Loki

pinkman

Loki is designed to inject a backdoor into Electron applications by replacing their JavaScript files with Loki's C2 server files. This allows application control mechanisms to be bypassed, since they trust signed, vulnerable Electron applications to execute code on the target system.

Electron enables the development of cross-platform desktop applications using web technologies such as JavaScript, HTML, and CSS. Since such applications execute JavaScript code at runtime, attackers can modify these files to inject arbitrary Node.js code into the application process, allowing interaction with the operating system via the Node.js and Chromium APIs.

Features

- Uses Azure Storage Blobs for the C2 channel.
  - All C2 messages are AES encrypted with dynamically created AES keys.
  - SAS token to protect the C2 storage account.
- Proxy-aware agent.
  - Uses Chromium renderer child processes for the agent, shellcode execution, and assembly fork-n-run style execution, so it inherits the proxy-aware capabilities of Chromium.
- Teamserver-less.
  - Unlike traditional C2s, where agents send messages to a Teamserver, there is no Teamserver.
  - The GUI client and agents both check in to the same data store for commands and output.
- Hidden window; does not show in the taskbar after execution, the Loki process runs in the background.
- Can stay alive for months, calling back until the computer is restarted.
- Robust exception handling in the kernel process: if the agent child process dies from an exception or bug, the kernel spawns a new agent process.

OS: Windows
Download:
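The defensive counterpart to the technique described above, as an added example that is not part of the post or of the Loki project: because the backdoor leaves the signed executable intact and only swaps the JavaScript under the app's resources directory, a signature check on the binary still passes, while a hash baseline of the script files themselves catches the swap. File names, directory layout and the tampered content are constructed for the demo.

```python
# Added example (not Loki's code): integrity baseline for an Electron app's
# script payload. A Loki-style backdoor leaves the signed .exe intact and swaps
# the JavaScript under <app>/resources, so a signature check on the binary
# still passes; hashing the scripts themselves catches the swap.
import hashlib
import tempfile
from pathlib import Path

# Content Electron loads and executes; app.asar is the usual packaging.
SCRIPT_SUFFIXES = {".js", ".mjs", ".cjs", ".asar", ".html"}

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(resources_dir) -> dict:
    """Map each script file under resources/ (relative POSIX path) to its SHA-256."""
    root = Path(resources_dir)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }

def verify_baseline(resources_dir, baseline: dict) -> dict:
    """Report scripts modified, added or removed since the baseline was taken."""
    current = build_baseline(resources_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline a tiny app, then tamper with its scripts."""
    with tempfile.TemporaryDirectory() as d:
        res = Path(d) / "resources"
        (res / "app").mkdir(parents=True)
        (res / "app" / "main.js").write_text("require('./renderer')\n")
        (res / "app" / "renderer.js").write_text("console.log('hi')\n")
        (res / "icon.png").write_bytes(b"\x89PNG")  # not executable content, ignored
        baseline = build_baseline(res)
        # Simulate the swap: main.js replaced, an extra script dropped alongside.
        (res / "app" / "main.js").write_text("// constructed tampered content\n")
        (res / "app" / "injected.js").write_text("// constructed extra file\n")
        return verify_baseline(res, baseline)
```

Run `build_baseline` once on a freshly installed copy and store the result; re-running `verify_baseline` from a scheduled job or an EDR script flags the exact files a swap touched.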
 