In July 2024, a new backdoor, Loki, was identified targeting specific systems; analysis revealed it to be a customized version of the Mythic framework's agent. To distinguish it from other malware with similar names, it is categorized as Backdoor.Win64.MLoki.
Mythic is a cross-platform, open-source framework for post-exploitation that offers a unified interface for managing various agents written in different languages and for different platforms, providing modularity and flexibility for tailored post-exploitation operations.
The Loki agent, a modified version of the Havoc agent, uses various obfuscation techniques, including encryption, indirect API calls, and hash-based function search.
Unlike Havoc, Loki is split into a loader and a DLL. Both agents use the djb2 hashing algorithm with a modified magic number (2231) to obscure the names of API functions and commands.
The Loki loader sends information about the infected system to a command-and-control server, receives a DLL in response, and loads it into memory.
The loaded DLL then handles subsequent communication with the server and executes its commands. Two versions of the loader were analyzed; they differ slightly in their hashes and compilation times but share the same core functionality.
The May and July loader versions differ in their data serialization methods and UUID encoding: the earlier version uses protobuf and plaintext UUIDs, while the newer one partially emulates the behavior of the Ceos agent and encodes UUIDs with base64. Both versions employ AES encryption and base64 encoding to protect the data they exchange.
According to Securelist, each sample carries its own UUID for identification; the July version uses a different UUID than the May version.
After initial contact, the C2 server sends a payload containing a DLL with two functions: a standard entry point and a Start function for further control. The main module, stagger_1.1.dll, is a Havoc-based agent that processes commands through hashed names.
It supports various operations like changing directories, terminating processes, creating processes, launching Beacon Object Files, displaying environment variables, showing the current directory, modifying the interval between C2 requests, managing Windows access tokens, downloading files to the server, injecting code into running processes, and exiting the agent.
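The hashed lookup described above (djb2 with the magic number 2231 used for both API names and command names) is what an analyst has to reverse when reading the agent: the binary carries 32-bit constants, not strings. The resolver below is an added example written for this page; it is not code from the Securelist report or from the Loki, Havoc or Mythic projects. It assumes the plain 32-bit djb2 variant (h = h*33 + c over ASCII bytes, no case folding) with the seed swapped from 5381 to 2231; the candidate API and command name lists and the sample byte blob are constructed here for illustration.

```python
"""Resolve djb2-style hashes (seed 2231) back to API and command names.

Added example for analysis and detection engineering; the exact hash
variant (32-bit, ASCII, no case folding) is an assumption, not taken
from the report.
"""
import struct

DJB2_STANDARD_SEED = 5381   # classic djb2 initial value
LOKI_SEED = 2231            # modified magic number reported for Loki


def djb2(name: str, seed: int = LOKI_SEED) -> int:
    """32-bit djb2: start at `seed`, then h = h*33 + byte for each byte."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


def build_table(names, seed: int = LOKI_SEED) -> dict:
    """Map hash -> name for a candidate list; refuse silent collisions."""
    table = {}
    for n in names:
        h = djb2(n, seed)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {n!r} and {table[h]!r} -> {h:#010x}")
        table[h] = n
    return table


def resolve(hashes, table: dict) -> dict:
    """Translate observed 32-bit constants into names (or '<unknown>')."""
    return {h: table.get(h, "<unknown>") for h in hashes}


def find_hashes_in_blob(blob: bytes, table: dict) -> list:
    """Scan a byte blob at every offset for little-endian 32-bit values
    that match a known hash; returns (offset, name) pairs.  Useful for
    triaging a dumped module before full disassembly."""
    hits = []
    for i in range(len(blob) - 3):
        v = int.from_bytes(blob[i:i + 4], "little")
        if v in table:
            hits.append((i, table[v]))
    return hits


# Constructed candidate lists: typical Win32 exports and short command
# verbs matching the capabilities described in the text.  They are
# guesses for illustration, not names recovered from the sample.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessW", "OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
]
COMMAND_NAMES = ["cd", "pwd", "ps", "kill", "sleep", "token", "download",
                 "inject", "env", "exit"]


if __name__ == "__main__":
    table = build_table(API_NAMES + COMMAND_NAMES)
    # Constructed blob: padding byte, the hash of "cd", then filler.
    blob = b"\x00" + struct.pack("<I", djb2("cd")) + b"\xff" * 3
    print(resolve([djb2("exit"), 0xDEADBEEF], table))
    print(find_hashes_in_blob(blob, table))
```

When the seed or byte order in a given sample differs, only `LOKI_SEED` and the `"little"` argument need to change; the table and scanner stay the same, which makes the script easy to rerun against a new build of the loader or DLL.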
The attackers used ngrok and gTunnel to tunnel traffic into private networks; gTunnel was modified to be loaded and executed in memory, avoiding detection. Over a dozen Russian companies were affected, with victims likely opening malicious email attachments.
The attackers successfully used publicly available utilities, such as gTunnel, ngrok, and goReflect, to establish remote control over victims' devices. Combined with individualized targeting, this made attribution challenging and highlights the growing trend of using open-source tools for malicious purposes.