Loki: a new private agent for the popular Mythic framework
Sept. 9, 2024, 9:52 a.m.
Description
Kaspersky researchers discovered a previously unknown backdoor, Loki, used in a series of targeted attacks. Analysis showed that Loki is a private build of an agent compatible with the open-source Mythic framework. The malware employs techniques such as memory encryption, indirect system API calls, and API function hashing to impede analysis. It comprises a loader and a DLL, with the DLL implementing the core functionality. The loader gathers system information and communicates with the command-and-control server to obtain the payload DLL. Loki inherits commands from several Mythic agents and supports capabilities such as file transfers, code injection, and token management. The attackers likely distribute the malware via email, targeting Russian companies across multiple industries.
Date
Published: Sept. 9, 2024, 9:22 a.m.
Created: Sept. 9, 2024, 9:22 a.m.
Modified: Sept. 9, 2024, 9:52 a.m.
Indicators
Attack Patterns
HELLOKITTY - S0617
T1589
T1559
T1106
T1105
T1570
T1543
T1027
T1558
Additional Information
Healthcare
Manufacturing
Russian Federation