EXECUTIVE SUMMARY
The Loki backdoor is a newly discovered malware family used in a series of targeted attacks. It is a private modification of an agent built on the open-source Mythic framework, which lets attackers remotely control compromised systems. Analysis identifies Loki as a derivative of the Havoc framework agent, incorporating several advanced evasion techniques. The malware has targeted a number of Russian companies, primarily through malicious email attachments. Although Loki shares its name with other malware families such as Loki Bot and Loki Locker, it is an entirely different threat and is detected as Backdoor.Win64.MLoki to avoid confusion.
Loki shares similarities with agents developed for the Havoc framework, utilizing advanced techniques such as encrypted memory images and indirect API function calls. The malware operates via a loader and a DLL, with communication between the compromised system and the command-and-control (C2) server encrypted using AES and base64 encoding. The loader gathers system information and sends it to the C2 server, which responds by delivering a DLL containing the backdoor's main functionality. Loki employs the djb2 hashing algorithm to obscure API calls, though with a modified initialization value unique to this variant. The malware also borrows features from other Mythic agents and uses publicly available tools like gTunnel and ngrok for network tunneling.
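Because Loki resolves API functions by djb2 hash with a non-standard initial value, an analyst triaging a sample needs a hash table built with that seed, and, when the seed is unknown, a way to derive it. The following helper is an added example (not code from the report or from Mythic): it computes djb2 with a configurable seed, looks up observed hashes against a constructed list of API names, and recovers the seed algebraically from one known name/hash pair. CUSTOM_SEED is a placeholder, since the report does not state Loki's actual value.

```python
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF
STANDARD_SEED = 5381          # classic djb2 initial value
CUSTOM_SEED = 0x1234_5678     # placeholder; Loki's real modified init value is not given

def djb2(name: str, seed: int = STANDARD_SEED) -> int:
    """32-bit djb2: h = h*33 + c for each byte, starting from `seed`."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & MASK32
    return h

# Constructed list of API names a loader commonly resolves; a real triage run
# would feed in the full export tables of kernel32.dll and ntdll.dll instead.
CANDIDATE_APIS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
]

def build_table(seed: int, names: Iterable[str] = CANDIDATE_APIS) -> Dict[int, str]:
    """Precompute hash -> API name for one seed."""
    return {djb2(n, seed): n for n in names}

def resolve(hashes: Iterable[int], seed: int,
            names: Iterable[str] = CANDIDATE_APIS) -> Dict[int, Optional[str]]:
    """Map each hash pulled from the sample to a name, or None if unknown under this seed."""
    table = build_table(seed, names)
    return {h: table.get(h) for h in hashes}

def recover_seed(name: str, observed: int) -> int:
    """Recover the initial value from one known (API name, hash) pair.

    djb2 is affine in the seed: h = seed * 33**n + K (mod 2**32), where K is
    the hash of `name` from seed 0. 33 is odd, so 33**n is invertible mod 2**32
    and the seed follows directly without brute force.
    """
    n = len(name)
    k = djb2(name, 0)
    mult = pow(33, n, 1 << 32)
    inv = pow(mult, -1, 1 << 32)        # modular inverse (Python 3.8+)
    return ((observed - k) * inv) % (1 << 32)

if __name__ == "__main__":
    sample_hashes = [djb2(n, CUSTOM_SEED) for n in ("VirtualAlloc", "CreateThread")]
    seed = recover_seed("VirtualAlloc", sample_hashes[0])   # one pair is enough
    for h, api in resolve(sample_hashes, seed).items():
        print(f"{h:08x} -> {api}")
```

Once the seed is known, the same table lets a detection engineer pre-compute the hash constants to look for in related samples rather than relying on the standard 5381-seeded values.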
The Loki backdoor exemplifies the growing trend of threat actors adopting and modifying open-source post-exploitation frameworks like Mythic. While these frameworks are intended for legitimate security testing, they are increasingly weaponized to evade detection and complicate attribution. The use of widely available tools and custom modifications highlights the evolving tactics of attackers, making traditional defenses insufficient against such threats.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1543 | Create or Modify System Process |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1070 | Indicator Removal |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1082 | System Information Discovery |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1005 | Data from Local System |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1571 | Non-Standard Port |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following report contains further technical details:
https://securelist.com/loki-agent-for-mythic/113596/