Keep your finger on Pulse. Mythic Likho cyberattacks against Russia’s critical information infrastructure

The loader component of ReflectPulse extracts its configuration from Dropper 2, optionally encrypts the agent module and holds it in memory only in encrypted form, and uses the polling intervals from that configuration to initiate C2 communication over HTTP GET or POST. ReflectPulse supports a stealth mode that encrypts the configuration and XOR-repacks each parameter with a unique key to hinder process memory dump analysis, and the loader can wait for an encrypted agent module from the C2 server before decrypting and executing it. #ReflectPulse #Dropper2

Key points

  • The loader extracts parameters from the configuration provided by Dropper 2.
  • If the agent module is delivered in plaintext, the loader encrypts it and retains it only in encrypted form in memory until execution.
  • If no agent module is included, the loader sends system information and waits for the encrypted agent module in the C2 server’s response.
  • The loader initiates C2 communication using polling intervals specified in the configuration.
  • ReflectPulse supports both GET and POST methods, with two separate endpoints and a specified HTTP request parameter for carrying data.
  • Two operating modes exist: standard (plaintext config storage/transmission) and stealth (encrypted config with per-parameter XOR repacking to impede memory-dump analysis).

MITRE Techniques

  • [T1071.001] Web Protocols – Used for command-and-control communication over HTTP(S) with selectable GET/POST methods (‘ReflectPulse then initiates C2 communication using polling intervals extracted from the configuration.’).
  • [T1105] Ingress Tool Transfer – The loader can receive an encrypted agent module from the C2 server response and wait for it before execution (‘the loader sends the collected system information and waits for the encrypted agent module in the C2 server’s response.’).
  • [T1027] Obfuscated Files or Information – Configuration parameters and agent modules are encrypted, and parameters are XOR-repacked with unique keys to hinder memory-dump analysis (‘ReflectPulse first decrypts them, then repacks each parameter by XOR-encrypting it with a unique key, hindering process memory dump analysis.’).

Indicators of Compromise

  • [Malware/Tool names] Named components observed in behavior reporting – ReflectPulse, Dropper 2.
  • [Network endpoints / HTTP parameters] C2 endpoints and an HTTP request parameter are referenced as transport mechanisms, but no specific domains, IPs, or parameter names were provided in the article – examples: none given.


Read more: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/mythic-likho-cyberattacks-on-russian-critical-information-infrastructure