Loki: a new private agent for the popular Mythic framework
2024-9-9 15:15:14 Author: securelist.com(查看原文) 阅读量:14 收藏

In July 2024, we discovered the previously unknown Loki backdoor, which was used in a series of targeted attacks. By analyzing the malicious file and open sources, we determined that Loki is a private version of an agent for the open-source Mythic framework.

One of the agent's decrypted strings

One of the agent’s decrypted strings

Our solutions detect this threat as Backdoor.Win64.MLoki to differentiate it from other malware families with the same name, such as Loki Bot, Loki Locker, and others.

Mythic Framework

In 2018, developer Cody Thomas created his own open-source framework called Apfell for post-exploitation of compromised macOS systems. Two years later, several developers joined the project, the framework became cross-platform, and was renamed Mythic. The main problems with existing frameworks at the time were the inconvenience of creating different agents (clients), the lack of a unified interface for managing them, and no support for modularity. The advantage of Mythic is that it allows the use of agents in any language, for any platform, with the required functionality. At the time of writing, around two dozen agents have been published in the official Mythic repository.

Technical details

The Loki agent we discovered is a Mythic-compatible version of the agent for another framework, Havoc. The Loki modification inherited various techniques from Havoc to complicate analysis of the agent, such as encrypting its memory image, indirectly calling system API functions, searching for API functions by hashes, and more. However, unlike the agent for Havoc, Loki was split into a loader and a DLL, where main functionality of the malware is implemented.

Both versions of the agent use the djb2 hashing algorithm to obscure API functions and commands. However, in the Mythic version, this was slightly modified. The Havoc agent used Daniel Bernstein’s original magic number, 5381, but in Loki, this was replaced with 2231.

unsigned long

hash(unsigned char *str)

{

    unsigned long hash = 2231;

    int c;

    while (c = *str++)

        hash = ((hash << 5) + hash) + c; /* hash * 33 + c */

    return hash;

}

Loader functionality

Upon execution, the Loki loader generates a packet containing information about the infected system, such as the OS version, internal IP address, username, processor architecture, the path to the current process and its ID, and sends it encrypted to the command-and-control (С2) server at https://y[.]nsitelecom[.]ru/certcenter. In response, the server sends a DLL, which the loader places in the infected device’s memory – command processing and further communication with the C2 server occur within this library. We will now look at two versions of the loader, whose activity was observed in May and July.

May loader version

MD5 375CFE475725CAA89EDF6D40ACD7BE70
SHA1 8326B2B0569305254A8CE9F186863E09605667E7
SHA256 81801823C6787B737019F3BD9BD53F15B1D09444F0FE95FAD9B568F82CC7A68D
Compilation time: 13:50 23.05.2024
Compiler GNU Binutils 2.31
File type Windows x64 executable
File size 92,328 bytes
File name смета_27.05.2024.exe

July loader version

MD5 46505707991E856049215A09BF403701
SHA1 21CDDE4F6916F7E4765A377F6F40A82904A05431
SHA256 FF605DF63FFE6D7123AD67E96F3BC698E50AC5B982750F77BBC75DA8007625BB
Compilation time: 11:23 25.07.2024
Compiler GNU Binutils 2.31
File type Windows x64 executable
File size 92,672 bytes
File name winit.exe

The loader version observed in May differs slightly from the July sample. For example, the earlier version uses the protobuf protocol for data serialization, while the new one partially mimics the behavior of the Ceos agent.

Both versions use the same algorithms for data encryption: first, the collected information is encrypted with the AES algorithm, then encoded with base64. However, the old version sends a 36-character UUID in plaintext along with the encrypted data, while the new one encodes it using base64.

An example of the data sent before encryption by the July version of Loki, with the UUID visible on the right

An example of the data sent before encryption by the July version of Loki, with the UUID visible on the right

Each instance of the malware has a unique UUID. The May sample used the identifier 86cd8a56-1657-42ce-a0e8-587bf8144c05, while the July version used 472719a8-e1ce-4a5c-9ab2-bb4d1139ae33.

Traffic from the July version after AES and base64 encryption

Traffic from the July version after AES and base64 encryption

Traffic from the May version after encryption with plaintext UUID

Traffic from the May version after encryption with plaintext UUID

As a result of the first request to the C2 server, the server returns a payload in the form of a DLL with two exported functions: the standard entry point DllMain and the Start function, which the loader calls to transfer further control to the library.

