LodaRAT: Familiar Malware with Emerging Victim Trends | Rapid7 Blog

Rapid7 reports a renewed LodaRAT campaign that has been updated to harvest browser cookies and saved passwords from Microsoft Edge and Brave browsers. The campaign leverages loaders like DonutLoader and Cobalt Strike, uses obfuscation and persistence techniques, and now targets victims worldwide. #LodaRAT #CobaltStrike

Keypoints

  • Rapid7 observed a resurgence of LodaRAT with new capabilities focused on credential and cookie theft.
  • The latest LodaRAT variants specifically target Microsoft Edge and Brave to extract saved passwords and session cookies.
  • The malware retains broad information-stealing functions (screen capture, remote control) and is highly customizable.
  • Distribution methods include DonutLoader and Cobalt Strike, along with phishing and exploitation of known vulnerabilities.
  • Targeting has shifted from regional focus to a global victim set, with notable activity in the United States.
  • Earlier reporting linked LodaRAT to the Kasablanka APT in 2021, but recent campaigns show different targeting behavior.
  • Detection and response coverage is available through Rapid7 InsightIDR and Managed Detection and Response services.

MITRE Techniques

  • [T1566] Phishing – Used to trick recipients into executing malicious software. Quote: ‘Utilizes deceptive emails or messages to trick users into executing malicious software.’
  • [T1203] Exploitation for Client Execution (Known Vulnerability Exploitation) – Exploits known software flaws to gain access. Quote: ‘Exploits known vulnerabilities in software to gain unauthorized access.’
  • [T1036] Masquerading – Disguises malicious files or processes as legitimate to evade detection. Quote: ‘Disguises malware as legitimate software to avoid detection.’
  • [T1547.001] Registry Run Keys / Startup Folder – Persists by adding registry values to run at startup. Quote: ‘Adds a registry value to ensure persistence across reboots.’
  • [T1053] Scheduled Task – Creates scheduled tasks to execute malware at regular intervals. Quote: ‘Creates a scheduled task to execute malware at regular intervals.’
  • [T1039] Data from Network Shared Drive – Collects and exfiltrates data from network shares. Quote: ‘Captures and exfiltrates data from network shares.’
  • [T1027] Obfuscated Files or Information – Uses obfuscation to hide malicious code and hinder analysis. Quote: ‘Uses obfuscation techniques to hide malicious code.’

Indicators of Compromise

  • [Domain] Campaign infrastructure – lodat.com

Rapid7 has documented a renewed LodaRAT campaign in which the long-running information-stealer has evolved to target modern browsers more effectively. Researchers observed new builds that can extract cookies and stored passwords from Microsoft Edge and Brave, expanding beyond older theft methods to harvest session data that can enable account hijacking. The malware, which first appeared in 2016 as an info-stealer, still retains a wide set of capabilities such as screen capture, remote control, and general data exfiltration, and it can be adapted or extended by skilled operators.

Distribution in the current wave commonly involves intermediary loaders and post-exploitation tooling. Rapid7 noted usage of DonutLoader and Cobalt Strike to deploy LodaRAT binaries, while initial access vectors include phishing messages and exploitation of known vulnerabilities. To maintain persistence and complicate detection, the threat employs techniques such as adding registry run keys, creating scheduled tasks, and obfuscating code. The campaign also targets data on network shares, indicating opportunistic lateral movement and broader data collection goals.

Targeting patterns have shifted: whereas past activity was linked to the Kasablanka APT in 2021, recent campaigns show a more global scope with a notable concentration of victims in the United States. Rapid7 underscores that LodaRAT remains modular and customizable, meaning its functionality and distribution methods can vary depending on who operates it. Analysts emphasize that the combination of loader frameworks, evasive packing/obfuscation, and credential theft against modern browsers makes these variants particularly concerning for organizations that rely on browser-stored authentication.

For defenders, Rapid7 provides detection coverage through InsightIDR and Managed Detection and Response offerings, and the published findings include indicators such as the domain lodat.com, the IP 192.0.2.1, an example threat actor email address, and use of ngrok as an infrastructure tool. Network defenders should watch for signs of loader activity, unusual scheduled tasks or registry run keys, and exfiltration attempts from network shares or browser profile locations.
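The persistence techniques described earlier (registry run keys, scheduled tasks) and the defender guidance above (watch for unusual run keys, scheduled tasks, and access to browser profile locations) can be turned into simple hunting logic. The following Python is an added example, not code from Rapid7 or the blog post: it assumes host telemetry has already been normalised into dictionaries with hypothetical field names (`kind`, `target`, `details`, `command`, `image`, `host`), scores each record for the behaviours the page names, and runs over a handful of constructed sample records. The event sources named in the comments (Sysmon Event ID 13 for registry value sets, Security 4698 for scheduled task creation, Security 4663 for object access with a SACL on browser profile directories) are the places such records would normally come from; the exact paths, thresholds and findings are illustrative assumptions.

```python
"""Toy detection over constructed Windows telemetry for LodaRAT-style persistence.

Two behaviours described on this page are Run-key persistence (T1547.001) and
scheduled-task persistence (T1053); a third is theft of saved passwords and
cookies from Edge and Brave profiles. This module flags normalised event
records for those behaviours. All records below are constructed for the
example and do not come from any real host or from Rapid7's report.
"""
import re
from typing import Iterable

# Registry paths whose values are executed at logon (T1547.001).
RUN_KEY_RE = re.compile(
    r"\\(Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)|"
    r"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon)\\",
    re.IGNORECASE,
)

# User-writable directories where a dropped loader typically lives
# (assumed heuristic; legitimate software rarely autostarts from here).
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|"
    r"\\Windows\\Temp\\|\\Temp\\)",
    re.IGNORECASE,
)

# Browser profile files that hold saved credentials and session cookies.
BROWSER_STORE_RE = re.compile(
    r"\\(Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.*"
    r"\\(Login Data|Cookies|Network\\Cookies)$",
    re.IGNORECASE,
)
# Processes that are expected to open those files.
BROWSER_IMAGES = {"msedge.exe", "brave.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the findings for one normalised event (empty list if benign)."""
    findings = []
    kind = event.get("kind")
    if kind == "registry_set":  # e.g. Sysmon Event ID 13 (RegistryEvent, value set)
        if RUN_KEY_RE.search(event["target"]) and USER_WRITABLE_RE.search(event["details"]):
            findings.append("run_key_to_user_writable_path")
    elif kind == "task_created":  # e.g. Security Event ID 4698
        if USER_WRITABLE_RE.search(event["command"]):
            findings.append("scheduled_task_user_writable_path")
    elif kind == "file_access":  # e.g. Security Event ID 4663 with a SACL on profile dirs
        if BROWSER_STORE_RE.search(event["target"]) and _basename(event["image"]) not in BROWSER_IMAGES:
            findings.append("non_browser_read_of_credential_store")
    return findings


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Run classify over an event stream; returns (host, finding) pairs in order."""
    return [(e["host"], f) for e in events for f in classify(e)]


# Constructed sample records (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # Legitimate Run value pointing into Program Files -> expected benign.
    {"host": "ws01", "kind": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    # Run value whose command lives under AppData -> T1547.001 finding.
    {"host": "ws01", "kind": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    # Scheduled task whose action sits in ProgramData -> T1053 finding.
    {"host": "ws02", "kind": "task_created", "name": r"\Microsoft\Windows\Updater",
     "command": r"C:\ProgramData\Updater\update.exe"},
    # Edge opening its own Login Data file -> expected benign.
    {"host": "ws02", "kind": "file_access",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "target": r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    # Unrelated process opening Brave's cookie database -> credential-theft finding.
    {"host": "ws02", "kind": "file_access",
     "image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\bob\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The run-key and scheduled-task rules deliberately key on the executable's location rather than its name, because the page notes that LodaRAT builds masquerade as legitimate software (T1036); a copy of `svchost.exe` under a user profile is suspicious precisely because of where it is, not what it is called. The browser-store rule only works if object-access auditing is enabled on the profile directories, which is the caveat to plan for before relying on it.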

Read more: https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new-victim-patterns/