Loki: a new private agent for the popular Mythic framework

In July 2024, we discovered the previously unknown Loki backdoor, which was used in a series of targeted attacks. By analyzing the malicious file and open sources, we determined that Loki is a private version of an agent for the open-source Mythic framework.

One of the agent’s decrypted strings

Our solutions detect this threat as Backdoor.Win64.MLoki to differentiate it from other malware families with the same name, such as Loki Bot, Loki Locker, and others.

Mythic Framework

In 2018, developer Cody Thomas created his own open-source framework called Apfell for post-exploitation of compromised macOS systems. Two years later, several developers joined the project, the framework became cross-platform, and was renamed Mythic. The main problems with existing frameworks at the time were the inconvenience of creating different agents (clients), the lack of a unified interface for managing them, and no support for modularity. The advantage of Mythic is that it allows the use of agents in any language, for any platform, with the required functionality. At the time of writing, around two dozen agents have been published in the official Mythic repository.

Technical details

The Loki agent we discovered is a Mythic-compatible version of the agent for another framework, Havoc. The Loki modification inherited various techniques from Havoc to complicate analysis of the agent, such as encrypting its memory image, indirectly calling system API functions, searching for API functions by hashes, and more. However, unlike the agent for Havoc, Loki was split into a loader and a DLL, where main functionality of the malware is implemented.

Both versions of the agent use the djb2 hashing algorithm to obscure API functions and commands. However, in the Mythic version, this was slightly modified. The Havoc agent used Daniel Bernstein’s original magic number, 5381, but in Loki, this was replaced with 2231.

Loader functionality

Upon execution, the Loki loader generates a packet containing information about the infected system, such as the OS version, internal IP address, username, processor architecture, the path to the current process and its ID, and sends it encrypted to the command-and-control (С2) server at https://y[.]nsitelecom[.]ru/certcenter. In response, the server sends a DLL, which the loader places in the infected device’s memory – command processing and further communication with the C2 server occur within this library. We will now look at two versions of the loader, whose activity was observed in May and July.

May loader version

July loader version

The loader version observed in May differs slightly from the July sample. For example, the earlier version uses the protobuf protocol for data serialization, while the new one partially mimics the behavior of the Ceos agent.

Both versions use the same algorithms for data encryption: first, the collected information is encrypted with the AES algorithm, then encoded with base64. However, the old version sends a 36-character UUID in plaintext along with the encrypted data, while the new one encodes it using base64.

An example of the data sent before encryption by the July version of Loki, with the UUID visible on the right

Each instance of the malware has a unique UUID. The May sample used the identifier 86cd8a56-1657-42ce-a0e8-587bf8144c05, while the July version used 472719a8-e1ce-4a5c-9ab2-bb4d1139ae33.

Traffic from the July version after AES and base64 encryption

Traffic from the May version after encryption with plaintext UUID

As a result of the first request to the C2 server, the server returns a payload in the form of a DLL with two exported functions: the standard entry point DllMain and the Start function, which the loader calls to transfer further control to the library.

Main module functionality

At the time of discovery, it was no longer possible to download the payload from the aforementioned server. However, through detailed analysis, we found around 15 other versions of the loader and two active C2 servers, and eventually obtained a sample of the main module from the May version.

The main module, like the loader, is based on the Havoc version of the agent, but the list of supported commands is partially borrowed from other Mythic agents. This list is not stored in plain text within the DLL; instead, a series of hashes is specified in the library code. When a command is received from the server, its name is hashed and compared with the hash stored in the DLL.

Processing command hashes

Tools for tunneling traffic

The agent itself does not support traffic tunneling, so to access private network segments, attackers use third-party publicly available utilities. On several infected machines, the ngrok utility was found in the directory with the Loki loader. In other cases, instances of the gTunnel utility were discovered running in the context of the svchost.exe and runtimebroker.exe system processes. Notably, unlike ngrok, it was modified using goReflect to load and execute in memory, not from disk.

Victims and distribution

Over a dozen of Russian companies from various industries, including engineering and healthcare, have encountered this threat. However, we believe the number of potential victims may be higher. Based on telemetry and the names of files in which the malware was detected (such as “смета_27.05.2024.exe”, “На_согласование_публикации_<предприятие>.rar”, “ПЕРЕЧЕНЬ_ДОКУМЕНТОВ.ISO”, etc. – referring to an estimate, a publication approval for a specific enterprise, or a list of documents), we can assume that in several cases, Loki reaches victims’ computers via email, with an unsuspecting user launching the file themselves.

Attribution

At the time of research, there is insufficient data to attribute Loki to any known group. Instead of using standard email templates to spread the agent, the attackers likely approach each target individually. We also did not find any unique tools on the infected machines that could help with attribution. Attackers seem to prioritize using only publicly available utilities for traffic tunneling, such as gTunnel and ngrok, and the goReflect tool for modifying them.

Conclusion

The popularity of open-source post-exploitation frameworks is growing. Although they are primarily useful for enhancing infrastructure security, attackers are increasingly testing and applying various frameworks to control their victims’ devices remotely and modifying them for their own purposes, such as to make detection and attribution more difficult.

Indicators of compromise

July loader version
46505707991e856049215a09bf403701

May loader version
f0b6e7c0f0829134fe73875fadf3942f
796bdba64736a0bd6d2aafe773acba52
5ec03e03b908bf76c0bae7ec96a2ba83
0632799171501fbeeba57f079ea22735
97357d0f1bf2e4f7777528d78ffeb46e
f2132a3e82c2069eb5d949e2f1f50c94
7f85e956fc69e6f76f72eeaf98aca731
375cfe475725caa89edf6d40acd7be70
dff5fa75d190dde0f1bd22651f8d884d
05119e5ffceb21e3b447df49b52ab608
724c8e3fc74dde15ccd6441db460c4e4
834f7e48aa21c18c0f6e5285af55b607
e8b110b51f45f2d64af6619379aeef62

Main module
eb7886ddc6d28d174636622648d8e9e0

gTunnel
1178e7ff9d4adfe48064c507a299a628
dd8445e9b7daced487243ecba2a5d7a8

ngrok
4afad607f9422da6871d7d931fe63402

C2 addresses:
http://y[.]nsitelecom[.]ru/certcenter
http://document[.]info-cloud[.]ru/data
http://ui[.]telecomz[.]ru/data