LodaRAT: Emerging Victim Patterns in Established Malware

Rapid7 reports a renewed LodaRAT campaign that harvests cookies and passwords from browsers including Microsoft Edge and Brave, distributed via loaders like DonutLoader and Cobalt Strike. The Windows-focused analysis highlights persistence, screen capture, credential theft, and a shift from region-specific targeting to global infections. #LodaRAT #DonutLoader

Keypoints

  • New LodaRAT campaign observed, focusing on a refreshed Windows variant.
  • Malware steals browser cookies and credentials from Microsoft Edge and Brave.
  • Distribution now includes DonutLoader and Cobalt Strike loaders/beacons.
  • Persistence methods include registry run keys and scheduled tasks.
  • Capabilities include screen capture, webcam/microphone abuse, file exfiltration, and creating new local users.
  • Victimology has shifted from targeted regional espionage to a global spread.
  • Detections available via Rapid7 InsightIDR and Managed Detection and Response.

MITRE Techniques

  • [T1566] Phishing – Used historically in delivery. Quote: (‘Old versions of LodaRAT were using Phishing (T1566) and Known Vulnerability Exploitation (T1203) techniques in their delivery process.’)
  • [T1203] Exploitation of Known Vulnerability – Used historically to gain access. Quote: (‘Old versions of LodaRAT were using Phishing (T1566) and Known Vulnerability Exploitation (T1203) techniques in their delivery process.’)
  • [T1036] Masquerading – Samples impersonate legitimate apps to evade detection. Quote: (‘New LodaRAT samples masquerade (T1036) as well-known Windows software such as Discord, Skype, and Windows Update, amongst others.’)
  • [T1547.001] Registry Run Keys / Startup Folder – Adds registry values for persistence. Quote: (‘registry persistence by adding a new value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key (T1547.001).’)
  • [T1053] Scheduled Task – Creates scheduled tasks to run malware periodically. Quote: (‘some LodaRAT samples instead created a new scheduled task that will execute a compiled AutoIt every minute (T1053)’)
  • [T1041] Exfiltration Over C2 Channel – Sends data via network connections to C2. Quote: (‘The malware will then start a TCP connection to the C2 server’)
  • [T1113] Screen Capture – Captures screenshots and saves them to disk. Quote: (‘…capture the victim’s screen, and save the capture in the mon folder (T1113).’)
  • [T1071] Command and Control – Maintains C2 communications over TCP. Quote: (‘The malware will then start a TCP connection to the C2 server’)
  • [T1210] Exploitation of Remote Services – Uses SMB-based lateral movement tools. Quote: (‘attempt to connect to an internal IP on port 445, after which it receives a tool from the C2 server’)
  • [T1098] Account Manipulation – Creates new local user accounts for persistence or access. Quote: (‘New local user creation’)
  • [T1564.001] Hide Artifacts – Sets folder attributes to System and Hidden to evade detection. Quote: (‘sets the mon directory attributes to System and Hidden to evade detection (T1564.001).’)

Indicators of Compromise

  • [Registry Keys] persistence and control – HKCU\Software\Microsoft\Windows\CurrentVersion\Run; HKCU\Software\Win32data (and related Win32* keys used by the RAT)
  • [Folders] created or used under %AppData% – %AppData%\Windata, %AppData%\Windata\mon, and the mon folder where screen captures are stored
  • [Filenames / Scripts] tooling and source – AutoIt_RAT.au3 (leaked GitHub source), lodarat_string_decryptor.py (Rapid7 deobfuscator)
  • [URLs] reference and IOC lists – https://github.com/rapid7/Rapid7-Labs/…/IOC’s.txt, https://blog.rapid7.com/2024/11/12/lodarat-established-malware-new-victim-patterns/

LodaRAT has resurfaced in a new Windows-focused campaign that specifically targets browser-stored cookies and credentials from browsers such as Microsoft Edge and Brave. Rapid7’s analysis shows the RAT still uses AutoIt-based samples, some string obfuscation, and occasional UPX packing, with updated distribution via DonutLoader and Cobalt Strike and evidence it’s co-located with other RATs like AsyncRAT and Remcos.

The malware supports multiple persistence methods (registry Run keys and scheduled tasks), establishes TCP-based C2 beacons that report system and AV status, and provides broad capabilities including screen capture, webcam/microphone use, remote command execution, file enumeration/exfiltration, credential theft, and local user creation. Rapid7 also published tools and IOCs—such as a string deobfuscator and a GitHub IOC repository—to assist defenders in identifying and mitigating infections.
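The three persistence and hiding behaviours summarised above (Run key value, minute-interval scheduled task, System+Hidden folder under %AppData%) can be turned into a simple hunt over endpoint telemetry. The script below is an added illustration, not Rapid7's tooling: the record shapes and every path in SAMPLE_EVENTS are constructed assumptions standing in for whatever your Sysmon/EDR pipeline emits.

```python
import re

# Constructed telemetry records (not taken from the Rapid7 report). Each record is
# (event_type, fields); the field names are an assumption, and the paths are
# placeholders shaped like the IOCs listed in this summary.
SAMPLE_EVENTS = [
    ("registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                      "name": "Discord",
                      "data": r"C:\Users\alice\AppData\Roaming\Windata\Discord.exe"}),
    ("registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                      "name": "OneDrive",
                      "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"}),
    ("task_create", {"name": "WindowsUpdate", "interval_minutes": 1,
                     "action": r"C:\Users\alice\AppData\Roaming\Windata\svc.exe"}),
    ("task_create", {"name": "Backup", "interval_minutes": 1440,
                     "action": r"C:\Program Files\Backup\backup.exe"}),
    ("dir_attrib", {"path": r"C:\Users\alice\AppData\Roaming\Windata\mon",
                    "attributes": {"SYSTEM", "HIDDEN"}}),
]

APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)


def in_appdata(path: str) -> bool:
    """True when the path sits under a user AppData tree (the RAT's drop location)."""
    return bool(APPDATA_RE.search(path))


def hunt(events):
    """Return (rule, evidence) pairs for records matching LodaRAT-style persistence."""
    hits = []
    for kind, f in events:
        # T1547.001: Run key value whose target executable lives under %AppData%
        if kind == "registry_set" and RUN_KEY_RE.search(f["key"]) and in_appdata(f["data"]):
            hits.append(("run_key_appdata", f"{f['name']} -> {f['data']}"))
        # T1053: high-frequency task (5 min threshold is a tuning assumption) run from %AppData%
        elif kind == "task_create" and f["interval_minutes"] <= 5 and in_appdata(f["action"]):
            hits.append(("minute_task_appdata", f"{f['name']} every {f['interval_minutes']}m -> {f['action']}"))
        # T1564.001: directory under %AppData% carrying both System and Hidden attributes
        elif kind == "dir_attrib" and {"SYSTEM", "HIDDEN"} <= set(f["attributes"]) and in_appdata(f["path"]):
            hits.append(("hidden_system_dir", f["path"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The benign OneDrive Run value and the daily backup task fall through, so the rules key on the combination of location and behaviour rather than on any one artefact.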

Although LodaRAT’s core code appears largely unchanged since earlier versions, small functional tweaks (like browser cookie theft) and the use of modern loaders have allowed it to spread globally rather than focusing on specific countries, demonstrating that older toolsets can remain a significant threat when maintained and repackaged.

Read more: https://blog.rapid7.com/2024/11/12/lodarat-established-malware-new-victim-patterns/