Awaken Likho APT group targets Russian government with a new implant
October 09, 2024
A threat actor tracked as Awaken Likho is targeting Russian government agencies and industrial entities, reported cybersecurity firm Kaspersky.
A recent investigation by Kaspersky researchers into the APT group Awaken Likho (aka Core Werewolf and PseudoGamaredon) uncovered a new campaign from June to August 2024, showing a shift from UltraVNC to the MeshCentral platform for remote access. The threat actor continues to target Russian government entities and enterprises.
The experts detected a new implant used by the group, the malware was delivered via phishing to gain remote control over systems, shifting from UltraVNC to MeshAgent. The implant was distributed through malicious URLs in phishing emails, while the attackers used methods like self-extracting archives and Golang droppers in previous campaigns. This campaign highlights the group’s continued efforts to refine their remote access strategies.
Awaken Likho observed using the new implant in September 2024, but the analysis of the telemetry revealed that the attackers began using the malware in August 2024.
The Awaken Likho group is now using a 7-Zip self-extracting archive that displays a decoy document while covertly installing the MeshAgent tool. The attack chain involves an SFX archive that unpacks an AutoIt script and executes “MicrosoftStores.exe,” which then launches the tool MeshAgent. The malicious code maintains persistence by setting up a scheduled task to run MeshAgent, enabling a continuous connection to their MeshCentral server.
“This script launches NetworkDrivers.exe (the MeshAgent agent) using PowerShell to interact with the C2 server.” reads the report. “These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server.”
The group Awaken Likho has been active since the onset of the Russo-Ukrainian conflict, the APT has adapted its methods, notably switching from UltraVNC to MeshCentral for remote access. Experts believe the group remains active and is enhancing its operations with new implants. The latest version of their malware has evolved, lacking previous payload-free files and signaling ongoing development. Awaken Likho is expected to continue targeting and infiltrating selected infrastructure in future attacks.
Kaspersky shared Indicators of compromise (IoCs) for the recent attacks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, APT)