Delaware, USA – February 14, 2020 – The Loda Remote Access Trojan was recently significantly improved by its authors and is actively used in a campaign targeting the Americas. The trojan appeared in 2016, and it is capable of keylogging, stealing system and user information, taking screenshots, starting and killing processes, and installing other malicious tools. An updated version of the Loda trojan was spotted by Cisco Talos researchers at the end of last year, and since then attackers have been using it in a campaign targeting countries in South America and Central America, as well as the U.S. The malware authors improved the trojan’s stealth capabilities and added new mechanisms to achieve persistence on infected systems. The refreshed Loda performs WMI queries to check which antimalware solutions are installed, and it steals credentials and IP addresses used by FileZilla servers.
Adversaries send phishing emails with malicious documents that contain an OOXML relationship used to download an RTF file. The downloaded document contains a payload within an obfuscated OLE object, which is then executed by exploiting the CVE-2017-11882 vulnerability. “For persistence, the new version now adds both a registry key and a scheduled task,” researchers say. “One interesting functionality that persists through the versions of Loda is the command “QURAN”. This command streams music from “live.mp3quran[.]net:9976” in Windows Media Player using the Microsoft Media Server (MMS) protocol. MMS is a deprecated Microsoft proprietary network streaming protocol used to stream media in Windows Media Player.” You can check the Scheduled Task technique in the MITRE ATT&CK section to find community and exclusive rules that can help your security solution spot this threat: https://tdm.socprime.com/att-ck/?T1053
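The persistence pairing described above (a registry key plus a scheduled task) is the part of this report a detection engineer can act on directly. The following Python script is an added example, not code from the article, from Cisco Talos, or from SOC Prime: it scans constructed Windows event records (Sysmon event 13 registry value sets, Security event 4698 task creation, and Sysmon event 1 process creation for `schtasks /create`), rates each hit by whether the launched binary lives in a user-writable directory, and then correlates hits by target executable so that a binary persisted through both mechanisms stands out. The `Key=Value|Key=Value` record layout, the file paths, the task name and every sample event are constructed for this example; the article gives no indicators, so none are reproduced here.

```python
"""Added example, not from the article or from Cisco Talos: detect the two
persistence mechanisms the article attributes to the updated Loda RAT (a Run-key
registry value and a scheduled task) in constructed Windows event records, and
correlate them by the executable they launch. Record layout, paths, task names
and all sample events are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry autostart locations under HKLM/HKU ...\CurrentVersion\Run and RunOnce
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; a persistence entry pointing here
# deserves a closer look than one pointing into Program Files or System32.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Desktop)\\", re.IGNORECASE)
TASK_CMD_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)
SCHTASKS_TR_RE = re.compile(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\b.*?\s/create\b", re.IGNORECASE)


@dataclass
class Finding:
    technique: str  # ATT&CK technique ID
    severity: str   # "high" when the launched binary lives in a user-writable path
    target: str     # normalized executable path the persistence entry launches
    reason: str


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value|Key=Value' record format into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def normalize_path(raw: str) -> str:
    return raw.strip().strip('"').lower()


def check_event(ev: dict):
    """Return a Finding for a persistence-related event, or None otherwise."""
    eid = ev.get("EventID")
    if eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        technique, reason = "T1547.001", "Run-key value set: " + ev["TargetObject"]
        target = ev.get("Details", "")
    elif eid == "4698":
        technique, reason = "T1053.005", "scheduled task created: " + ev.get("TaskName", "?")
        m = TASK_CMD_RE.search(ev.get("TaskContent", ""))
        target = m.group(1) if m else ""
    elif eid == "1" and SCHTASKS_CREATE_RE.search(ev.get("CommandLine", "")):
        technique, reason = "T1053.005", "schtasks /create run by " + ev.get("ParentImage", "?")
        m = SCHTASKS_TR_RE.search(ev["CommandLine"])
        target = (m.group(1) or m.group(2)) if m else ""
    else:
        return None
    target = normalize_path(target)
    severity = "high" if USER_WRITABLE_RE.search(target) else "info"
    return Finding(technique, severity, target, reason)


def scan(lines):
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


def correlate(findings):
    """Executables persisted by more than one technique, the pattern the article
    describes for the updated Loda (registry key plus scheduled task)."""
    by_target = defaultdict(set)
    for f in findings:
        if f.target:
            by_target[f.target].add(f.technique)
    return {t for t, techs in by_target.items() if len(techs) > 1}


# Constructed sample events (hypothetical host, user, paths and task name).
SAMPLE_EVENTS = [
    # Sysmon 13: Run-key value pointing into %APPDATA%
    r"EventID=13|Image=C:\Users\alice\AppData\Roaming\update\update.exe|TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Update|Details=C:\Users\alice\AppData\Roaming\update\update.exe",
    # Security 4698: scheduled task launching the same binary
    r"EventID=4698|TaskName=\Update|TaskContent=<Exec><Command>C:\Users\alice\AppData\Roaming\update\update.exe</Command></Exec>",
    # Sysmon 1: schtasks /create spawned by the same binary
    r'EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Users\alice\AppData\Roaming\update\update.exe|CommandLine=schtasks /create /sc minute /mo 1 /tn Update /tr "C:\Users\alice\AppData\Roaming\update\update.exe"',
    # Benign: vendor Run key under Program Files, maintenance task under System32
    r"EventID=13|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray|Details=C:\Program Files\Vendor\tray.exe",
    r"EventID=4698|TaskName=\Microsoft\Windows\Maintenance|TaskContent=<Exec><Command>C:\Windows\System32\maint.exe</Command></Exec>",
    # Unrelated process creation
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:4}] {f.technique} {f.reason} -> {f.target}")
    for path in correlate(results):
        print("persisted by registry AND scheduled task:", path)
```

Run against the constructed sample, the script reports three high-severity findings and two informational ones, and the correlation step names the single executable that appears in both a Run key and a scheduled task. In production the same logic would read from a SIEM export rather than inline strings, and the user-writable path list should be tuned to the environment's own software deployment conventions.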