Likho Hackers Using MeshCentral For Remotely Managing Victim Systems


The Awaken Likho APT group launched a new campaign in June of 2024 with the intention of targeting Russian government agencies and businesses by targeting them.

The group has abandoned its previous use of the UltraVNC module for remote access and adopted the MeshCentral agent instead, which highlights its adaptability and continuous efforts to evade detection and maintain its operations.

The newly identified implant, detected in September 2024, exhibits a significant departure from the group’s previous tactics.

– Advertisement –
EHA

While the implant was likely delivered via phishing emails, it deviates from the typical use of Golang droppers and self-extracting archives.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

It utilizes MeshAgent, an open-source remote device management solution, to establish and maintain control over infected systems, marking a shift from the previously used UltraVNC module, which was first observed in August 2024.

Implant archive contents

The analysis revealed that the implant is distributed in a self-extracting archive packed with UPX and created using 7-Zip.

The archive contains several files, including a CMD file with a randomly generated name and a compiled AutoIt script. 

Where the CMD file is used to launch NetworkDrivers.exe and nKka9a82kjn8KJHA9.cmd, ensuring persistence in the system.

After being deobfuscated, the AutoIt script was found to be responsible for launching these executables with specific parameters.

Extracted AutoIt script

The attackers initially launched a legitimate remote administration tool, NetworkDrivers.exe, to establish a foothold in the victim’s system.

Subsequently, they executed a heavily obfuscated batch file, nKka9a82kjn8KJHA9.cmd, which created a scheduled task named MicrosoftEdgeUpdateTaskMachineMS. 

It was designed to run a malicious script, EdgeBrowser.cmd, and then delete incriminating files like MicrosoftStores.exe, thereby hindering detection and analysis of the attack.

Part of the obfuscated contents of nKka9a82kjn8KJHA9.cmd

They also leveraged a legitimate MeshCentral platform to establish a persistent presence on the compromised system by creating a scheduled task that executed a malicious command file, which in turn launched the MeshAgent agent. 

This agent, configured with specific parameters to connect to the C2 server, facilitated communication and control over the infected system.

The attackers’ use of MeshCentral allowed them to interact with the compromised device remotely and potentially execute further malicious actions.

MeshCentral platform login interface

According to Secure List, the APT group Awaken Likho, known for its increased activity since the Russo-Ukrainian conflict, has recently executed a cyberattack targeting Russian government agencies, contractors, and industrial enterprises. 

The analyzed implant, a newer version of their malware, indicates their ongoing development and potential for future attacks and underscores the need for robust cybersecurity solutions to safeguard corporate resources against evolving threats.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar



Source link