Lauda (Loda) RAT

Lauda RAT is a RAT (Remote Access Trojan) that has been working as malware analysts in recent years and was first spotted back in 2017. The Lauda RAT is a simple RAT, but that does not mean that it cannot work. This trojan is written in the AutoIT programming language, which is not uncommon. Once the LODA RAT compromises a system, it is able to perform a long list of tasks.

Loda RAT appears to primarily target users in the United States, Central America, and South America. The creators of Loda RAT are promoting it through fake emails that link users to a link that will launch a fake page that relates to the attackers. This page hosts various macro-laced documents that are designed to target a known vulnerability – CVE-2017-11882. Upon infecting the target computer, Loda RAT will establish a connection with its operators’ C&C (Command and Control) server.

The abilities

Once the Loda RAT is successfully connected to the C&C server, it will wait for commands from the attackers. Lauda can collect information such as RAT password and login credentials. In addition to collecting login credentials, Loda RAT can also:

  • Take screenshots of the user’s desktop and active window.
  • Launch a keylogger that will collect keystrokes.
  • Use the victim’s microphone to record audio.

Recently, the creators of Loda RAT have updated this trojan to include several self-preservation features. Loda RAT code has been circumvented to avoid detection by anti-malware tools. Code bottlenecks make it even more difficult for cyber security researchers to study threats. Lauda can also scan processes running on the RAT compromised system and detect whether an anti-virus application is running. Loda RAT persistence on compromised computers using two common tricks:

  • It uses the Windows Task Scheduler to ensure that its components will start with Windows.
  • It inserts a new Autorun Windows registry key that commands Windows to execute Loda RAT at launch.