Cisco Talos: Loda RAT is back with new functions. In 1.1.1 version, the malware added a Powershell keylogger and a VB script

Loda RAT is back with new versions and it’s on the wild. It has been discovered by Cisco Talos cybersecurity experts. The overall functionality of the different versions is quite similar to one another, with some key differences. Furthermore, they have been used at the same, that could indicate that there are several cybercrime actors leveraging the malware. The most readily apparent change in these new iterations of Loda is the complete removal of any obfuscation. Typically, it utilizes a combination of string obfuscation and function name randomization. These techniques may have been abandoned since they no longer provide a significant reduction in AV detection. As for new functionality, the new version (labeled as 1.1.1) has implemented a PowerShell keylogger. Also a VB script has been added. It searches for the Loda AutoIt script by process name to ensure only one instance is running.

The cybersecurity experts: The 1.1.7 update of the malicious code removed Powershell and VB, focusing on stealing passwords and cookies from browsers. There are also two dead commands in each version

According the cybersecurity experts, the Loda version 1.1.7 has removed the PowerShell script and the VB script. Furthermore, it’s focused on stealing passwords and cookies from browsers. The malware first detects the OS version by using the AutoIt macro “@OSVERSION” and copies itself to either the Temp or startup directories depending on the version of Windows. After copying itself, it then executes the copy. Moreover, there are two functions that persist through all versions of Loda that are effectively useless. The first is the “QURAN” command. This command is intended to stream audio in Windows Media Player of a reading of the Quran on the infected host using the MMS protocol. The URL for this stream is “live.mp3quran[.]net:9976” which seems to no longer exist.  The second function is “__SQLITE_DOWNLOAD_SQLITE3DLL”, which attempts to download a SQLite3 DLL from a dead URL.