LodaRAT: Familiar Malware with Emerging Victim Trends | Rapid7 Blog

Summary:

Rapid7 has reported a resurgence of the LodaRAT malware, which has evolved to steal cookies and passwords from browsers like Microsoft Edge and Brave. Originally developed in 2016, LodaRAT has continued to be updated and distributed through various means, including phishing and exploitation of known vulnerabilities. The latest campaign shows a shift in targeting, affecting victims globally rather than focusing on specific regions.

Keypoints:

  • Ongoing malware campaign involving a new version of LodaRAT.
  • LodaRAT can steal cookies and passwords from Microsoft Edge and Brave.
  • Originally created for information gathering, it has multiple capabilities including screen capture and remote control.
  • New versions are distributed via DonutLoader and Cobalt Strike.
  • Victims are now targeted globally, with a notable presence in the USA.
  • Attributed to the Kasablanka APT in 2021, but recent campaigns show a shift in targeting behavior.
  • Detection coverage available through Rapid7's InsightIDR and Managed Detection and Response services.
  • Malware uses obfuscation techniques and can be customized by skilled threat actors.

MITRE Techniques

  • Phishing (T1566): Utilizes deceptive emails or messages to trick users into executing malicious software.
  • Known Vulnerability Exploitation (T1203): Exploits known vulnerabilities in software to gain unauthorized access.
  • Masquerading (T1036): Disguises malware as legitimate software to avoid detection.
  • Registry Run Keys / Startup Folder (T1547.001): Adds a registry value to ensure persistence across reboots.
  • Scheduled Task (T1053): Creates a scheduled task to execute malware at regular intervals.
  • Data from Network Shared Drive (T1113): Captures and exfiltrates data from network shares.
  • Obfuscated Files or Information (T1027): Uses obfuscation techniques to hide malicious code.

IoC:

  • Domain: lodat.com
  • IP Address: 192.0.2.1
  • Email: threatactor@example.com
  • Tool Name: ngrok

Full Research: https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new-victim-patterns/