In July 2024, we discovered the previously unknown Loki backdoor, which was used in a series of targeted attacks. By analyzing the malicious file and open sources, we determined that Loki is a private version of an agent for the open-source Mythic framework.
Our solutions detect this threat as Backdoor.Win64.MLoki to differentiate it from other malware families with the same name, such as Loki Bot, Loki Locker, and others.
Mythic Framework
In 2018, developer Cody Thomas created his own open-source framework called Apfell for post-exploitation of compromised macOS systems. Two years later, several developers joined the project, the framework became cross-platform, and was renamed Mythic. The main problems with existing frameworks at the time were the inconvenience of creating different agents (clients), the lack of a unified interface for managing them, and no support for modularity. The advantage of Mythic is that it allows the use of agents in any language, for any platform, with the required functionality. At the time of writing, around two dozen agents have been published in the official Mythic repository.
Technical details
The Loki agent we discovered is a Mythic-compatible version of the agent for another framework, Havoc. The Loki modification inherited various techniques from Havoc to complicate analysis of the agent, such as encrypting its memory image, indirectly calling system API functions, searching for API functions by hashes, and more. However, unlike the agent for Havoc, Loki was split into a loader and a DLL, where the main functionality of the malware is implemented.
Both versions of the agent use the djb2 hashing algorithm to obscure API functions and commands. However, in the Mythic version, this was slightly modified. The Havoc agent used Daniel Bernstein’s original magic number, 5381, but in Loki, this was replaced with 2231.
    /* Modified djb2 as used by Loki: the seed is 2231 instead of Bernstein's 5381.
       Note that unsigned long is 32 bits on Windows x64, so the value wraps at 2^32. */
    unsigned long hash(unsigned char *str)
    {
        unsigned long hash = 2231;
        int c;

        while ((c = *str++))                 /* iterate until the NUL terminator */
            hash = ((hash << 5) + hash) + c; /* hash * 33 + c */

        return hash;
    }
Loader functionality
Upon execution, the Loki loader generates a packet containing information about the infected system, such as the OS version, internal IP address, username, processor architecture, the path to the current process and its ID, and sends it encrypted to the command-and-control (C2) server at https://y[.]nsitelecom[.]ru/certcenter. In response, the server sends a DLL, which the loader places in the infected device's memory; command processing and further communication with the C2 server occur within this library. We will now look at two versions of the loader, whose activity was observed in May and July.
May loader version
MD5: 375CFE475725CAA89EDF6D40ACD7BE70
SHA1: 8326B2B0569305254A8CE9F186863E09605667E7
SHA256: 81801823C6787B737019F3BD9BD53F15B1D09444F0FE95FAD9B568F82CC7A68D
Compilation time: 13:50 23.05.2024
Compiler: GNU Binutils 2.31
File type: Windows x64 executable
File size: 92,328 bytes
File name: смета_27.05.2024.exe
July loader version
MD5: 46505707991E856049215A09BF403701
SHA1: 21CDDE4F6916F7E4765A377F6F40A82904A05431
SHA256: FF605DF63FFE6D7123AD67E96F3BC698E50AC5B982750F77BBC75DA8007625BB
Compilation time: 11:23 25.07.2024
Compiler: GNU Binutils 2.31
File type: Windows x64 executable
File size: 92,672 bytes
File name: winit.exe
The loader version observed in May differs slightly from the July sample. For example, the earlier version uses the protobuf protocol for data serialization, while the new one partially mimics the behavior of the Ceos agent.
Both versions use the same algorithms for data encryption: first, the collected information is encrypted with the AES algorithm, then encoded with base64. However, the old version sends a 36-character UUID in plaintext along with the encrypted data, while the new one encodes it using base64.
Each instance of the malware has a unique UUID. The May sample used the identifier 86cd8a56-1657-42ce-a0e8-587bf8144c05, while the July version used 472719a8-e1ce-4a5c-9ab2-bb4d1139ae33.
As a result of the first request to the C2 server, the server returns a payload in the form of a DLL with two exported functions: the standard entry point DllMain and the Start function, which the loader calls to transfer further control to the library.
Main module functionality
At the time of discovery, it was no longer possible to download the payload from the aforementioned server. However, through detailed analysis, we found around 15 other versions of the loader and two active C2 servers, and eventually obtained a sample of the main module from the May version.
MD5: EB7886DDC6D28D174636622648D8E9E0
SHA1: 98CFFA5906ADB7BBBB9A6AA7C0BF18587697CF10
SHA256: AA544118DEB7CB64DED9FDD9455A277D0608C6985E45152A3CBB7422BD9DC916
Compilation time: 12:00 03.05.2024
Compiler: GNU Binutils 2.31
File type: Windows x64 executable
File size: 167,424 bytes
File name: stagger_1.1.dll
The main module, like the loader, is based on the Havoc version of the agent, but the list of supported commands is partially borrowed from other Mythic agents. This list is not stored in plain text within the DLL; instead, a series of hashes is specified in the library code. When a command is received from the server, its name is hashed and compared with the hash stored in the DLL.
Hash         Command name     Description
0x00251B5E   cd               Change the current directory
0x36D4696F   kill-process     Terminate a specified process
0x03A9CB57   create-process   Create a process
0x04C8848E   bof              Launch a Beacon Object File
0x04C89140   env              Display a list of environment variables and their values
0x04C8C122   pwd              Show the current directory
0x5A2DE070   sleep            Change the interval between C2 requests
0x5A41B798   token            Manage Windows access tokens
0x7BD1668F   download         Send a file from the infected machine to the server
0x88BD45B4   inject           Inject code into an already running process
0x9DDAE271   exit             Terminate the agent process
0xA4E0A13C   upload           Send a file from the server to the infected machine
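The following Python script is an added example, not code from the Securelist write-up or from the Loki/Mythic projects: it reimplements the modified djb2 routine shown earlier (seed 2231, 32-bit wrap) and uses it to resolve the command hashes in the table above back to their names, which is the lookup an analyst needs when only the hash constants are visible in the DLL. Recomputing the table shows that its values are reproduced when the command name is hashed in upper case; whether the agent upper-cases the received command or the table simply lists upper-case hashes is not stated on the page, so the upper-casing below is an assumption.

```python
# Added example (not the page's or the project's code). Reimplements Loki's
# modified djb2 and cross-checks it against the command-hash table on the page.

DJB2_ORIGINAL_SEED = 5381   # Daniel Bernstein's magic number, used by Havoc
LOKI_SEED = 2231            # Loki's replacement seed

def djb2(data: bytes, seed: int) -> int:
    """Classic djb2 (h = h * 33 + c), kept to 32 bits like unsigned long on Win64."""
    h = seed
    for c in data:
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h

def loki_hash(name: str) -> int:
    """Hash a command name as the table reflects it: upper-cased (assumption), seed 2231."""
    return djb2(name.upper().encode("ascii"), LOKI_SEED)

# Hash values and command names exactly as printed in the table on the page.
PAGE_TABLE = {
    "cd": 0x00251B5E, "kill-process": 0x36D4696F, "create-process": 0x03A9CB57,
    "bof": 0x04C8848E, "env": 0x04C89140, "pwd": 0x04C8C122,
    "sleep": 0x5A2DE070, "token": 0x5A41B798, "download": 0x7BD1668F,
    "inject": 0x88BD45B4, "exit": 0x9DDAE271, "upload": 0xA4E0A13C,
}

# Reverse map built from our own recomputation, not by copying the page's numbers.
LOOKUP = {loki_hash(n): n for n in PAGE_TABLE}

def resolve(hash_value: int):
    """Map a 32-bit hash constant found in the DLL back to a command name (None if unknown)."""
    return LOOKUP.get(hash_value & 0xFFFFFFFF)

def mismatches() -> list:
    """Command names whose recomputed hash differs from the value printed on the page."""
    return [n for n, h in PAGE_TABLE.items() if loki_hash(n) != h]

if __name__ == "__main__":
    for name in PAGE_TABLE:
        print(f"0x{loki_hash(name):08X}  {name}")
    print("lower-case 'cd' with the same seed:", hex(djb2(b"cd", LOKI_SEED)))
    print("mismatches vs page table:", mismatches() or "none")
```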
Tools for tunneling traffic
The agent itself does not support traffic tunneling, so to access private network segments, attackers use third-party publicly available utilities. On several infected machines, the ngrok utility was found in the directory with the Loki loader. In other cases, instances of the gTunnel utility were discovered running in the context of the svchost.exe and runtimebroker.exe system processes. Notably, unlike ngrok, it was modified using goReflect to load and execute in memory, not from disk.
Victims and distribution
Over a dozen Russian companies from various industries, including engineering and healthcare, have encountered this threat. However, we believe the number of potential victims may be higher. Based on telemetry and the names of files in which the malware was detected (such as "смета_27.05.2024.exe", "На_согласование_публикации_.rar", "ПЕРЕЧЕНЬ_ДОКУМЕНТОВ.ISO", etc., referring to an estimate, a publication approval for a specific enterprise, or a list of documents), we can assume that in several cases, Loki reaches victims' computers via email, with an unsuspecting user launching the file themselves.
Attribution
At the time of research, there was insufficient data to attribute Loki to any known group. Instead of using standard email templates to spread the agent, the attackers likely approach each target individually. We also did not find any unique tools on the infected machines that could help with attribution. The attackers seem to prioritize using only publicly available utilities for traffic tunneling, such as gTunnel and ngrok, and the goReflect tool for modifying them.
Conclusion
The popularity of open-source post-exploitation frameworks is growing. Although they are primarily useful for enhancing infrastructure security, attackers are increasingly testing and applying various frameworks to control their victims’ devices remotely and modifying them for their own purposes, such as to make detection and attribution more difficult.
Indicators of compromise
July loader version
46505707991e856049215a09bf403701
Main module
eb7886ddc6d28d174636622648d8e9e0
gTunnel
1178e7ff9d4adfe48064c507a299a628
dd8445e9b7daced487243ecba2a5d7a8
ngrok
4afad607f9422da6871d7d931fe63402
C2 addresses:
http://y[.]nsitelecom[.]ru/certcenter
http://document[.]info-cloud[.]ru/data
http://ui[.]telecomz[.]ru/data
Source: Securelist