Loki Backdoor Targets Russian Companies: Kaspersky Report

Loki Backdoor Targets Russian Enterprises

In July 2024, experts from Kaspersky Lab discovered a previously unknown backdoor called Loki, which was used in several targeted attacks. Analysis of the malicious file and open sources revealed that Loki is a private version of an agent for the open-source Mythic framework. More than ten Russian companies from various sectors—including engineering and healthcare—were affected by Loki attacks.

Background on the Mythic Framework

Back in 2018, developer Cody Thomas created his own open-source framework called Apfell for post-exploitation of compromised macOS systems. Two years later, several developers joined the project, making the framework cross-platform and renaming it to Mythic. Although Mythic was designed as a tool for remote management during cyberattack simulations and security assessments, it can also be used for malicious purposes.

Attackers’ Use of Open-Source Tools

Researchers note that cybercriminals are increasingly testing and using various frameworks for remote device management, often modifying them to suit their needs and to make detection and attribution more difficult. Since Mythic allows the creation of agents in any language for any platform with the required functionality, attackers took advantage of this flexibility to create a private agent version named Loki.

Loki is compatible with Mythic and is also based on another framework, Havoc, from which it inherited several techniques that complicate analysis (such as in-memory image encryption, indirect API calls, and API function lookup by hashes).
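The last of those techniques, resolving Windows API functions by hash instead of by name, is what analysts most often have to undo first, because it strips the readable import names from the sample. The usual analyst-side answer is a precomputed hash-to-name table swept over the dumped code. The example below is added here for illustration and is not code from Kaspersky or from the Loki sample; the report does not say which hashing routine Loki uses, so a classic 32-bit ROR13 hash over the export name is assumed as a stand-in, and the export list and the scanned byte blob are constructed.

```python
"""Rebuild API names from hash constants: analyst-side lookup table.

Illustrative example; not Kaspersky's code. The hash algorithm (ROR13 over the
ASCII export name) is an ASSUMPTION standing in for whatever routine a real
sample uses. In practice the first step is lifting the sample's own hash
function and dropping it in place of `api_hash`.
"""
import struct
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Assumed ROR13 hash of an ASCII export name (illustrative only)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


# Constructed stand-in for the export tables of commonly resolved DLLs.
KNOWN_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
]


def build_table(names: List[str]) -> Dict[int, str]:
    """Precompute hash -> name so obfuscated constants can be resolved."""
    return {api_hash(n): n for n in names}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map one 32-bit constant back to an export name, or None if unknown."""
    return table.get(h & MASK32)


def scan_for_api_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Slide a little-endian 32-bit window over a blob and report known hashes.

    Emulates sweeping a dumped code or data section for immediates that
    match the precomputed table.
    """
    hits: List[Tuple[int, str]] = []
    for off in range(0, len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        name = table.get(val)
        if name:
            hits.append((off, name))
    return hits


def demo() -> List[Tuple[int, str]]:
    """Constructed blob: two hash immediates separated by NOP padding.

    Not bytes from any real sample; shaped like a resolver stub only so the
    scanner has something realistic to walk.
    """
    table = build_table(KNOWN_EXPORTS)
    blob = (
        b"\x90" * 4
        + struct.pack("<I", api_hash("VirtualAlloc"))
        + b"\x90" * 3
        + struct.pack("<I", api_hash("CreateThread"))
        + b"\xC3"
    )
    return scan_for_api_hashes(blob, table)


if __name__ == "__main__":
    for off, name in demo():
        print(f"offset {off:#06x}: {name}")
```

The table only ever needs building once per hash algorithm; the expensive part is confirming the algorithm, which is why the routine is isolated in a single function that can be swapped for the one recovered from the sample.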

Additional Tools Used in the Attacks

Besides the open-source framework, attackers used other publicly available utilities. For example, Loki itself does not support traffic tunneling, so its operators used third-party tools to access private network segments. The ngrok utility was found in the same directory as the Loki agent loader, and in other cases, instances of the gTunnel utility were discovered running under system processes like svchost.exe and runtimebroker.exe.
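A tunneling utility running under the name of a Windows system process is detectable because the genuine svchost.exe and RuntimeBroker.exe have a fixed home directory and a fixed launcher: svchost.exe is started by services.exe and RuntimeBroker.exe by a svchost.exe instance, both from %SystemRoot%\System32. The check below is an added example, not Kaspersky's detection logic; it runs over a constructed process snapshot whose PIDs and paths are made up for the demonstration, and the expected-parent baseline is an assumption based on default Windows behaviour rather than anything stated in the report.

```python
"""Flag tunneling tools hiding behind Windows system process names.

Added example, not Kaspersky's rule set. Works over a process snapshot of the
kind an EDR export or a Win32_Process listing yields. The BASELINE parents
and directories are ASSUMED defaults for a stock Windows install; tune them
against your own fleet before relying on them.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    image_path: str


# Allowed directories (lower-case) and the expected parent for the two system
# names the article reports being impersonated.
BASELINE: Dict[str, Dict[str, object]] = {
    "svchost.exe": {
        "dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
        "parent": "services.exe",
    },
    "runtimebroker.exe": {
        "dirs": {r"c:\windows\system32"},
        "parent": "svchost.exe",
    },
}

# Publicly available tunneling utilities named in the article, by default binary name.
TUNNEL_TOOLS: Set[str] = {"ngrok.exe", "gtunnel.exe"}


def find_masquerades(snapshot: List[Proc]) -> List[str]:
    """Return one human-readable finding per violated baseline rule."""
    by_pid = {p.pid: p for p in snapshot}
    findings: List[str] = []
    for p in snapshot:
        name = p.name.lower()
        path_dir = p.image_path.lower().rsplit("\\", 1)[0]
        if name in TUNNEL_TOOLS:
            findings.append(f"pid {p.pid}: tunneling tool {p.name} at {p.image_path}")
            continue
        rule = BASELINE.get(name)
        if rule is None:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<none>"
        if path_dir not in rule["dirs"]:
            findings.append(
                f"pid {p.pid}: {p.name} running from unexpected path {p.image_path}")
        if parent_name != rule["parent"]:
            findings.append(
                f"pid {p.pid}: {p.name} parent is {parent_name}, expected {rule['parent']}")
    return findings


def demo_snapshot() -> List[Proc]:
    """Constructed snapshot: three legitimate system processes, one masquerade, one tunnel tool."""
    return [
        Proc(600, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
        Proc(700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
        Proc(900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
        Proc(1200, 900, "RuntimeBroker.exe", r"C:\Windows\System32\RuntimeBroker.exe"),
        Proc(3300, 3200, "explorer.exe", r"C:\Windows\explorer.exe"),
        # Renamed tunnel binary using a system name from a user-writable path.
        Proc(4100, 3300, "svchost.exe", r"C:\Users\user\AppData\Local\Temp\svchost.exe"),
        # Tunnel utility under its own name, dropped next to a downloaded file.
        Proc(4200, 3300, "ngrok.exe", r"C:\Users\user\Downloads\ngrok.exe"),
    ]


def demo() -> List[str]:
    return find_masquerades(demo_snapshot())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Both cues fire independently on the masquerading process (wrong directory, wrong parent), so a renamed binary copied into a system directory would still trip the parent check, and a tool injected into a real svchost.exe would need a further signal such as an unexpected outbound listener, which this snapshot does not carry.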

Infection Methods and Impact

Researchers believe that in some cases, Loki was delivered to victims’ computers via email, with unsuspecting users launching the malware themselves. This conclusion is based on telemetry data and the names of files where the malware was found, such as “smeta_27.05.2024.exe,” “Na_soglasovanie_publikatsii_<company>.rar,” and “PERECHEN_DOKUMENTOV.ISO.”
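The quoted file names share one shape: a business-document lure ("smeta" is an estimate, "soglasovanie" an approval, "perechen dokumentov" a list of documents) attached to an extension that either executes directly or hides the payload's type until opened. A mail gateway or attachment sandbox can score that shape without knowing the payload. The function below is an added example, not Kaspersky's rule; its keyword list and thresholds are assumptions, and the benign sample names are constructed, while the suspicious ones are the three quoted in the article (the `<company>` placeholder left as printed).

```python
"""Score attachment filenames for the document-lure pattern described above.

Added example, not Kaspersky's detection logic. Keyword list and verdict
thresholds are ASSUMPTIONS to tune per organisation.
"""
import re
from typing import Dict, List

# Extensions Windows will run directly on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
# Containers whose contents are opaque until mounted or unpacked.
CONTAINER_EXT = {".iso", ".img", ".vhd", ".rar", ".zip", ".7z", ".cab"}
# Transliterated Russian and English words common in finance/contract lures.
LURE_WORDS = ("smeta", "soglasovanie", "perechen", "dokument", "dogovor", "schet",
              "invoice", "contract", "estimate", "payment", "publikatsii")


def triage(filename: str) -> Dict[str, object]:
    """Return reasons and a verdict (quarantine / review / allow) for one attachment name."""
    lower = filename.lower().strip()
    stem, dot, ext = lower.rpartition(".")
    ext = "." + ext if dot else ""
    reasons: List[str] = []
    delivers_code = False
    if ext in EXECUTABLE_EXT:
        reasons.append(f"directly executable extension {ext}")
        delivers_code = True
    if ext in CONTAINER_EXT:
        reasons.append(f"container extension {ext} hides payload type")
        delivers_code = True
    lure = any(w in stem for w in LURE_WORDS)
    if lure:
        reasons.append("document-themed lure name")
    if re.search(r"\d{2}\.\d{2}\.\d{4}", stem):
        reasons.append("date in name (deadline/urgency cue)")
    if re.search(r"\.(pdf|docx?|xlsx?)$", stem):
        reasons.append("double extension")
    if delivers_code and lure:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "reasons": reasons, "verdict": verdict}


def demo() -> Dict[str, str]:
    """Names quoted in the article plus constructed benign ones -> verdict."""
    samples = [
        "smeta_27.05.2024.exe",
        "Na_soglasovanie_publikatsii_<company>.rar",
        "PERECHEN_DOKUMENTOV.ISO",
        "quarterly_report.pdf",        # constructed benign
        "Schet_123.pdf",               # constructed: lure word, harmless type
    ]
    return {s: triage(s)["verdict"] for s in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10s} {name}")
```

The container rule is the one worth keeping even if the keyword list is dropped: an .ISO or .RAR attachment from outside the organisation is rarely legitimate business mail, and it is exactly the wrapper that lets an executable reach the user's desktop past filters that only look at the outer extension.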

Like other backdoors, Loki can execute various commands on an infected device. Attackers can download any file from the victim’s machine, as well as upload and run any malicious tool. Sometimes, attacks using such backdoors result not only in the theft of confidential data but also in the complete loss of all files stored on the compromised system.

Attribution and Conclusions

Experts conclude that there is currently not enough information to link Loki to any known hacker group, but it appears that the malware operators use a tailored approach for each target.
