| Category | Details |
|---|---|
| Threat Actors | Unknown, potentially a wide range of actors using LodaRAT, as the source code is publicly available and customizable. |
| Campaign Overview | An ongoing malware campaign using a new version of LodaRAT, a remote access tool (RAT) that has evolved over 8 years. This version focuses on stealing cookies and passwords from Microsoft Edge and Brave. The malware is delivered through DonutLoader and Cobalt Strike. |
| Target Regions (Victims) | Victims are worldwide, with about 30% of VirusTotal samples originating from the USA. |
| Methodology | Distributed via trojanized software; earlier versions relied on phishing and exploitation of known vulnerabilities, while the current version is delivered by DonutLoader and Cobalt Strike; LodaRAT masquerades as legitimate software (Discord, Skype, Windows Update). |
| Product Targeted | Microsoft Edge, Brave browsers (for cookie and password stealing), and general Windows systems for RAT operations. |
| Malware Reference | LodaRAT |
| Tools Used | DonutLoader and Cobalt Strike (delivery); ngrok reverse proxy utility and SMB lateral movement tools (spreading to further hosts); AutoIt (the language the RAT itself is built in). |
| Vulnerabilities Exploited | No specific flaw is named in this summary; initial access relies on phishing, exploitation of known vulnerabilities (T1203) in earlier versions, and masquerading as legitimate software (T1036). |
| TTPs | Masquerading as legitimate software; persistence via Registry Run keys (T1547.001) or scheduled tasks (T1053); data exfiltration and screen capture (T1113); C2 communication for receiving commands. |
| Attribution | Originally attributed to Kasablanka APT in 2021, but the 2024 campaign shows a shift in target scope, making attribution unclear. |
| Recommendations | Use detection tooling such as Rapid7 InsightIDR for endpoint visibility; keep systems and security tools updated; treat unsolicited installers and phishing lures with caution, especially fake Discord, Skype or Windows Update packages; ensure firewalls are properly configured. |
| Source | Rapid7 |
Read full article: https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new-victim-patterns/
Disclaimer: The above summary has been generated by an AI language model.