In 2019 and 2020 alone, cybercriminals have exploited a locked-down society to the fullest, with attack vectors ranging from ransomware, cryptojacking and phishing to DDoS attacks and other severe breaches. Such attacks continue to affect everyone from the unsuspecting citizen to the highly secured computer systems of governments and cybersecurity companies. Yet again, cyberspace is faced with a worrying new malware ‘variant’. The latest threat is an ongoing malware campaign involving a type of RAT malware, specifically a variation called LodaRAT.
What Is a RAT?
A RAT is a type of malware known as a “remote access Trojan”; the one discussed here runs an AutoIt script and targets Windows systems. A RAT infects a system by being downloaded, unbeknownst to the user, via a file or application. It then takes full control of the victim’s computer through a ‘backdoor’. Once inside, the RAT can go on to infect other computers on the network in the same way and connect them into a ‘botnet’, essentially an army of infected computers controlled by a single operator. In this ongoing malware campaign, the RAT in question is a variant named LodaRAT. This variant can access and record the microphone and web camera of the targeted device. Furthermore, it quietly ‘unpacks’ itself into the ‘AppData’ directory, a deep system folder. LodaRAT is not new: it was discovered in September 2016 and is essentially an updated version of the older Nymeria Trojan. The malware has extensive credential-stealing capabilities.
The LodaRAT Malware Campaign
LodaRAT was previously known to infect Windows-based systems by exploiting remote access. It has now been updated to attack Android devices. According to a Twitter post from researchers at Cisco Talos on Tuesday, “There is a new version of #LodaRAT that now targets Android devices”. The Android tool, named ‘Loda4Android’, functions in much the same way as the Windows variant. The ‘threat actor’ behind the malware is known as ‘Kasablanca’. According to the latest information, both the previous generation of the malware and the updated LodaRAT were identified in a malware campaign focused on Bangladesh. The key difference is that the attacks are now tuned for espionage rather than purely for breaching accounts for financial gain. Additional information from Talos reveals that the espionage malware has targeted Bangladesh-based voice-over-IP software and banks. Further details reveal that phishing emails acting as a trap were sent to the victims; once a victim clicked the link, they were directed to either an infected application or an infected document. Once the victim’s computer is infected, researchers stated, the malware exploits calls, the call log, the contact list and SMS access. Researchers with Cisco Talos stated on Tuesday that “The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving”. They added that this is a “serious threat” that can result in “significant data breach or heavy financial loss”.
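Two behaviours described above give a defender something concrete to look for: the implant unpacking itself into the user's AppData directory, and delivery through a phishing link that opens an infected document or application. The script below is an added example, not code from this article or from Cisco Talos. It runs over constructed sample process-creation events (not real telemetry), flags executables launched from a per-user AppData tree, and escalates those whose parent process is a document viewer or browser, which is how a phishing-delivered payload typically appears in endpoint logs. The key=value event format, the allowlist and the parent-process list are assumptions made for the illustration, not indicators from the campaign.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry), in a
# simplified key=value form loosely modelled on Sysmon process-creation logs.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM
Image=C:\Users\alice\AppData\Roaming\update\svc.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE User=CORP\alice
Image=C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe ParentImage=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe User=CORP\alice
Image=C:\Program Files\Mozilla Firefox\firefox.exe ParentImage=C:\Windows\explorer.exe User=CORP\bob
Image=C:\Users\bob\AppData\Local\Temp\doc_viewer.exe ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe User=CORP\bob
Image=C:\Users\bob\AppData\Roaming\notes\notes.exe ParentImage=C:\Windows\explorer.exe User=CORP\bob
"""

# An executable image under a per-user AppData tree (Roaming or Local).
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
EXEC_EXTENSIONS = {".exe", ".scr", ".com"}

# Constructed allowlist: legitimate software that installs itself under
# AppData. A real deployment would derive this from its software inventory.
ALLOWLIST_SUBSTRINGS = ("\\appdata\\local\\microsoft\\teams\\",)

# Assumed heuristic: parents that open attachments or downloaded files. An
# AppData executable spawned by one of these matches the phishing delivery
# path (infected document or downloaded application) and is escalated.
DOC_AND_BROWSER_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}

# key=value pairs whose values may contain spaces; a value ends where the
# next "Key=" token begins or at end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    image: str
    parent: str
    user: str
    severity: str  # "HIGH" (document/browser parent) or "MEDIUM"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(line.strip())}


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event is an executable launched from AppData."""
    image = event.get("Image", "")
    if not APPDATA_RE.match(image):
        return None
    # ntpath handles Windows separators regardless of the analysis host OS.
    if ntpath.splitext(image)[1].lower() not in EXEC_EXTENSIONS:
        return None
    if any(s in image.lower() for s in ALLOWLIST_SUBSTRINGS):
        return None
    parent = event.get("ParentImage", "")
    parent_name = ntpath.basename(parent).lower()
    severity = "HIGH" if parent_name in DOC_AND_BROWSER_PARENTS else "MEDIUM"
    return Finding(image=image, parent=parent,
                   user=event.get("User", ""), severity=severity)


def scan(log_text: str) -> List[Finding]:
    """Classify every non-empty line and return the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: {f.image} (parent: {f.parent})")
```

On the sample above the Teams update is suppressed by the allowlist, the two payloads spawned by Word and Firefox are reported as HIGH, and the executable launched from Explorer is reported as MEDIUM; that split is what keeps the rule useful on real endpoints, where plenty of legitimate software also lives under AppData.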
Further Implications
Talos is currently monitoring the ongoing malware campaign, checking for any changes or modifications. They have also remarked that there have indeed been many changes and that “the authors are learning new techniques to improve the effectiveness of Loda”. They added that all of this points to the RAT becoming much more dangerous and sophisticated in the future. It is uncertain whether this campaign will spread beyond Bangladesh. What is certain is that malware is evolving: techniques and delivery methods are changing, and the severity and breadth of attacks are increasing every day.