
Loda

Global rank: 72 | Month rank: 60 | Week rank: 39 | IOCs: 205

Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.

Type: Remote Access Trojan
Origin: Morocco
First seen: Unknown
Last seen: 23 April, 2024



What is Loda RAT malware?

Loda is a remote access trojan that first appeared in 2016. It is written in AutoIt, a scripting language designed for automating tasks on Windows systems that is easy to learn and use. The original creators of Loda are believed to be the Kasablanka group, an advanced persistent threat (APT) from Morocco, which has regularly published updated versions of the malware.

At the same time, the malware is also used by other threat actors, including YoroTrooper, which has employed a variant of Loda to attack organizations around the world, with the most recent attacks occurring as recently as 2023. TA558 is another APT that has used Loda in its malicious activities, primarily targeting hospitality businesses in Europe and North America.

Technical details of the Loda RAT malicious software

To make it difficult for security researchers to analyze its code, Loda RAT applies string obfuscation to most variables. At run time, Loda RAT deobfuscates the strings and initializes the variables from the decoded values, so the plaintext strings never appear in the script on disk. Another technique used by Loda RAT is function name randomization: functions in the code are given random, meaningless names so that their purpose cannot be read from the name.
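The two traits just described, run-time-decoded strings and randomized function names, are both visible in a decompiled script before any dynamic analysis. The following added example (not ANY.RUN's or Loda's own code) is a triage heuristic that flags them in an AutoIt-style source text. The sample script, the decoder name `_Decode`, the vowel-share and entropy thresholds are all constructed assumptions; the heuristics themselves work on any AutoIt-like source.

```python
"""Heuristic triage of a decompiled AutoIt script for two obfuscation traits:
string literals that are only decoded at run time, and functions with
randomized (meaningless) names.

Added example, not ANY.RUN's or Loda's own code. The sample script, the
decoder name `_Decode` and the thresholds are constructed assumptions.
"""
import math
import re

# Constructed sample in the style of a decompiled AutoIt script.
SAMPLE_SCRIPT = r'''
Global $sUrl = _Decode("4a8f3c2b9d1e7a6b5c4d3e2f1a0b9c8d7e6f")
Global $sPath = @TempDir & "\"
Func qzxvbnmkljh($a)
    Return BinaryToString($a)
EndFunc
Func wpfktrsdgh()
    RunWait(_Decode("5d4c3b2a19081726354453627180"))
EndFunc
Func WriteLog($msg)
    ConsoleWrite($msg & @CRLF)
EndFunc
'''

FUNC_DEF = re.compile(r'^\s*Func\s+([A-Za-z_][A-Za-z0-9_]*)', re.MULTILINE)
STRING_LIT = re.compile(r'"([^"]*)"')
# A variable assigned from a call that takes only a string literal is a
# candidate for a run-time-initialised (decoded) string.
DECODED_INIT = re.compile(r'\$\w+\s*=\s*\w+\(\s*"[^"]*"\s*\)')


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for the empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic (assumption): meaningful identifiers have a plausible vowel
    share and no long consonant runs; randomized names usually break one."""
    letters = re.sub(r'[^A-Za-z]', '', name).lower()
    if len(letters) < 6:
        return False
    vowels = sum(letters.count(v) for v in 'aeiou')
    vowel_share = vowels / len(letters)
    long_consonant_run = re.search(r'[^aeiou]{5,}', letters) is not None
    return vowel_share < 0.2 or long_consonant_run


def looks_encoded(literal):
    """Long, high-entropy strings drawn from a hex/base64-style alphabet are
    candidates for encoded blobs that the script decodes at run time."""
    return (len(literal) >= 16
            and re.fullmatch(r'[A-Za-z0-9+/=]+', literal) is not None
            and shannon_entropy(literal) > 3.0)


def triage(script):
    """Summarise obfuscation indicators found in one script."""
    funcs = FUNC_DEF.findall(script)
    literals = STRING_LIT.findall(script)
    return {
        "functions": len(funcs),
        "random_named_functions": [f for f in funcs if looks_random(f)],
        "encoded_literals": sum(1 for s in literals if looks_encoded(s)),
        "decoded_initialisations": len(DECODED_INIT.findall(script)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

On the constructed sample this reports three functions, two of them random-named, two encoded literals and one variable initialised from a decoder call. A high share of random-named functions together with many encoded literals is the pattern the passage describes; the thresholds are deliberately loose and should be tuned against known-clean AutoIt scripts before being used for alerting.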

In order to evade detection, Loda copies itself to the temporary files folder of the targeted computer and then executes the copy. Additionally, Loda RAT creates a scheduled task configured to launch the malware automatically at system boot. After running, the malware reports key information about the system to its C&C server, including the IP address, OS version, and architecture.


In terms of functionality, Loda possesses the standard set of RAT capabilities, which allow attackers to:

  • Access the infected computer via Remote Desktop Protocol (RDP).
  • Steal files and data.
  • Upload other malicious software onto the system and run it.
  • Record users’ keystrokes and mouse clicks.
  • Listen to the microphone.
  • Take webcam photos and screenshots.
  • Communicate with the victim via a chat window.
  • Query WMI to obtain a list of all the antivirus solutions that are installed on the host system.

There is also an Android version of Loda RAT. It functions as a tracking application that can capture the victim’s location and record audio from the device. Additionally, it can monitor SMS messages and even make calls without the user’s knowledge.

Execution process of Loda RAT

A sample of Loda RAT executed in the ANY.RUN interactive sandbox exposes the malware’s malicious activities and IOCs.

It follows a straightforward execution process. Loda first drops executables into the %appdata%, Startup, and Temp directories, then creates a scheduled task via schtasks to gain persistence, executes a Visual Basic script, and finally connects to the C&C server.
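The chain above (executables dropped into %appdata%, Startup or Temp, a schtasks persistence task pointing at one of those locations, and a VBScript launched from them) is a good candidate for a process-tree detection rule. The following added example, not ANY.RUN's or Loda's own code, runs such a rule over constructed, Sysmon-like process-creation events; the file names, paths, process ids and the "two distinct rules per tree" threshold are made-up assumptions for illustration.

```python
"""Flag the drop-to-user-dir / schtasks-at-boot / VBScript execution chain
from process-creation events by correlating rule hits per process tree.

Added example, not ANY.RUN's or Loda's own code. Events are a constructed,
Sysmon-like list of dicts; paths, names, pids and the threshold are assumed.
"""
import re

# Constructed events in the order a sandbox would record them.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Users\victim\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\victim\Downloads\invoice.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\svchost.exe"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onstart /tn "WindowsUpdate" /tr "C:\Users\victim\AppData\Roaming\update.exe" /f'},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\run.vbs"'},
    # Benign noise: a vendor updater creating a daily task from Program Files.
    {"pid": 200, "ppid": 4, "image": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": r'"C:\Program Files\Vendor\updater.exe"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe"'},
]

# User-writable locations the page names as drop directories (%appdata%, Temp,
# Startup).  The Startup folder lives under AppData\Roaming, so the first
# alternative already covers it; the second keeps the intent explicit.
USER_DROP_DIRS = re.compile(
    r"\\AppData\\(Local\\Temp|Roaming)\\|\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE)
BOOT_TASK = re.compile(r"/create\b.*/sc\s+(onstart|onlogon)\b", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\\(w|c)script\.exe$", re.IGNORECASE)


def event_rules(ev):
    """Return the names of the rules a single event satisfies."""
    hits = []
    if USER_DROP_DIRS.search(ev["image"]):
        hits.append("exec_from_drop_dir")
    if ev["image"].lower().endswith("\\schtasks.exe") and BOOT_TASK.search(ev["cmdline"]):
        target = re.search(r'/tr\s+"?([^"]+)"?', ev["cmdline"], re.IGNORECASE)
        if target and USER_DROP_DIRS.search(target.group(1)):
            hits.append("boot_task_to_drop_dir")
    if (SCRIPT_HOST.search(ev["image"])
            and re.search(r"\.vbs\b", ev["cmdline"], re.IGNORECASE)
            and USER_DROP_DIRS.search(ev["cmdline"])):
        hits.append("vbs_from_drop_dir")
    return hits


def root_of(pid, parents):
    """Walk ppid links up to the first process whose parent is not in the set."""
    while pid in parents and parents[pid] in parents:
        pid = parents[pid]
    return pid


def detect(events, min_rules=2):
    """Map root pid -> sorted rule names for every tree hitting >= min_rules
    distinct rules.  Requiring more than one rule per tree keeps a lone
    schtasks call or a lone Temp execution from alerting on its own."""
    parents = {ev["pid"]: ev["ppid"] for ev in events}
    by_root = {}
    for ev in events:
        for rule in event_rules(ev):
            by_root.setdefault(root_of(ev["pid"], parents), set()).add(rule)
    return {root: sorted(rules) for root, rules in by_root.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    print(detect(EVENTS))
```

On the constructed events the tree rooted at pid 100 (the downloaded attachment) hits all three rules, while the vendor updater's daily task from Program Files hits none. Correlating per process tree rather than per event is the point: each individual step (a Temp execution, a schtasks call, a wscript launch) is common in benign software, but the combination under one parent is the shape the sandbox process tree shows.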

Loda RAT process tree

Distribution methods of the Loda RAT malware

Phishing email campaigns are the most common attack vector used by threat actors to infect victims’ systems with Loda. Typically, such emails contain attachments of different formats, including PDFs, executables, and Microsoft Office documents, embedded with malicious code. Some of the early instances of Loda RAT infections were carried out by exploiting the CVE-2017-11882 and CVE-2017-0199 vulnerabilities.

As mentioned above, Loda RAT is popular among various criminal groups. For instance, in 2019, TA558 utilized PowerPoint attachments injected with macros to distribute both Loda and Revenge RAT, while in 2022, the group switched to container formats (e.g., RAR) and expanded their payload selection to include AsyncRAT. Similarly, in 2022, the Kasablanka APT devised a multi-stage attack targeting government agencies, which employed .iso email attachments to spread Loda and WarZone RAT.

Conclusion

Loda remains a top cyber security threat, with no signs of slowing down. A large number of criminal actors take advantage of this malware’s configurable design and accessibility to conduct attacks against businesses and government organizations in different parts of the world. The best way to avoid compromising your system by accidentally downloading Loda is to steer clear of unsolicited emails and to take precautions before opening suspicious links and files. You can do this by analyzing them in an online sandbox like ANY.RUN: by uploading your sample to the platform, you quickly and safely gain the knowledge needed to prevent infection.

