In July 2024, researchers discovered a previously unknown backdoor, which they have dubbed Loki. After a thorough analysis of the Loki malware files, they determined that it was actually a private version of an agent for the open-source red teaming Mythic framework.
Loki Backdoor and Mythic Framework
The open-source Mythic framework was initially envisioned and created in 2018 by developer Cody Thomas. The framework, once known as Apfell, has since evolved into a cross-platform solution catering to the needs of threat actors seeking a more unified and modular approach to post-exploitation.
The Loki backdoor was observed in a series of targeted attacks, primarily targeting Russian companies from various industries, including engineering and healthcare. Researchers from Kaspersky suggest that Loki is distributed through email, with unsuspecting users launching the malware themselves. The attackers may target each victim using tailored approaches through the use of publicly available utilities for traffic tunneling, such as gTunnel and ngrok, and the goReflect tool for modifying them.
The Loki agent is also compatible with another malware framework referred to as the Havoc framework, inheriting various techniques from it that further complicate analysis attempts by researchers. These include encrypting its memory image, indirectly calling system API functions, and searching for API functions by hashes. Researchers noted the Loki agent uses a slightly modified version of the djb2 hashing algorithm, replacing the original magic number with a different value.
Loki Agent Loader Functions
The Loki loader generates a packet containing information about the infected system, which is then encrypted and sent to the command-and-control (C2) server. The server’s response includes a DLL that the loader places in the infected device’s memory, where further command processing and communication with the C2 server occur.
The researchers observed two versions of the loader, one from May and another from July, each exhibiting slight differences in their implementation, such as the use of the protobuf protocol for data serialization in the earlier May variant and the partial mimicry of the Ceos agent’s behavior in the newer July variant.
The Loki loader, which is responsible for downloading the main module, uses various encryption algorithms, including AES and base64, to conceal its communication with the command-and-control (C2) server.
Due to the tailored approach as well as insufficient data and lack of unique tools, the researchers state that they are unable to attribute the Loki agent to any existing group. The campaign reflects the growing popularity of open-source post-exploitation frameworks among cybercriminal groups despite their legitimate use for testing infrastructure security among red teams.
This usage also makes it difficult for security teams to attribute a particular group or detect infections as cybercriminals adapt and modify these tools for their own purposes and to maintain hold over targeted devices.
