Kaspersky researchers have uncovered a sophisticated version of the Loki backdoor malware that has been used to infiltrate at least 12 Russian companies in a series of cyberattacks. This newly identified agent, dubbed Backdoor.Win64.MLoki, is a modified version of the open-source post-exploitation framework Mythic. The attacks have spanned across various sectors, including engineering and healthcare.
Loki’s Method of Attack: Phishing and Exploitation
The Loki malware reaches its victims through phishing emails containing malicious attachments. Unsuspecting users launch these attachments, which activate the backdoor on the target system. Once installed, Loki provides attackers with a wide array of capabilities, such as managing Windows access tokens, injecting code into running processes, and transferring files between the infected device and a command and control (C2) server.
A Growing Threat
According to Artem Ushkov, a research developer at Kaspersky, the use of open-source post-exploitation frameworks is becoming increasingly popular. While these tools are originally designed to enhance security infrastructure, cybercriminals are modifying them for malicious purposes. Ushkov commented, “Loki is the latest example of attackers adopting and modifying frameworks like Mythic to spread malware, hinder detection, and avoid attribution.”
The Loki malware in particular demonstrates how threat actors can exploit open-source technology to create undetectable and highly adaptable cyberweapons. Kaspersky’s analysis revealed that attackers have modified Loki to evade common detection methods and maximize its stealth capabilities.
Bypassing Network Defenses
Although the Dangerous Loki Backdoor itself lacks built-in traffic tunneling features, attackers compensate by utilizing publicly available utilities such as ngrok and gTunnel to infiltrate private network segments. In some cases, gTunnel was further modified using goreflect, allowing it to execute malicious code directly in the system’s memory. This technique enables attackers to remain hidden and evade traditional detection systems.
Tailored Attacks and Limited Attribution
As of now, there is no clear attribution linking Loki to any specific group of cybercriminals or state-sponsored actors. However, Kaspersky’s experts suggest that the attackers are highly strategic, targeting specific companies with tailored phishing emails rather than relying on mass-distributed templates. This approach indicates a high level of precision and careful planning, as each target is individually studied and attacked.
A Call for Vigilance
The discovery of the Dangerous Loki Backdoor highlights the growing danger of modified open-source tools in cyberattacks. As attackers become more sophisticated in leveraging these frameworks for malicious purposes, companies must remain vigilant. Kaspersky advises businesses to implement advanced threat detection systems and reinforce employee awareness around phishing schemes to protect against evolving threats like Loki.
Also read – Five Tattva Cyberhub Security LLP Bags Two Prestigious Awards for Exceptional Contributions to Cybersecurity
Join our WhatsApp News Channel for quick updates – FYI9 News WhatsApp Channel
