Loki: a new private agent for the popular Mythic framework

Kaspersky researchers discovered a previously unknown backdoor, Loki, used in a series of targeted attacks. Analysis showed that Loki is a private build of an agent compatible with the open-source Mythic command-and-control framework. To hinder analysis, the malware encrypts its memory, issues system API calls indirectly, and resolves API functions by hash rather than by name. It consists of a loader and a DLL; the DLL implements the core functionality. The loader gathers system information and contacts the command-and-control server to retrieve the payload DLL. Loki inherits commands from several Mythic agents and supports file transfers, code injection, and token manipulation, among other capabilities. The attackers likely deliver the malware by email and have targeted Russian companies across multiple industries.

Author: AlienVault

Related Tags:
agent
mythic
HELLOKITTY – S0617 (ATT&CK software ID)
T1558 (ATT&CK: Steal or Forge Kerberos Tickets)
T1559 (ATT&CK: Inter-Process Communication)
Russian Federation
T1589 (ATT&CK: Gather Victim Identity Information)
Healthcare
Manufacturing

Associated Indicators:
SHA-256:
AA544118DEB7CB64DED9FDD9455A277D0608C6985E45152A3CBB7422BD9DC916
FF605DF63FFE6D7123AD67E96F3BC698E50AC5B982750F77BBC75DA8007625BB
SHA-1:
98CFFA5906ADB7BBBB9A6AA7C0BF18587697CF10
21CDDE4F6916F7E4765A377F6F40A82904A05431
8326B2B0569305254A8CE9F186863E09605667E7
MD5:
1178E7FF9D4ADFE48064C507A299A628
0632799171501FBEEBA57F079EA22735
05119E5FFCEB21E3B447DF49B52AB608
5EC03E03B908BF76C0BAE7EC96A2BA83
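To turn the indicator list above into a check you can run against files, here is an added example (not Kaspersky's or AlienVault's code). It sorts the pulse's hashes into MD5, SHA-1 and SHA-256 by digest length, hashes a file in one streaming pass with all three algorithms, and reports any hit. The control sample and the extra indicator derived from it are constructed for the demonstration only; the file-matching helper is an assumption about how a responder would apply the list, not something the pulse describes.

```python
import hashlib

# Hash indicators copied verbatim from the "Associated Indicators" list above.
LOKI_INDICATORS = [
    "AA544118DEB7CB64DED9FDD9455A277D0608C6985E45152A3CBB7422BD9DC916",
    "FF605DF63FFE6D7123AD67E96F3BC698E50AC5B982750F77BBC75DA8007625BB",
    "98CFFA5906ADB7BBBB9A6AA7C0BF18587697CF10",
    "21CDDE4F6916F7E4765A377F6F40A82904A05431",
    "8326B2B0569305254A8CE9F186863E09605667E7",
    "1178E7FF9D4ADFE48064C507A299A628",
    "0632799171501FBEEBA57F079EA22735",
    "05119E5FFCEB21E3B447DF49B52AB608",
    "5EC03E03B908BF76C0BAE7EC96A2BA83",
]

# The pulse does not label the hashes; hex digest length tells the algorithms apart.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def is_hash_indicator(value):
    """True for a hex string whose length matches MD5, SHA-1 or SHA-256."""
    v = value.strip().lower()
    return len(v) in ALGO_BY_LENGTH and set(v) <= HEX


def classify_indicators(indicators):
    """Group indicators by algorithm; a tag such as 'T1558' is rejected, not silently skipped."""
    groups = {algo: set() for algo in ALGO_BY_LENGTH.values()}
    for raw in indicators:
        if not is_hash_indicator(raw):
            raise ValueError(f"not a hash indicator: {raw!r}")
        v = raw.strip().lower()
        groups[ALGO_BY_LENGTH[len(v)]].add(v)
    return groups


def digest_stream(chunks):
    """Hash an iterable of byte chunks with all three algorithms in a single pass."""
    hashers = {algo: hashlib.new(algo) for algo in ALGO_BY_LENGTH.values()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_chunks(chunks, groups):
    """Return sorted (algorithm, digest) pairs that hit an indicator; empty list means no match."""
    d = digest_stream(chunks)
    return sorted((algo, d[algo]) for algo in groups if d[algo] in groups[algo])


def match_file(path, groups, chunk_size=1 << 20):
    """Stream a file from disk so large binaries are not read into memory at once (assumed helper)."""
    with open(path, "rb") as f:
        return match_chunks(iter(lambda: f.read(chunk_size), b""), groups)


# Constructed control sample: its SHA-256 is appended to the indicator set so the
# positive path can be exercised without a real Loki binary.
CONTROL_SAMPLE = b"constructed control sample, not malware"
CONTROL_INDICATORS = LOKI_INDICATORS + [hashlib.sha256(CONTROL_SAMPLE).hexdigest()]

if __name__ == "__main__":
    groups = classify_indicators(CONTROL_INDICATORS)
    print({algo: len(s) for algo, s in groups.items()})
    print("control:", match_chunks([CONTROL_SAMPLE], groups))
    print("benign:", match_chunks([b"hello world"], groups))
```

Hashing with all three algorithms in one pass means each file is read once regardless of which digest the indicator happens to be; splitting the input into chunks gives the same result as hashing it whole, so `match_file` can use a fixed buffer size safely.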