October 9, 2024
Severity
High
Analysis Summary
Russian government agencies and industrial enterprises are the focus of an ongoing activity cluster named Awaken Likho. The attackers previously used the UltraVNC module to obtain remote access to systems, but now they use the agent of the legitimate MeshCentral platform instead.
The researchers said the campaign primarily targeted Russian government organizations, their contractors, and industrial enterprises. Awaken Likho, which is also known by the aliases Core Werewolf and PseudoGamaredon, was first identified in June 2023 in connection with cyberattacks on the defense and critical infrastructure sectors. The group is believed to have been operating since August 2021 at the latest.
In spear-phishing attacks, malicious executables masquerading as Microsoft Word or PDF documents are distributed under names with multiple extensions, such as ".doc.exe", ".docx.exe" or ".pdf.exe", so that users see only the .docx or .pdf portion of the name. Opening one of these files installs UltraVNC, giving the threat actors full control over the compromised computer.
In May this year, Core Werewolf also targeted a Russian military installation in Armenia and a Russian research institute involved in weapons development. A noteworthy variation seen in those cases was the use of a self-extracting archive (SFX) to install UltraVNC silently while presenting the target with a harmless decoy document.
The most recent attack chain uncovered by the researchers likewise relies on an SFX archive created with 7-Zip. When the archive is opened, it launches a file named "MicrosoftStores.exe", which unpacks an AutoIt script that launches the open-source MeshAgent remote management tool. The attackers then create a scheduled task that executes a command file, which in turn starts MeshAgent and connects it to the MeshCentral server, giving the APT persistence on the system.
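As an added defensive example (not code from the advisory or from any vendor), the following Python flags the two artefacts described above: double-extension lure filenames, and a scheduled task that runs a command file alongside process records for MeshAgent or the SFX launcher. The key=value record shape and the sample lines are constructed for this example, loosely modelled on Windows Security event 4698 (task created) and Sysmon event 1 (process created); the extension lists are assumptions.

```python
import re
from typing import Dict, List

# Lure document extensions and executable extensions assumed for this example.
DOC_EXTS = r"(?:doc|docx|pdf|xls|xlsx|rtf)"
EXEC_EXTS = r"(?:exe|scr|com|pif)"
DOUBLE_EXT = re.compile(rf"\.{DOC_EXTS}\.{EXEC_EXTS}$", re.IGNORECASE)

# Constructed key=value record shapes (not a real log format) for a
# scheduled-task creation event and a process-creation event.
TASK_RE = re.compile(r"EventID=4698 .*?TaskName=(?P<task>\S+) .*?Command=(?P<cmd>\S+)")
PROC_RE = re.compile(r"EventID=1 .*?Image=(?P<image>\S+) .*?ParentImage=(?P<parent>\S+)")

def is_double_extension_lure(filename: str) -> bool:
    """True for names such as 'invoice.pdf.exe' or 'order.docx.exe', where the
    visible document extension hides the executable one."""
    return DOUBLE_EXT.search(filename.strip()) is not None

def find_suspicious_events(lines: List[str]) -> List[Dict[str, str]]:
    """Flag scheduled tasks that run a command file, and processes that are
    MeshAgent, the SFX launcher named in the advisory, or a child of a
    double-extension lure."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = TASK_RE.search(line)
        if m and m.group("cmd").lower().endswith((".cmd", ".bat")):
            hits.append({"reason": "scheduled task runs command file",
                         "task": m.group("task"), "command": m.group("cmd")})
            continue
        m = PROC_RE.search(line)
        if not m:
            continue
        image, parent = m.group("image"), m.group("parent")
        name = image.lower().rsplit("\\", 1)[-1]  # basename of the image path
        if name in ("meshagent.exe", "microsoftstores.exe") or is_double_extension_lure(parent):
            hits.append({"reason": "suspicious process chain",
                         "image": image, "parent": parent})
    return hits

# Constructed sample records; only three of them should be flagged.
SAMPLE_LINES = [
    r"EventID=1 Image=C:\Users\alice\Downloads\MicrosoftStores.exe ParentImage=C:\Users\alice\Downloads\report.pdf.exe",
    r"EventID=4698 Subject=CORP\alice TaskName=\MicrosoftUpdate Command=C:\Users\Public\start.cmd",
    r"EventID=4698 Subject=CORP\admin TaskName=\Backup Command=C:\Tools\backup.exe",
    r"EventID=1 Image=C:\ProgramData\MeshAgent\MeshAgent.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe",
]
```

Running `find_suspicious_events(SAMPLE_LINES)` returns three hits: the SFX launcher spawned by the lure, the task pointing at start.cmd, and the MeshAgent process.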
Impact
- Unauthorized Access
- Command Execution
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- kwazindernuren.com
IP
- 38.180.101.12
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade all platforms and software on time, and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.