Remote Browser Isolation

Loda RAT is Back as a New Phishing Attack Type and “Better” Than Ever

A new variant of the Loda Remote Access Trojan (RAT) has been making the rounds. Loda first hit the malware scene in 2016 as a relatively simple malware threat. When it was first found, it spied on its victims via keylogging and by taking screenshots, and then exfiltrating data back to its creators. It didn’t make much of an impression, as far as emerging threats go, but it didn’t go entirely unnoticed either. It then lay low for a good few years. But, it has now resurfaced — with more sophisticated methods of obfuscation and new ways to persist by evading email filters.


Loda – New and Improved!

So, what does the new and improved Loda do and how does it work? It all starts with some very clever types of phishing. In fact, Loda is a textbook example of the new breed of different phishing attacks that are so well crafted they can easily trick spam filters and evade human notice.

Let’s take a close look at the new Loda and the sophisticated phishing campaign it leverages.

Targeting victims in the US and both South and Central America, Loda starts its nefarious chain of events by sending out phishing emails. Many of the emails pose as ads for Fidelity Insurance or a smattering of e-commerce brands. The glossy images look like they were created by a first-class design company; There’s not a spelling mistake in sight, nary a grammatical error to be found. The ads are as legit-looking as anything in your inbox right now. Other emails in the Loda campaign, which pose as e-commerce ads and Spanish travel-related documents, are just as convincing in both design and content.

In fact, there’s only one curious element about these emails. For all of the promotional content about amazing deals on insurance policies, there’s only one area of clickable text, which happens to be the Unsubscribe link. You can also click on the image itself, which will open the same URL as the Unsubscribe link.

If you do click on the unsubscribe link or the image, you will be prompted to download a file. Now this should set off warning bells—but since you (or someone not quite as savvy as you are) don’t suspect anything fishy, you might just ignore it and download the file. When that file is downloaded and opened, the file (Loda) downloads a second file that contains the CVE-2017-11882 vulnerability.

Known as a memory corruption vulnerability, this is a vulnerability “that allows an attacker to execute arbitrary code in RTF files without interaction,” according to the Rapid7 Vulnerability and Exploit Database. The code it executes, in turn, can download additional malware that enables hackers to gain full access to your computer. And with that, an attacker can easily make their way onto the corporate network and do untold damage.


Phishing Threats are Evolving

Loda is a classic example of the dangers of today’s advanced – and constantly advancing – phishing types. This souped-up variant of an old Trojan is proof that hackers are upping their game with the intention of overwhelming traditional protection methods. To illustrate, Loda can even perform WMI queries to detect when an anti-virus tool is installed on an endpoint. Moreover, hosting a malware-ridden RTF file in an unsubscribe link is a brilliant ploy, one that may fool even the most security-conscious users. What makes it even more powerful is the fact that the infected document contains an OOXML relationship that executes a second document that actually hosts the malware. These factors make it an especially stealthy threat that’s particularly difficult to detect by both the human eye and traditional security measures.

Loda is particularly troubling in that no amount of awareness training would be able to prevent users from clicking to “unsubscribe” from emails like this; it’s a perfectly logical thing to do. So, if awareness training cannot prevent phishing attack types like this, and it can easily bypass traditional malware detection tools, it’s clear that a different kind of solution is needed.


RBI Protects Users from Themselves

Ericom Shield’s Zero Trust Remote Browser Isolation (RBI) prevents all web-based threats from reaching your endpoints by rendering all web content, websites, web apps, and links in an isolated container which is disposed of at the end of the browsing session. All website content—good and bad—is isolated to ensure that nothing malicious can make its way though. Ericom Shield protects endpoints from web downloads and attachments as well. Its built-in content disarm and reconstruction (CDR) technology sanitizes downloads, disarming any malware they contain and reconstructing files as safe, fully-functional documents before delivering them to endpoints.

Remote browser isolation empowers users to interact with content in a natural way, yet remain completely protected from all malicious elements. With RBI, even if users do click on infected links in phishing emails, they cannot be harmed.


Loda is just one example of an older threat that’s adopting new and more dangerous tricks. Shield RBI is the answer to keeping your users secure in the face of these continuously advancing malware threats.


Nick Kael

Nick Kael

CTO | Ericom
A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.