Forgotten but Not Defeated: LodaRAT Attacks Systems Around the World Again

Why does the malware remain so dangerous even 8 years after its creation?

Specialists from Rapid7 have recorded the activity of an updated version of the LodaRAT malware, which remains a threat to users even 8 years after its appearance. This malware, written in AutoIt and first spotted in 2016, is now capable of stealing cookies and passwords from the Microsoft Edge and Brave browsers.

Initially, LodaRAT was used to collect information, but over time its functionality has expanded significantly. It can now capture screen images, control the victim's camera and mouse, deliver additional malware, and even spread to other systems. After a long period without updates, the developers made only minor improvements in 2024, leaving the main modules unchanged.

Experts note that LodaRAT was previously distributed through phishing and the exploitation of vulnerabilities, but the attackers are now using new delivery methods: the DonutLoader and Cobalt Strike loaders. Notably, the new samples are disguised as legitimate programs such as Discord and Skype.

The 2024 campaign differs from the previous ones in that the attacks are not limited to individual regions: infected systems have been found all over the world. Approximately 30% of the malware samples were downloaded from the United States. Previously, LodaRAT was associated with the Kasablanka group, but the new campaign demonstrates a modified strategy on the attackers' part.

Rapid7 has discovered a leak of the LodaRAT source code on GitHub, allowing other attackers to modify it to suit their needs. The malware uses string obfuscation and the UPX packer to evade antivirus detection, and saves its data in hidden folders on victims' systems. The attackers use plain TCP connections to exfiltrate data and control infected devices.
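Because the article names UPX packing as one of the evasion techniques, a defender triaging a suspicious "Discord" or "Skype" binary can check the PE section table for UPX's characteristic section names and for high-entropy (compressed) section bodies. The script below is an added example, not Rapid7's tooling or code from the LodaRAT report; it parses the PE headers by hand (no third-party modules) and builds a constructed toy PE inline so it can run offline.

```python
"""Triage check for UPX-packed PE files (added example, not from the report)."""
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed/encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", blob, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    for i in range(nsec):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def upx_indicators(blob: bytes) -> dict:
    """Heuristic verdict: UPX-named sections, 'UPX!' magic, high-entropy bodies."""
    names, high_entropy = [], []
    for name, data in pe_sections(blob):
        names.append(name)
        if len(data) >= 64 and shannon_entropy(data) > 7.0:
            high_entropy.append(name)
    upx_named = [n for n in names if n.upper().startswith("UPX")]
    return {"sections": names, "upx_named": upx_named, "high_entropy": high_entropy,
            "likely_upx": bool(upx_named) or b"UPX!" in blob}

def build_sample_pe(sections) -> bytes:
    """Constructed toy PE (headers + section table + raw data), not runnable code."""
    pe_off, opt_size = 0x40, 0
    ptr = pe_off + 24 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    table, data = b"", b""
    for name, payload in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), ptr) + b"\0" * 16
        ptr += len(payload)
        data += payload
    return dos + coff + table + data
```

UPX is also used by legitimate software, so a hit is a triage signal for closer inspection (unpack, check the signer and version info), not a verdict on its own.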

LodaRAT is capable of executing arbitrary commands on a remote system, downloading and running additional software, accessing the microphone and camera, and controlling the Windows Firewall. The source code of the malware is easily modified, which allows attackers to quickly adapt the program to new targets.

Despite its age, LodaRAT remains a serious threat due to its adaptability and wide functionality, which proves that even old malware can remain effective if due attention is not paid to cybersecurity.
