According to researchers at Cisco Talos, a new iteration of LodaRAT with improved sound recording capabilities has been identified, deployed in an ongoing hybrid campaign that has targeted Bangladeshi users since October 2020. The malware is typically delivered via phishing lures and can record audio and video and capture other sensitive data; the new variants additionally aim to steal users' passwords via web cookies stored by browsers.
Along with the new LodaRAT for Android variant, there is an updated version of Loda for Windows identified in the same campaign.
What has changed in the New Variants of LodaRAT for both Windows and Android?
The latest variants, Loda4Android and Loda4Windows, are closely related: both come with a set of data-gathering features that together make up an espionage application.
The Android variant differs from other Android malware of this kind in that it avoids some techniques commonly employed by banking Trojans, such as abusing the Accessibility APIs to record users' on-screen activity. Still, the Android variant can take photos and screenshots, read and send SMS, initiate calls to specific numbers, and intercept phone calls.
The latest Windows counterpart, on the other hand, comes with new commands that give the operators remote access to the target machine via Remote Desktop Protocol (RDP), and commands that use the BASS audio library to capture audio from connected microphones. Several existing Loda commands have been updated and others are entirely new; the most notable of them is the one granting the threat actors RDP access to the target machine.
The malware also contains a command-and-script-running capability, which gives it the flexibility to perform a range of tasks, such as downloading any of the available Android exploits to obtain root access, or downloading a new APK and installing it.
How to Safeguard against such Android Banking Trojans
LodaRAT has been diversifying its target platforms and continuously improving its capabilities. Along these lines, the threat actor has focused on specific targets and deployed cross-platform malware with additional capabilities, which suggests they have their eyes on larger organizations.
Therefore, Windows and Android users are advised to be vigilant when clicking on or opening links received via email or SMS. Note also that the attackers made use of squatted domains to preserve some legitimacy: the domains were chosen to look familiar, resembling the real ones, so that users would be lured in without noticing.
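The squatted-domain lure above is something a mail or SMS gateway can flag mechanically. The following added example (written for this page, not code from Cisco Talos or the article) extracts link hostnames from a message and compares them against a small allowlist of legitimate domains, flagging near-miss spellings by edit distance and the "trusted name as a subdomain of an unrelated domain" pattern. The allowlist, the sample message, the two-label approximation of the registrable domain and the distance threshold are all constructed assumptions for illustration.

```python
# Added example (not from the article): flag link domains that closely resemble
# a list of legitimate domains, as a cheap typosquat check for mail/SMS gateways.
# The allowlist, threshold and sample message below are constructed.
import re
from urllib.parse import urlparse

LEGITIMATE_DOMAINS = {"example-bank.com", "example.org"}  # constructed allowlist
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_part(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.
    A real deployment would use the Public Suffix List instead (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str, threshold: int = 2) -> str:
    """Return one of: legitimate, subdomain-impersonation, lookalike, unknown."""
    host = host.lower().rstrip(".")
    reg = registrable_part(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    # A trusted name used as a leading label of some other registrable domain,
    # e.g. example-bank.com.verify-now.net
    for legit in LEGITIMATE_DOMAINS:
        if host.startswith(legit + "."):
            return "subdomain-impersonation"
    # Small spelling differences against the allowlist, e.g. examp1e-bank.com
    for legit in LEGITIMATE_DOMAINS:
        if 0 < levenshtein(reg, legit) <= threshold:
            return "lookalike"
    return "unknown"


def hosts_in_text(text: str) -> list:
    """Extract hostnames from http(s) URLs in a message body."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname
        if host:
            hosts.append(host)
    return hosts


def scan_message(text: str) -> dict:
    """Map every linked hostname in the message to its classification."""
    return {h: classify_domain(h) for h in hosts_in_text(text)}


# Constructed sample lure, not a real message from the campaign.
SAMPLE_MESSAGE = (
    "Your account is locked. Verify at https://examp1e-bank.com/login now, "
    "or use https://example-bank.com.verify-now.net/ if the first link fails. "
    "Official help: https://help.example-bank.com/."
)

if __name__ == "__main__":
    for host, verdict in scan_message(SAMPLE_MESSAGE).items():
        print(f"{host:40s} {verdict}")
```

In practice the allowlist would hold the organization's own domains and those of its key suppliers, and anything classified as `lookalike` or `subdomain-impersonation` would be quarantined or rewritten before reaching the user.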