“Loki: A New Private Agent for the Mythic Framework”

July 2024 saw the discovery of Loki, a private backdoor derived from the Mythic open-source framework, used in targeted attacks against Russian companies. Loki is split into a loader and a DLL, encrypts its data with AES, obfuscates API lookups with hashing, and relies on public tools to tunnel traffic to its C2 servers. #Loki #MythicFramework #Havoc #ngrok #gTunnel #goReflect #RussianCompanies

Keypoints

  • Loki backdoor discovered in July 2024, linked to targeted attacks against Russian companies.
  • Identified as a private Mythic-compatible agent derived from the Havoc framework.
  • Mythic framework enables cross-platform agent development and modularity across languages and platforms.
  • Loki uses Havoc-derived obfuscation techniques, including memory image encryption and hashed API function lookups.
  • Loader functionality collects system information and sends it to a C2 server to receive a DLL for execution.
  • Two loader versions (May and July 2024) share AES encryption and base64 encoding; the May loader uses protobuf, the July loader mimics Ceos behavior, and the two handle UUIDs differently.
  • Victims include over a dozen Russian companies across multiple industries; attackers rely on publicly available tunneling tools (e.g., ngrok, gTunnel) for private-network access.
  • Attribution remains unclear; the attackers appear to approach each target individually, relying on public tunneling utilities rather than standard templates.

MITRE Techniques

  • [T1219] Remote Access Tools – “Utilizes the Loki backdoor to establish remote access to compromised systems.”
  • [T1071] Command and Control – “Communicates with a command-and-control server to receive commands and exfiltrate data.”
  • [T1022] Data Encrypted – “Encrypts data using AES before transmission to the C2 server.”
  • [T1027] Obfuscated Files or Information – “Employs various obfuscation techniques, including hashing and encryption, to hide its presence.”

Indicators of Compromise

  • [Hash] context – loader May and July samples: 375CFE475725CAA89EDF6D40ACD7BE70, 46505707991E856049215A09BF403701
  • [Hash] context – other samples: 8326B2B0569305254A8CE9F186863E09605667E7, 21CDDE4F6916F7E4765A377F6F40A82904A05431
  • [Hash] context – main module: EB7886DDC6D28D174636622648D8E9E0, 98CFFA5906ADB7BBBB9A6AA7C0BF18587697CF10, AA544118DEB7CB64DED9FDD9455A277D0608C6985E45152A3CBB7422BD9DC916
  • [File name] context – May loader: смета_27.05.2024.exe
  • [File name] context – July loader: winit.exe
  • [File name] context – main module: stagger_1.1.dll
  • [URL] context – C2 addresses: http://y[.]nsitelecom[.]ru/certcenter, http://document[.]info-cloud[.]ru/data, http://ui[.]telecomz[.]ru/data
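As an added example (not part of the original report or the Securelist analysis), the following Python parses the indicator bullets above in the exact “[Kind] context – …: value, value” layout this page uses, classifies hashes by length, refangs the C2 URLs to plain host names, and checks a file's digests against the set. The IOC_LINES string is a constructed copy of a few bullets from this page; the matching logic is an assumption about how a defender would consume such a list, not a tool the report describes.

```python
import hashlib
import re

# Constructed copy of some of this page's IoC bullets, in the page's own layout.
IOC_LINES = """
[Hash] context – loader May and July samples: 375CFE475725CAA89EDF6D40ACD7BE70, 46505707991E856049215A09BF403701
[Hash] context – other samples: 8326B2B0569305254A8CE9F186863E09605667E7, 21CDDE4F6916F7E4765A377F6F40A82904A05431
[File name] context – May loader: смета_27.05.2024.exe
[URL] context – C2 addresses: http://y[.]nsitelecom[.]ru/certcenter, http://document[.]info-cloud[.]ru/data
"""

# Hex digest length -> hashlib algorithm name (MD5, SHA-1, SHA-256 all appear on the page).
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# One bullet: "[Kind] context – description: v1, v2" (accepts "-" or "–" after "context").
BULLET = re.compile(r"\s*\[(\w[\w ]*)\]\s*context\s*[-–]\s*[^:]*:\s*(.+)$")


def parse_iocs(text):
    """Split the bullet list into normalized indicator sets keyed by type."""
    out = {"md5": set(), "sha1": set(), "sha256": set(), "domain": set(), "filename": set()}
    for line in text.splitlines():
        m = BULLET.match(line)
        if not m:
            continue  # headings, blank lines, "Read more" links
        kind = m.group(1).lower()
        for value in (v.strip() for v in m.group(2).split(",")):
            if kind == "hash" and re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) in HASH_ALGOS:
                out[HASH_ALGOS[len(value)]].add(value.lower())
            elif kind == "url":
                # Refang "[.]" and keep only the host part for DNS/proxy log matching.
                host = re.sub(r"^https?://", "", value.replace("[.]", ".")).split("/")[0]
                out["domain"].add(host.lower())
            elif kind == "file name":
                out["filename"].add(value)
    return out


def match_file(data, iocs):
    """Hash file bytes with every algorithm the IoC set covers; return the algorithms that hit."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        if iocs[algo] and hashlib.new(algo, data).hexdigest() in iocs[algo]:
            hits.append(algo)
    return hits
```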

Read more: https://securelist.com/loki-agent-for-mythic/113596/