JAKARTA - Kaspersky experts have found a previously unknown version of the Loki backdoor, which has been used in a series of targeted attacks on at least 12 companies in Russia.

According to the global cybersecurity firm, the attacks targeted various industries, including engineering and healthcare, using the Backdoor.Win64.MLoki malware, a private version of the agent for Mythic, an open-source post-exploitation framework.

Loki reaches the victim's computer via phishing emails with malicious attachments that unsuspecting users open themselves.

Once installed, Loki gives attackers extensive control over compromised systems, including managing Windows access tokens, injecting code into running processes, and transferring files between infected machines and command-and-control servers.

"The popularity of open-source post-exploitation frameworks is increasing, and while this is beneficial for improving infrastructure security, we see attackers increasingly adopting and modifying these frameworks to deploy malware," said Artem Ushkov, a research developer at Kaspersky.

According to him, Loki is the latest example of attackers testing and deploying various frameworks for malicious purposes and modifying them to hinder detection and attribution.

The Loki agent itself does not support traffic tunneling, so the attackers use publicly available utilities such as ngrok and gTunnel to reach private network segments.

Currently, there is not enough data to link Loki to any known threat actor group. However, Kaspersky's analysis shows that the attackers approach each target individually rather than relying on standard phishing email templates.
