Researchers Discover a Connection Between Loki Backdoor and Mythic Framework

In July 2024, researchers found a previously undiscovered backdoor named Loki and determined that it was a private version of an agent for the open-source Mythic red teaming framework. Mythic, originally developed by Cody Thomas in 2018 as Apfell, has grown into a versatile solution for threat actors looking for a more cohesive and modular approach to post-exploitation tactics.

The Loki backdoor was detected in targeted attacks primarily aimed at Russian companies across various industries, including engineering and healthcare. According to findings from Kaspersky researchers, Loki is distributed through email, with victims unknowingly activating the malware themselves. Attackers personalize their tactics for each target, utilizing publicly available tools like gTunnel, ngrok for traffic tunneling, and the goReflect tool for manipulation.

It was also noted that the Loki agent is compatible with another malware framework known as Havoc, inheriting techniques that complicate analysis efforts for researchers. These techniques include encrypting memory images, making indirect system API calls, and resolving API functions by hash rather than by name. The Loki agent utilizes a slightly modified version of the djb2 hashing algorithm, altering the magic number to enhance obfuscation.
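The hashed API resolution described above is worth seeing concretely from the analyst's side. The following is an added example, not code from the article or from Kaspersky: it implements classic djb2 with a configurable seed (the "magic number"), builds a hash-to-name table so hashes found in a sample can be resolved, and recovers an altered seed from a single known name/hash pair by inverting the hash step (33 is odd, so it is invertible modulo 2^32). The article does not give Loki's actual seed, so `CUSTOM_SEED` is a constructed placeholder.

```python
# Added example (not from the article or Kaspersky's analysis code).
# Models djb2-style API hashing as used by Havoc/Loki-style agents and shows
# how an analyst recovers a modified seed from one known (name, hash) pair.

MASK32 = 0xFFFFFFFF
DJB2_SEED = 5381            # classic djb2 magic number
CUSTOM_SEED = 0x1337BEEF    # constructed placeholder for an altered magic


def djb2(name: bytes, seed: int = DJB2_SEED) -> int:
    """Classic djb2: h = h * 33 + c for each byte, truncated to 32 bits."""
    h = seed
    for c in name:
        h = (h * 33 + c) & MASK32
    return h


def build_lookup(names, seed: int = DJB2_SEED) -> dict:
    """Map hash -> API name so hashes seen in a sample can be resolved.
    In practice `names` would be the export table of the relevant DLLs."""
    return {djb2(n.encode("ascii"), seed): n for n in names}


def recover_seed(name: bytes, final_hash: int) -> int:
    """Walk the string backwards, undoing each step:
    h_prev = (h - c) * inv(33) mod 2^32.  Works for the multiplicative
    djb2 variant because 33 has a modular inverse modulo 2^32."""
    inv33 = pow(33, -1, 1 << 32)
    h = final_hash
    for c in reversed(name):
        h = ((h - c) * inv33) & MASK32
    return h


if __name__ == "__main__":
    # Constructed sample: a few Windows export names a loader commonly resolves.
    exports = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread"]
    table = build_lookup(exports, CUSTOM_SEED)
    # Pretend this hash was pulled from a sample's constant table.
    observed = djb2(b"VirtualAlloc", CUSTOM_SEED)
    print(f"{observed:#010x} -> {table.get(observed)}")
    # Given one name whose hash we can identify, recover the altered magic.
    print(hex(recover_seed(b"LoadLibraryA", djb2(b"LoadLibraryA", CUSTOM_SEED))))
```

With the seed recovered, the whole lookup table can be regenerated for the altered hash and every hashed import in the sample resolved without guessing.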

The Loki loader, responsible for transmitting system information to the command-and-control (C2) server, encrypts the data before sending it out. Once a response is received from the server, a DLL is deployed in the infected device’s memory for further communication and command execution. Researchers identified two versions of the loader, from May and July, showing variations in implementation such as data serialization techniques and behavioral mimicry from other agents.

Encryption plays a crucial role in Loki’s operations, with the loader using AES encryption and base64 encoding to conceal communication with the C2 server. Despite efforts to analyze and attribute the Loki agent to a specific group, researchers faced challenges due to the tailored nature of the attacks and the lack of distinctive tools that would allow identification. The prevalence of open-source post-exploitation frameworks among cybercriminal groups underscores the need for red team testing while also complicating security teams’ efforts to trace and combat infections.

The utilization of such frameworks by cybercriminals poses a significant challenge to security efforts, as these tools are adaptable and easily modified for malicious purposes. As a result, maintaining control over targeted devices and identifying the perpetrators behind such attacks becomes increasingly complex for security professionals.

In conclusion, the discovery of the Loki backdoor within the context of the Mythic framework sheds light on the evolving tactics employed by threat actors and the challenges faced by cybersecurity experts in combating such sophisticated attacks. The intersection of open-source tools and cybercrime highlights the need for continuous vigilance and innovation in the field of cybersecurity to stay ahead of malicious actors.
