Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Phishing remains a prevalent initial access vector and was the delivery method for the LodaRAT deployment.
- Lateral movement is achieved via Windows Management Instrumentation (WMI) and leveraging Mimikatz for credential theft.
- Maintaining persistence through registry modifications and custom services enables long-term operations within victim networks.
Executive Summary
In the course of our investigation, we analyzed a sample associated with the recent LodaRAT campaign. This malware is delivered via phishing emails that contain malicious attachments or links leading to a payload download. Our analysis revealed a sophisticated, multi-stage infection process that leverages various tactics to maintain a foothold and persist within compromised environments. The actor behind this campaign demonstrated extensive knowledge of evasion techniques and network operations typically associated with cybercriminal organizations.
Initial Access
Initial access was observed following the distribution of phishing emails targeting various organizations. The email contained a .zip attachment that, when extracted, revealed a .vbs script. This script was designed to download the LodaRAT payload from a remote server. The downloaded executable, once executed on the victim’s machine, established a connection back to its command and control (C2) server. During our review of the email headers, we detected various indicators of compromise (IOCs) that aligned with previously reported phishing campaigns.
Execution & Persistence
Upon executing the LodaRAT payload, we observed it performed initial checks for system environment details to evade detection. The sample implemented a variety of anti-analysis techniques, such as detecting virtual machines and sandbox environments. For persistence, it modified the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LodaRAT to ensure that it launched on system startup. Additionally, the malware created a service named LodaService to safeguard its continuity and disguise its footprint within the system.
Command and Control
Our analysis identified the C2 infrastructure associated with the LodaRAT. The payload communicated over HTTP with randomized domain generation to obfuscate its real command and control server addresses. The actor utilized a dynamic DNS service, allowing rapid changes to the destination through DNS updates. The C2 traffic typically included encrypted communications, which served to obscure the commands received from the C2 server. Regular beaconing was noted, facilitating command retrieval every few minutes, which underscores the implant’s focus on stealth and long-term access.
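The "regular beaconing every few minutes" pattern described above is something a defender can score directly from proxy or firewall logs. The following Python sketch is an added example, not part of the original report: it groups connections by source/destination pair over constructed log lines, computes the inter-arrival intervals, and flags pairs whose intervals are nearly constant. The hostnames, timestamps and the thresholds (`min_events`, `max_cv`) are assumptions for the illustration.

```python
"""Beacon-periodicity check over constructed proxy log lines (added example).

Each line: ISO timestamp, source host, destination host. The sample below is
constructed for this illustration and is not taken from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 update.contoso-example.com
2024-05-01T10:00:31 ws-17 cdn.example.net
2024-05-01T10:03:00 ws-17 update.contoso-example.com
2024-05-01T10:01:10 ws-17 cdn.example.net
2024-05-01T10:06:02 ws-17 update.contoso-example.com
2024-05-01T10:08:59 ws-17 update.contoso-example.com
2024-05-01T10:45:12 ws-17 cdn.example.net
2024-05-01T10:12:00 ws-17 update.contoso-example.com
2024-05-01T11:20:03 ws-17 cdn.example.net
"""


def parse_log(text):
    """Return (timestamp, src, dst) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(events, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the inter-arrival times is
    the regularity score: human browsing is bursty and scores high, while a
    timer-driven implant scores close to zero. Both thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"mean_interval": avg, "cv": cv, "count": len(stamps)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every {info['mean_interval']:.0f}s "
              f"(cv={info['cv']:.3f}, n={info['count']})")
```

In the constructed data the `update.contoso-example.com` pair connects every three minutes with a few seconds of jitter and is flagged, while the `cdn.example.net` traffic is irregular and is not. Real implants often add deliberate jitter, so the `max_cv` threshold is a tuning knob rather than a fixed rule; pairing this score with the dynamic DNS check from the detection section narrows the results further.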
Lateral Movement & Discovery
During the analysis of the infected environment, we detected attempts by LodaRAT to perform lateral movement across the network utilizing WMI. This technique allowed the actor to query remote systems and trigger payload execution without the necessity for direct access. We also found clear indications of Mimikatz being executed shortly after initial access was achieved, indicating a focus on credential harvesting. Credential dumping facilitated unauthorized access to additional machines, which revealed a broader scope of lateral movement across the environment.
Impact & Objectives
The primary objectives of the LodaRAT campaign appeared to be data exfiltration and network reconnaissance. Various tools embedded within the implant enabled the actor to gather sensitive information from local systems, including files, credentials, and configuration data of other applications. The impact on the victim organization is likely to be severe, involving not just data loss but also potential repercussions concerning compliance and reputational damage.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Usage of HTTP for command and control communication.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Utilization of VBS script for initial exploitation.
- T1086 – PowerShell: Use of PowerShell for executing commands on target systems.
- T1003.001 – Credential Dumping: LSASS Memory: Use of Mimikatz for credential extraction.
Detection Opportunities
- Monitor for suspicious email attachments that contain .vbs or .scr file types.
- Deploy endpoint detection and response (EDR) solutions capable of flagging registry changes under the Run key pertaining to established persistence methods.
- Analyze outbound HTTP traffic patterns for anomalies associated with known malicious domains or dynamic DNS services.
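The three opportunities above, as an added example that is not part of the original report: a small Python rule set run over constructed JSON-lines telemetry in a Sysmon-like shape. The event fields, sender addresses, hostnames, the convention that the mail gateway lists archive contents as `archive.zip/member`, and the dynamic DNS suffix list are all assumptions for the illustration. It flags script attachments (including those nested inside a .zip), writes under a Run key, and plaintext HTTP to dynamic DNS hosts.

```python
"""Rule checks for the detection opportunities above (added example).

Input is constructed JSON-lines telemetry; nothing here is taken from the
report's data. Each event carries a "type" that selects the rule applied.
"""
import json

# Illustrative dynamic DNS suffixes; a starting list, not a complete one.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org", "hopto.org")
RISKY_ATTACHMENT_EXTENSIONS = (".vbs", ".scr")
# Matches HKCU and HKLM Run keys regardless of case.
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"

# Constructed sample events. The gateway is assumed to expand archive
# contents as "archive.zip/member" so nested scripts are visible.
SAMPLE_EVENTS = r"""
{"type": "mail_attachment", "sender": "invoice@sender.example", "attachments": ["invoice_2024.zip", "invoice_2024.zip/Invoice.vbs"]}
{"type": "mail_attachment", "sender": "hr@sender.example", "attachments": ["policy.pdf"]}
{"type": "registry_set", "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LodaRAT"}
{"type": "registry_set", "image": "C:\\Windows\\explorer.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"}
{"type": "net_connect", "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "dest_host": "update-check.ddns.net", "dest_port": 80}
{"type": "net_connect", "image": "C:\\Program Files\\Browser\\browser.exe", "dest_host": "www.example.com", "dest_port": 443}
"""


def check_attachment(event):
    """Script attachments, directly attached or listed inside an archive."""
    for name in event.get("attachments", []):
        if name.lower().endswith(RISKY_ATTACHMENT_EXTENSIONS):
            return f"script attachment {name} from {event.get('sender')}"
    return None


def check_registry(event):
    """Any value written under a Run key; the writing image is kept for triage."""
    target = event.get("target", "")
    if RUN_KEY_FRAGMENT in target.lower():
        return f"Run-key write by {event.get('image')}: {target}"
    return None


def check_network(event):
    """Plaintext HTTP (port 80) to a host under a dynamic DNS suffix."""
    host = event.get("dest_host", "").lower()
    on_ddns = any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)
    if event.get("dest_port") == 80 and on_ddns:
        return f"HTTP to dynamic DNS host {host} by {event.get('image')}"
    return None


RULES = {
    "mail_attachment": check_attachment,
    "registry_set": check_registry,
    "net_connect": check_network,
}


def parse_events(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_detections(events):
    """Apply the rule matching each event's type; return (type, finding) pairs."""
    alerts = []
    for event in events:
        rule = RULES.get(event.get("type"))
        if rule is None:
            continue
        finding = rule(event)
        if finding:
            alerts.append((event["type"], finding))
    return alerts


if __name__ == "__main__":
    for event_type, finding in run_detections(parse_events(SAMPLE_EVENTS)):
        print(f"[{event_type}] {finding}")
```

The Run-key rule is deliberately broad: installers and shell components write there legitimately, so in production the writing image (carried in the alert) is the field to allowlist on, with writes from user-writable paths such as AppData kept at a higher severity. The attachment rule depends on the gateway exposing archive members; if it does not, the .zip itself has to be inspected before the rule can see the .vbs inside.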
Analyst Notes
Throughout this investigation, the LodaRAT campaign highlighted the persistent nature of phishing as an initial attack vector. Cyber hygiene practices such as user training on email phishing tactics, combined with robust email filtering and threat detection solutions, are critical in strengthening defenses against such malware. Continuous monitoring for registry changes and unusual authentication attempts is essential to identifying and mitigating the impact of similar campaigns in the future.
Source: Original Report