Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Loda

94
Global rank
60 infographic chevron month
Month rank
66 infographic chevron week
Week rank
0
IOCs

Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.

RAT
Type
Morocco
Origin
Unknown
First seen
17 January, 2025
Last seen

How to analyze Loda with ANY.RUN

RAT
Type
Morocco
Origin
Unknown
First seen
17 January, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

What is Loda RAT malware?

Loda is a remote access trojan that first appeared in 2016. It is written in AutoIT, a language designed for automating scripting on Windows systems, that is easy to learn and use. It is believed that the original creators behind Loda are the Kasablanka group, an advanced persistent threat (APT) from Morocco, which regularly published updated versions of the malware.

At the same time, the malware is also used by other threat actors, including YoroTrooper which has employed a variant of Loda malware to carry out assaults on various organizations around the world, with the most recent attacks occurring as early as 2023. TA558 is another APT that has implemented Loda in its malicious activities, primarily targeting hospitality businesses in Europe and North America.

Technical details of the Loda RAT malicious software

To make it difficult for security researchers to analyze its code, Loda RAT uses string obfuscation on most variables. At run time, Loda RAT deobfuscates the strings and initializes the variables accordingly. Another technique used by Loda RAT is function name randomization, involving randomly assigning names to functions in the code.

In order to evade detection, Loda replicates itself within the temporary files folder of the targeted computer and then executes the copy. Additionally, Loda RAT generates a scheduled task, which is configured to initiate itself automatically during system boot-up. After running, the malware reports key information about the system to its C&C server, including the IP address, OS version, and architecture.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

In terms of functionality, Loda possesses the standard set of RAT capabilities, which allow attackers to:

  • Access the infected computer via Remote Desktop Protocol (RDP).
  • Steal files and data.
  • Upload other malicious software onto the system and run it.
  • Record users’ keystrokes and mouse clicks.
  • Listen to the microphone.
  • Take webcam photos and screenshots
  • Communicate with the victim via a chat window.
  • Query WMI to obtain a list of all the antivirus solutions that are installed on the host system.

There is also an Android version of Loda RAT. It functions as a tracking application that can capture victims’ whereabouts and record any audio-based communication originating from the user. Additionally, it possesses the ability to monitor SMS messages and even make calls without users’ knowledge.

Execution process of Loda RAT

A sample of Loda RAT executed in the ANY.RUN interactive sandbox exposes the malware’s malicious activities and IOCs.

It follows a straightforward execution process. Loda first drops executables into the %appdata%, Startup, and Temp directories, then creates a service via schtasks to gain persistence, executes a Visual Basic script, and finally connects to the C&C server.

Loda RAT process tree

Loda RAT process tree

Distribution methods of the Loda RAT malware

Phishing email campaigns are the most common attack vector used by threat actors to infect victims’ systems with Loda. Typically, such emails contain attachments of different formats, including PDFs, executables, and Microsoft Office documents, embedded with malicious code. Some of the early instances of Loda RAT infections were carried out by exploiting the CVE-2017-11882 and CVE-2017-0199 vulnerabilities.

As mentioned above, Loda RAT is popular among various criminal groups. For instance, in 2019, TA558 utilized PowerPoint attachments injected with macros to distribute both Loda and Revenge RAT, while in 2022, the group switched to container formats (e.g., RAR) and expanded their payload selection to include AsyncRAT. Similarly, in 2022, the Kasablanka APT devised a multi-stage attack targeting government agencies, which employed .iso email attachments to spread Loda and WarZone RAT.

Conclusion

Loda remains a top cyber security threat, with no signs of slowing down. A large number of criminal actors take advantage of this malware’s configurable design and accessibility to conduct attacks against businesses and government organizations in different parts of the world. The best way to avoid compromising your system by accidentally downloading Loda is to steer clear of any unsolicited emails and take precautions before opening suspicious links and files. You can do it by analyzing them in an online sandbox like ANY.RUN. By uploading your sample to the platform, you quickly and safely gain the knowledge needed to prevent infection.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More