Get a Loda This: LodaRAT meets new friends

Cisco Talos discusses new LodaRAT variants observed in 2022 (including S500, a VenomRAT-derived variant that drops LodaRAT), the changes in how they work, and how LodaRAT appears alongside RedLine and Neshta in attack chains. The post highlights C2 beacon changes, newly added propagation to removable drives, anti-malware evasion, and new string encoding techniques that enable broader proliferation. #LodaRAT #S500 #RedLine #Neshta #Kasablanka #VenomRAT

Keypoints

  • LodaRAT variants were deployed alongside RedLine and Neshta, with a newer VenomRAT variant named S500 observed dropping LodaRAT.
  • C2 beacon changes include removing embedded version numbers and using the infected host’s IP address; variants also introduce Windows 11 host detection.
  • Anti-malware detection logic was rewritten in at least one variant to search for 30 different AV process names, indicating evasion and analysis-machine targeting.
  • Code removal and dead functions (e.g., a non-functional SQLite3 DLL downloader) reduce size and potentially detection, while some variants retain non-functional elements for compatibility.
  • LodaRAT now includes a function to infect attached removable storage by automatically enumerating drives and copying itself to each one.
  • String obfuscation has evolved: a new encoding/decoding approach appeared, replacing (or supplementing) older XOR-based methods to speed decoding.
  • The S500 variant is derived from VenomRAT, which was leaked publicly; S500 heavily copies VenomRAT’s structure, with Ge’ez-script naming seen in obfuscated components. It is capable of dropping LodaRAT and is likely to be reused by adversaries.

MITRE Techniques

  • [T1071] Command and Control – C2 beacons changed from versioned beacons to IP-based beacons: “the version numbers have been removed entirely from the C2 beacons and are replaced with the IP address of the infected host.” C2 communications are likely unencrypted, which makes it easier for operators to stand up custom C2 infrastructure.
  • [T1027] Obfuscated/Compressed Files and Information – LodaRAT uses function obfuscation and string encoding, with newer variants introducing a different string encoding/decoding method to speed execution. The post notes that “LodaRAT’s C2 communications are not encrypted” and describes the “string encoding” changes.
  • [T1562.001] Impair Defenses – Anti-malware software detection rewritten to search for 30 different AV process names (and previously used WMI to enumerate AV processes), indicating evasion efforts. “the function searches for thirty different process names” and “WMI query to enumerate all AV processes.”
  • [T1091] Replication Through Removable Media – Infecting attached storage by automatically enumerating connected removable drives and copying files to each. “copies LodaRAT’s files onto every mounted removable storage device.”
  • [T1082] System Information Discovery – Windows 11 host detection capability; “Windows 11 detection function” indicating target OS discovery prior to reporting back to C2.
  • [T1555.003] Credentials from Web Browsers – Potential browser data exfiltration, since S500 can copy user profiles from the victim’s browser to attacker-controlled environments: “its ability to copy user profiles from the victim’s browser over to an attacker-controlled hidden browser.”
  • [T1059] Command and Scripting Interpreter – LodaRAT is written in AutoIt, a scripting language; “LodaRAT is written in AutoIt, a well known scripting language…”
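As an added detection example for the T1091 behaviour listed above (not code from the Talos post), the following Python flags a process that writes a copy of its own image to the root of two or more removable drives, which is how the post describes LodaRAT’s removable-media propagation. The event records, field names and the set of removable drive letters are constructed assumptions standing in for Sysmon FileCreate (Event ID 11) data.

```python
# Added example (not from the Talos post): detect a process copying its own
# image to the root of several removable drives (MITRE T1091).
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed: drive letters an inventory or Sysmon DriveType reports as removable.
REMOVABLE_DRIVES = {"E:", "F:", "G:"}

# Constructed Sysmon-style FileCreate records (field names are assumptions).
EVENTS = [
    {"pid": 4120, "image": r"C:\Users\u\AppData\Roaming\x\svc.exe", "target": r"E:\svc.exe"},
    {"pid": 4120, "image": r"C:\Users\u\AppData\Roaming\x\svc.exe", "target": r"F:\svc.exe"},
    {"pid": 4120, "image": r"C:\Users\u\AppData\Roaming\x\svc.exe", "target": r"G:\svc.exe"},
    {"pid": 880, "image": r"C:\Windows\explorer.exe", "target": r"E:\report.docx"},
    {"pid": 2311, "image": r"C:\Program Files\Tool\tool.exe", "target": r"C:\Temp\tool.exe"},
]


def self_copies_to_removable(events, removable=REMOVABLE_DRIVES, min_drives=2):
    """Return {pid: sorted drive letters} for processes that wrote a file named
    like their own image to the root of at least min_drives removable drives."""
    hits = defaultdict(set)
    for ev in events:
        target = PureWindowsPath(ev["target"])
        drive = target.drive.upper()
        # Only the root of a removable device counts: the post describes copies
        # onto every mounted removable device, not writes into subfolders or fixed disks.
        if drive not in removable or target.parent != PureWindowsPath(drive + "\\"):
            continue
        # "Copies itself": the written file name equals the writing process's image name.
        if target.name.lower() == PureWindowsPath(ev["image"]).name.lower():
            hits[ev["pid"]].add(drive)
    return {pid: sorted(d) for pid, d in hits.items() if len(d) >= min_drives}


if __name__ == "__main__":
    for pid, drives in self_copies_to_removable(EVENTS).items():
        print(f"pid {pid} copied its own image to removable drives {drives}")
```

Raising min_drives or restricting the drive set tunes the rule against legitimate tools that write a single copy of themselves to one USB stick.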

Indicators of Compromise

  • [SHA256] File Hashes – ac3c94d88bcd4833d6fc5ffde7379f90a8915863567990572f2fa0d7fe83d0da, e6bf1b38f9d4b2a2aeb00dc4c12dd22eff26c318665687b4653fe8269d39d878 and 3 more hashes
  • [Domains] – catkiller7767-64721.portmap.io, judithabusufaitdyg.duckdns.org
  • [IPs] – 193.161.193.99, 34.174.95.150:54865

Read more: https://blog.talosintelligence.com/get-a-loda-this/