Cody Thomas created Apfell in 2018, an open-source macOS post-exploitation framework that later evolved into Mythic, a cross-platform framework addressing the limits of existing tools.
Loki Backdoor
Mythic offers a unified interface for managing agents across platforms, allowing flexibility and customization to create agents with specific features.
The official Mythic repository now hosts more than two dozen agents, including the Loki agent, which uses a modified djb2 hashing algorithm to obscure API function names and commands; it differs from the original Havoc agent in its choice of magic number (the hash seed), 2231.
For each character, the running hash is shifted left by 5 bits and the original hash value and the character's code are added to it (equivalent to hash * 33 + c), so API names and commands appear in the agent only as hash values, making its behavior harder to analyze and detect.
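To make the hashing concrete, here is an added example (not code from the Securelist report or from the Loki, Havoc, or Mythic projects) that computes the described hash with the 2231 seed beside the standard djb2 seed 5381 and resolves hashes back to names from a candidate list, as an analyst would when annotating hashed API references. The 32-bit width and case-sensitive input are assumptions not stated above.

```python
# Added example, not the report's or the agent's own code: djb2-style hash
# as described in the article (hash = (hash << 5) + hash + c per character),
# with the 2231 seed attributed to Loki beside the classic djb2 seed 5381,
# plus a hash -> name lookup for resolving hashed API or command references.
# Assumptions (not stated in the article): 32-bit unsigned arithmetic and
# case-sensitive input bytes.
from typing import Dict, Iterable, Optional

LOKI_SEED = 2231        # magic number the article gives for Loki's variant
DJB2_SEED = 5381        # seed of the original djb2 algorithm


def hash_djb2(name: str, seed: int = LOKI_SEED, bits: int = 32) -> int:
    """Return the hash of `name`: for each byte, h = (h << 5) + h + c."""
    mask = (1 << bits) - 1          # assumed width; keeps the value unsigned
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & mask
    return h


def build_lookup(names: Iterable[str], seed: int = LOKI_SEED,
                 bits: int = 32) -> Dict[int, str]:
    """Map hash -> name for a candidate list (e.g. a DLL's export names)."""
    table: Dict[int, str] = {}
    for n in names:
        h = hash_djb2(n, seed, bits)
        if h in table and table[h] != n:
            # Two candidates hashing alike would make a lookup ambiguous.
            raise ValueError(f"collision: {table[h]!r} and {n!r} -> {h:#x}")
        table[h] = n
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the name behind a hash seen in a sample, or None if unknown."""
    return table.get(h)


if __name__ == "__main__":
    # Constructed candidate list; real analysis would feed whole export tables.
    candidates = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]
    for seed in (LOKI_SEED, DJB2_SEED):
        for h, n in build_lookup(candidates, seed).items():
            print(f"seed {seed}: {h:#010x} -> {n}")
```

Feeding the export names of common system DLLs through `build_lookup` gives a table that turns hashed references in a sample back into readable names.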
The Loki loader malware sends encrypted data about the infected system to a command-and-control server. The server responds by sending a DLL, which the loader runs in the device’s memory to handle further communication.
Both the May and July versions use similar encryption methods, but differ slightly in how they handle data and UUIDs. The May version sends a plaintext UUID, while the July version encodes it. After connecting, the loader passes control to the DLL, which carries out the malicious tasks.
The malware, stagger_1.1.dll, is a Windows x64 executable based on the Havoc agent, using hashed commands for file transfer, process management, and environment control. While it lacks native traffic tunneling, attackers use tools like ngrok or gTunnel to access private networks, loading them in memory to avoid detection.
According to Securelist, Russian companies across various industries have been targeted by a sophisticated malware campaign, likely delivered through email attachments. Attackers, using publicly available tools, have compromised over a dozen organizations.
Victims were tricked into opening malicious files, leading to the installation of Loki malware. Attribution remains difficult due to the use of common tools and evasive tactics.
Loaders built on open-source post-exploitation frameworks, like the May and July versions described here, are increasingly used to remotely control victim devices, often evading detection. Indicators of compromise include specific file hashes, network traffic, and C2 addresses. gTunnel and ngrok are key tools for tunneling and communication.