The Loda Trojan is a newly discovered dangerous Trojan that infects computers and can inject itself deep into the system. It contains advanced functionality which allows hackers to easily take over control of the machines. Our removal guide features a detailed explanation of the Trojan’s mechanisms of operation, as well as instructions on restoring the infected computers from the infections.
|Type||Trojan Horse Virus|
|Short Description||Silently infects the target machines and modifies key applications and system services.|
|Symptoms||The user may not experience any signs of infiltration.|
|Distribution Method||Malicious web links, Malicious Files, Malicious E-Mails|
|Detection Tool|| See If Your System Has Been Affected by Loda Trojan
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Loda Trojan.|
Loda Trojan Overview
This is a revamped version of a previous generation malware called the Nymeria Trojan. Loda Trojan was one of the alternative names under which Nymeria was known however the recent update brings forth a lot of newer functionality and changes in the sequence. The virus has changed a lot and security researchers have observed a new attack campaign. This iteration of the Loda Trojan is written in AutoIT — a popular scripting language used for setting up scheduled tasks and running commands.
At this time the Loda Trojan is mainly distributed via infected office documents — they can be text documents, presentations, databases and spreadsheets or XML files. When opened by the victim users the built-in scripts will load another document (possibly from a remote host) which will contain an exploit. This will trigger the actual infection. In the current campaign the target countries are The United States, Argentina, Brazil and Costa Rica.
Loda Trojan Capabilities
The recent versions of this Trojan are rated as dangerous due to the low detection ratio — the malware engine uses several obfuscation techniques at one. They have been placed in order to hide the virus from any security services and user-installed applications. One of the distinct ways through which this is done is the multiple step-by-step infection sequence. The victim users need only to launch a single macro-infected document to engage the complex chain of commans that will ultimately lead to the Loda Trojan installation.
The second document which will actually deploy the virus will attempt to exploit a vulnerability tracked in the CVE-2017-11882 advisory. This is an issue that is found within most of the unpatched contemporary versions of the Microsoft Office suite. The insecure installations will allow remote attackers to execute code by taking advantage of the way the application handles memory — an issue that is also known as a Memory Corruption Vulnerability.
As soon as the Loda Trojan starts on a given host it will immediately unpack itself to the AppData directory of the local user thus making hard to detect. An unique identifier will be generated for each individual host — this will prevent discovery by ordinary black lists.
One oft the first actions which are run after the infection is started is to gather sensitive data from the contaminated machines. There are two categories of information which are hijacked:
- Personal User Information — They will gather all data that may or may not include personal information about the victim users. This is commonly used to construct a profile allowing the hackers to conduct further crimes such as identity theft and financial abuse.
- Machine Information — This includes detailed information about the installed hardware parts and the software configuration. Specific data includes operating system version information, the used architectures and the active usernames.
The Loda Trojan is also installed as a persistent infection — it will be launched every time the computer is powered on. This is done by adding in the necessary Windows Registry keys and a scheduled task as set in the operating system. The new version of the Loda Trojan now includes the ability to read thte contents of the main Filezilla FTP application if it is installed on the victim machine. This will allow the hackers to steal the credentials in the saved servers list. The security analysis also shows that it will run a command called QURAN which will stream music from a remote server. This is done via Windows Media Player using the MMS protocol which is no longer used.
We anticipate that other common functionality will also be included in the forthcoming and ongoing attacks — the ability to take over control of the contaminated hosts using a remote desktop function. This will allow the hackers to spy on the actions of the users, hijack their files and manipulate the user input.
There are several alternative signature names under which the Loda Trojan may also be detected:
Remove Loda Effectively from Windows
In order to fully get rid of this Trojan, we advise you to follow the removal instructions underneath this article. They are made so that they help you to isolate and then delete the Loda Trojan either manually or automatically. If manual removal represents difficulty for you, experts always advise to perform the removal automatically by running an anti-malware scan via specific software on your PC. Such anti-malware program aims to make sure that the Loda is fully gone and your Windows OS stays safe against any future malware infections.