Main module functionality

At the time of discovery, it was no longer possible to download the payload from the aforementioned server. However, through detailed analysis, we found around 15 other versions of the loader and two active C2 servers, and eventually obtained a sample of the main module from the May version.

MD5 EB7886DDC6D28D174636622648D8E9E0
SHA1 98CFFA5906ADB7BBBB9A6AA7C0BF18587697CF10
SHA256 AA544118DEB7CB64DED9FDD9455A277D0608C6985E45152A3CBB7422BD9DC916
Compilation time: 12:00 03.05.2024
Compiler GNU Binutils 2.31
File type Windows x64 executable
File size 167424 bytes
File name stagger_1.1.dll

The main module, like the loader, is based on the Havoc version of the agent, but the list of supported commands is partially borrowed from other Mythic agents. This list is not stored in plain text within the DLL; instead, a series of hashes is specified in the library code. When a command is received from the server, its name is hashed and compared with the hash stored in the DLL.

Processing command hashes

Processing command hashes

Hash Command name Description
0x00251B5E cd Change the current directory
0x36D4696F kill-process Terminate a specified process
0x03A9CB57 create-process Create a process
0x04C8848E bof Launch a Beacon Object File
0x04C89140 env Display a list of environment variables and their values
0x04C8C122 pwd Show the current directory
0x5A2DE070 sleep Change the interval between C2 requests
0x5A41B798 token Manage Windows access tokens
0x7BD1668F download Send a file from the infected machine to the server
0x88BD45B4 inject Inject code into an already running process
0x9DDAE271 exit Terminate the agent process
0xA4E0A13C upload Send a file from the server to the infected machine

Tools for tunneling traffic

The agent itself does not support traffic tunneling, so to access private network segments, attackers use third-party publicly available utilities. On several infected machines, the ngrok utility was found in the directory with the Loki loader. In other cases, instances of the gTunnel utility were discovered running in the context of the svchost.exe and runtimebroker.exe system processes. Notably, unlike ngrok, it was modified using goReflect to load and execute in memory, not from disk.

Victims and distribution

Over a dozen of Russian companies from various industries, including engineering and healthcare, have encountered this threat. However, we believe the number of potential victims may be higher. Based on telemetry and the names of files in which the malware was detected (such as “смета_27.05.2024.exe”, “На_согласование_публикации_<предприятие>.rar”, “ПЕРЕЧЕНЬ_ДОКУМЕНТОВ.ISO”, etc. – referring to an estimate, a publication approval for a specific enterprise, or a list of documents), we can assume that in several cases, Loki reaches victims’ computers via email, with an unsuspecting user launching the file themselves.

Attribution

At the time of research, there is insufficient data to attribute Loki to any known group. Instead of using standard email templates to spread the agent, the attackers likely approach each target individually. We also did not find any unique tools on the infected machines that could help with attribution. Attackers seem to prioritize using only publicly available utilities for traffic tunneling, such as gTunnel and ngrok, and the goReflect tool for modifying them.

Conclusion

The popularity of open-source post-exploitation frameworks is growing. Although they are primarily useful for enhancing infrastructure security, attackers are increasingly testing and applying various frameworks to control their victims’ devices remotely and modifying them for their own purposes, such as to make detection and attribution more difficult.

Indicators of compromise

July loader version
46505707991e856049215a09bf403701

May loader version
f0b6e7c0f0829134fe73875fadf3942f
796bdba64736a0bd6d2aafe773acba52
5ec03e03b908bf76c0bae7ec96a2ba83
0632799171501fbeeba57f079ea22735
97357d0f1bf2e4f7777528d78ffeb46e
f2132a3e82c2069eb5d949e2f1f50c94
7f85e956fc69e6f76f72eeaf98aca731
375cfe475725caa89edf6d40acd7be70
dff5fa75d190dde0f1bd22651f8d884d
05119e5ffceb21e3b447df49b52ab608
724c8e3fc74dde15ccd6441db460c4e4
834f7e48aa21c18c0f6e5285af55b607
e8b110b51f45f2d64af6619379aeef62

Main module
eb7886ddc6d28d174636622648d8e9e0

gTunnel
1178e7ff9d4adfe48064c507a299a628
dd8445e9b7daced487243ecba2a5d7a8

ngrok
4afad607f9422da6871d7d931fe63402

C2 addresses:
http://y[.]nsitelecom[.]ru/certcenter
http://document[.]info-cloud[.]ru/data
http://ui[.]telecomz[.]ru/data


文章来源: https://securelist.com/loki-agent-for-mythic/113596/
如有侵权请联系:admin#unsafe.sh