A previously known Windows remote access Trojan (RAT) with credential theft capabilities has now expanded its scope to set its sights on users of Android devices to promote the attacker’s espionage incentives.
“LodaRAT developers have added Android as a targeted platform,” Cisco Talos researchers said in an analysis Tuesday. “A new iteration of LodaRAT for Windows has been identified with enhanced audio recording capabilities.”
Kasablanca, the group behind the malicious software, is said to have used the new RAT in an ongoing hybrid campaign targeting Bangladeshi consumers, the researchers noted.
The reason why organizations from Bangladesh have been praised specifically for this campaign remains unclear, as is the identity of the threat actor.
First documented in May 2017 by Proofpoint, Loda is an AutoIt malware typically delivered through phishing broadcasts equipped to run a wide range of commands designed to record audio, video, and capture other sensitive information, with recent variations aimed at stealing passwords and cookies from browsers.
The latest versions – called Loda4Android and Loda4Windows – are very similar in that they come with a full set of data collection features that are synonymous with a stalker application. However, the malicious Android software is also different, as it particularly avoids techniques commonly used by Trojans banking, such as abusing Accessibility APIs to record on-screen activities.
Apart from sharing the same command and control (C2) infrastructure for Android and Windows, the attacks, which began in October 2020, have targeted banks and vendors of carrier-grade voice-over-IP software, with clues in point to the malicious software writer. be located in Morocco.
The attackers also carried out a myriad of social engineering tricks, ranging from typo squat zones to malicious RTF documents embedded in emails, which prompted an infection chain, when opened, that triggers a memory corruption vulnerability in Microsoft Office (CVE-2017-11882) to download the final payload.
While the Android version of the malicious software can take photos and screenshots, read SMS and call logs, send SMS and perform calls to specific numbers, and intercept SMS messages or phone calls, its latest Windows counterpart comes with new commands that enable remote access to the target machine via Remote Desktop Protocol (RDP) and an “Audio” command that uses the BASS audio library to capture audio from a connected microphone.
“The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a thriving and evolving group,” said researchers with Cisco Talos.
“Alongside these improvements, the threat actor has now focused on specific targets, identifying more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration are serious threat, because they can lead to significant threat. data breach or severe financial loss. “