Security experts have spotted a new malware campaign that uses a new version of the Loda remote access trojan (RAT).
Over the past few months, Cisco’s Talos security group has observed websites hosting a new version of Loda written in AutoIT. Loda was first discovered in 2017 and has been used to spy on victims.
According to Talos, the websites also host malicious documents to launch a multi-stage infection chain.
In the second stage, the document exploits CVE-2017-11882 to download and run a malicious MSI file that contains Loda version 1.1.1.
In a blog post, Talos said the campaign is likely targeting the U.S. and countries in South America and Central America.
Talos added that there are multiple changes in the latest version of Loda RAT.
“The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host,” Talos stated.
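The infection chain and the WMI antivirus enumeration described above suggest two host-side detections a defender can run over process-creation telemetry. The following is an added example, not code from Talos or from the article; the Sysmon-style events, file names and paths are constructed, and the rule names are hypothetical.

```python
import re
from typing import Iterable

# Constructed sample events in a simplified Sysmon-style form (not real
# telemetry from the Talos report). Paths and file names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE invoice.docx"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\update.msi /qn"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Users\Public\updater.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
]

# EQNEDT32.EXE is the Equation Editor binary affected by CVE-2017-11882. It
# renders embedded objects and has no legitimate reason to launch child
# processes, so any child (msiexec.exe here) is a strong signal.
EQUATION_EDITOR = "eqnedt32.exe"
# WMI namespace/class Windows uses to list registered antivirus products.
AV_ENUM_PATTERN = re.compile(r"securitycenter2|antivirusproduct", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of the detection rules an event triggers."""
    hits = []
    if _basename(event.get("ParentImage", "")) == EQUATION_EDITOR:
        hits.append("equation_editor_spawned_child")
        if _basename(event.get("Image", "")) == "msiexec.exe":
            hits.append("equation_editor_spawned_msiexec")
    if AV_ENUM_PATTERN.search(event.get("CommandLine", "")):
        hits.append("wmi_antivirus_enumeration")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Scan events and return (image basename, triggered rules) for each flagged event."""
    return [(_basename(e["Image"]), hits) for e in events if (hits := classify(e))]


if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

A WMI query issued in-process by an AutoIT script (via COM) never spawns WMIC.exe, so the second rule only catches command-line use; in-process queries need WMI-Activity tracing or EDR telemetry that records the query text.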
Readers may remember that Microsoft warned about a malware spam campaign that targeted this same Office vulnerability, CVE-2017-11882 (which Microsoft patched in 2017).
Also, this vulnerability was one of the “top 20” most attacked vulnerabilities, according to a Verint report last December.