New Loki Backdoor Emerges: A Private Agent for Mythic Framework Unveiled
Kaspersky Labs uncovered a new threat—Loki, a sophisticated backdoor that has been deployed in a series of targeted attacks. This backdoor is linked to the open-source Mythic framework, a platform initially developed to exploit macOS but now extended for cross-platform use. Loki represents a modified, private version of Mythic’s agent, designed to evade detection and complicate analysis, posing a new challenge for cybersecurity defenders.
Mythic, a cross-platform post-exploitation framework, has gained popularity among security professionals due to its flexibility and modularity. It allows for the development of agents in any programming language for any platform, providing a versatile toolset for security assessments. However, Kaspersky’s discovery reveals that threat actors are also harnessing the power of Mythic for their malicious ends.
Loki inherits several techniques from another framework called Havoc, making analysis challenging. The malware employs memory encryption, indirect system API calls, and hash-based API function searching to obfuscate its behavior. Moreover, it has been split into a loader and a DLL, further complicating detection efforts.
One of the standout features of Loki is its command-processing mechanism. Rather than storing a list of commands in plain text, Loki relies on hashing functions to identify commands. When the malware receives a command from its C2 server, it is hashed and compared against the values stored within the DLL. This method not only obfuscates Loki’s behavior but also makes reverse engineering significantly more difficult.
Interestingly, Loki lacks built-in traffic tunneling capabilities, a limitation that its operators have overcome by using third-party tools. On several infected systems, utilities such as ngrok and gTunnel were found alongside Loki’s loader. In some instances, gTunnel was modified using goReflect, allowing it to execute directly in memory, further enhancing the stealth of the operation by eliminating the need for disk-based execution.
Kaspersky’s telemetry indicates that Loki has been used in targeted attacks against over a dozen Russian companies across various sectors, including engineering and healthcare. The names of files associated with the malware suggest that it is delivered via email, relying on social engineering to trick users into executing the malicious payload.
Despite extensive analysis, attributing Loki to any known threat actor remains elusive. The malware’s operators appear to be highly skilled, using personalized spear-phishing emails to lure specific targets. The tools found on infected machines were all publicly available utilities, such as ngrok and gTunnel, with no unique signatures that would link Loki to any specific hacking group. The use of publicly available tools and open-source frameworks like Mythic is a growing trend, making attribution more difficult.
