command is an improvement on the previous ‘Sound’ command which used Windows’ built in Sound Recorder,” said researchers. “The reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor.”
Source: https://threatpost.com