Kaspersky experts have identified a previously unknown version of the Loki backdoor, used in a series of targeted attacks against at least 12 Russian companies. The intrusions spanned several industries, including engineering and healthcare. The malware, which Kaspersky detects as Backdoor.Win64.MLoki, is a privately developed agent for the open-source post-exploitation framework Mythic.
Loki reaches victims' computers via phishing emails carrying malicious attachments that unsuspecting users launch themselves. Once installed, it gives the attacker extensive control over the compromised system, including managing Windows access tokens, injecting code into running processes, and transferring files between the infected machine and the command-and-control (C2) server.
"The popularity of open-source post-exploitation frameworks is growing, and while they are useful for enhancing infrastructure security, we are seeing attackers increasingly adopt and modify these frameworks to spread malware," said Artem Ushkov, research developer at Kaspersky. "Loki is the latest example of attackers testing and applying various frameworks for malicious purposes and modifying them to hinder detection and attribution."
The Loki agent itself does not support traffic tunneling, so the attackers rely on publicly available utilities such as ngrok and gTunnel to reach private network segments. In some cases, Kaspersky found that gTunnel had been modified with goreflect so that its payload runs in the target computer's memory rather than from disk, reducing the chance of detection.
At this time, there is insufficient data to attribute Loki to any known threat actor. However, Kaspersky's analysis suggests the attackers tailor each intrusion to the individual target rather than relying on standard phishing email templates.
Read the full report on Securelist.
To maximize your organization's security, Kaspersky recommends:
- Do not expose remote desktop services, such as RDP, to public networks unless absolutely necessary, and always use strong passwords.
- Keep commercial VPN products and other server-side, internet-facing software up to date, since exploitation of such software is a common ransomware infection vector. Keep client-side applications up to date as well.
- Focus your defense strategy on detecting lateral movement and data exfiltration to the internet, paying special attention to outgoing traffic in order to spot attacker connections. Back up data regularly and make sure the backups can be restored quickly in an emergency. Use current Threat Intelligence to stay informed about the latest TTPs used by threat actors.
- Use Managed Detection and Response services to help identify and stop an attack in the early stages, before the attackers achieve their ultimate goals.
- To protect the corporate environment, educate your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform.
- Use comprehensive security solutions that combine endpoint protection with automated incident response, such as Kaspersky NEXT.
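As an added illustration of the outgoing-traffic monitoring recommended above, and of why the ngrok and gTunnel tunnels mentioned earlier are worth hunting for, the following Python script is example code written for this page; it is not a Kaspersky tool and does not come from the Securelist report. It runs two heuristics over constructed proxy log lines: a match against domains used by a public tunneling service (ngrok), and a long-lived outbound session to a non-allowlisted destination on a non-web port or to a raw IP address, which is the only signal available for a tool like gTunnel that has no fixed infrastructure. The log format, the ngrok domain list, the allowlist, the hostnames and the thresholds are all assumptions for the example.

```python
"""Flag outbound connections that look like reverse-tunnel traffic.

Example code for this page, not from the Kaspersky report. The log lines,
domain list, allowlist and thresholds below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: domain suffixes used by ngrok tunnel endpoints. Verify against
# current ngrok documentation and your own threat-intel feeds before use.
# gTunnel has no fixed infrastructure, so it cannot be caught by this list.
TUNNEL_DOMAIN_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app",
                          "ngrok.com", "ngrok-agent.com")

# Hypothetical corporate allowlist: destinations that legitimately hold
# long outbound sessions (VPN concentrator, update server).
ALLOWLISTED_DST = {"vpn.corp.example", "updates.corp.example"}

LONG_SESSION_SECONDS = 3600   # an hour-long outbound session from a workstation is unusual
WEB_PORTS = {80, 443}

# Constructed key=value log format (not a real product format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) duration=(?P<duration>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    dst: str
    reason: str


def _is_ip(value: str) -> bool:
    """True if the destination is a literal IPv4/IPv6 address (no DNS name)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[dict]:
    """Parse one log record; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("dport", "duration", "bytes_out"):
        rec[key] = int(rec[key])
    return rec


def classify(rec: dict) -> List[str]:
    """Return the reasons (possibly none) why this record looks like tunnel traffic."""
    reasons = []
    dst = rec["dst"].lower().rstrip(".")
    if any(dst == s or dst.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES):
        reasons.append("known tunneling service")
    if dst in ALLOWLISTED_DST:
        return reasons            # allowlisted hosts skip the behavioural heuristics
    long_lived = rec["duration"] >= LONG_SESSION_SECONDS
    if long_lived and rec["dport"] not in WEB_PORTS:
        reasons.append("long-lived session on non-web port")
    if long_lived and _is_ip(dst):
        reasons.append("long-lived session to raw IP (no DNS name)")
    return reasons


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the heuristics over log lines and return one Finding per reason."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            findings.append(Finding(rec["host"], rec["dst"], reason))
    return findings


# Constructed sample log (hostnames, users and addresses are made up).
SAMPLE_LOG = """\
2024-07-29T09:14:02Z host=ws-eng-07 user=a.petrov dst=updates.corp.example dport=443 duration=5400 bytes_out=204800
2024-07-29T09:20:45Z host=ws-eng-07 user=a.petrov dst=4f2a-203-0-113-9.ngrok-free.app dport=443 duration=7300 bytes_out=9437184
2024-07-29T10:02:11Z host=ws-med-03 user=i.sidorova dst=198.51.100.24 dport=8443 duration=14400 bytes_out=52428800
2024-07-29T10:05:00Z host=ws-med-03 user=i.sidorova dst=www.example.com dport=443 duration=12 bytes_out=2048
2024-07-29T10:30:00Z host=ws-eng-07 user=a.petrov dst=vpn.corp.example dport=1194 duration=28800 bytes_out=104857600
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.host} -> {f.dst}: {f.reason}")
```

Run stand-alone, the script reports the ngrok session from ws-eng-07 and two reasons for the long 8443 session from ws-med-03 to a bare IP, while the allowlisted update and VPN sessions stay quiet. The domain list only covers ngrok; the behavioural rules are what give you a chance against a self-hosted tunnel such as gTunnel, at the cost of tuning the allowlist and thresholds to your own environment.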