Russian authorities businesses and industrial entities are the goal of an ongoing exercise cluster dubbed Awaken Likho.
“The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems,” Kaspersky stated, detailing a brand new marketing campaign that started in June 2024 and continued not less than till August.
The Russian cybersecurity firm stated the marketing campaign primarily focused Russian authorities businesses, their contractors, and industrial enterprises.
Awaken Likho, additionally tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in reference to cyber assaults directed in opposition to protection and significant infrastructure sectors. The group is believed to be lively since not less than August 2021.
The spear-phishing assaults contain distributing malicious executables disguised as Microsoft Phrase or PDF paperwork by assigning them double extensions like “doc.exe,” “.docx.exe,” or “.pdf.exe,” in order that solely the .docx and .pdf parts of the extension present up for customers.
Opening these information, nonetheless, has been discovered to set off the set up of UltraVNC, thereby permitting the risk actors to achieve full management of the compromised hosts.
Different assaults mounted by Core Werewolf have additionally singled out a Russian navy base in Armenia in addition to a Russian analysis institute engaged in weapons improvement, per findings from F.A.C.C.T. earlier this Could.
One notable change noticed in these situations considerations using a self-extracting archive (SFX) to facilitate the covert set up of UltraVNC whereas displaying an innocuous lure doc to the targets.
The newest assault chain found by Kaspersky additionally depends on an SFX archive file created utilizing 7-Zip that, when opened, triggers the execution of a file named “MicrosoftStores.exe,” which then unpacks an AutoIt script to finally run the open-source MeshAgent distant administration software.
“These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server,” Kaspersky stated.
