Kaspersky experts have identified a previously unknown version of the Loki backdoor, used in a series of targeted attacks against at least 12 Russian companies. The incursions occurred across various industries, including engineering and healthcare. The malware, which Kaspersky detects as Backdoor.Win64.MLoki, is a privately built agent for the open-source post-exploitation framework Mythic.
Loki reaches victims’ computers via phishing emails carrying malicious attachments that unsuspecting users launch themselves. Once installed, Loki gives the attacker extensive capabilities on the compromised system, such as managing Windows access tokens, injecting code into running processes, and transferring files between the infected machine and the command-and-control (C2) server.
“The popularity of open-source post-exploitation frameworks is growing, and while they are useful for enhancing infrastructure security, we are seeing attackers increasingly adopt and modify these frameworks to spread malware,” said Artem Ushkov, research developer at Kaspersky. “Loki is the latest example of attackers testing and applying various frameworks for malicious purposes and modifying them to hinder detection and attribution.”
The Loki agent itself does not support traffic tunneling, so the attackers rely on publicly available utilities such as ngrok and gTunnel to reach private network segments. Kaspersky found that, in some cases, the gTunnel utility had been modified with goreflect so that its malicious code executes in the targeted computer’s memory, which helps it evade detection.
At this time, there is insufficient data to attribute Loki to any known group of threat actors. However, Kaspersky’s analysis suggests the attackers carefully approach each target individually rather than relying on standard phishing email templates.
Read the full report on Securelist.