Loki: a new private agent for the popular Mythic framework

Sept. 9, 2024, 9:52 a.m.

Description

Kaspersky researchers discovered a previously unknown backdoor, Loki, used in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques such as memory encryption, indirect system API calls, and API function hashing to impede analysis. It comprises a loader and a DLL, with the DLL implementing the core functionality. The loader gathers system information and communicates with the command-and-control server to obtain the payload DLL. Loki inherits commands from several Mythic agents and supports capabilities such as file transfers, code injection, and token management. The attackers likely distribute the malware via email, targeting Russian companies across multiple industries.

Date

  • Created: Sept. 9, 2024, 9:22 a.m.
  • Published: Sept. 9, 2024, 9:22 a.m.
  • Modified: Sept. 9, 2024, 9:52 a.m.

Indicators


Attack Patterns

  • HELLOKITTY - S0617

Additional Information

  • Healthcare
  • Manufacturing
  • Russian Federation