Over 100 Ukrainian state and local government computers have been compromised with MeshAgent malware in a phishing campaign leveraging trust in the Security Service of Ukraine (SBU).
The attack, detected by the Computer Emergency Response Team of Ukraine (CERT-UA) on Monday, involved emails that appeared to originate from the SBU. These emails contained a link to download a file named “Documents.zip.”
Clicking the link instead downloaded a Microsoft Software Installer (MSI) file, for example “Scan_docs#40562153.msi”. Opening this MSI file unleashed ANONVNC, also known as MeshAgent malware, which gave attackers potential covert, unauthorized access to infected machines, CERT-UA said.
“As of 12:00 on August 12, 2024, CERT-UA identified more than 100 affected computers, including those operating within state bodies and local self-government bodies of Ukraine.” – CERT-UA
Malware with Familiar Traits
The ANONVNC malware, based on the source code observed by CERT-UA researchers, used a configuration file strikingly similar to the MeshAgent software tool.
MeshAgent is typically a remote management tool that works with the open-source platform MeshCentral. It is compatible with Windows, Linux, macOS, and FreeBSD. Although it is not designed to be malicious, threat actors exploit this tool to establish backdoors on endpoints, allowing remote access through programs like VNC, RDP, or SSH.
Recently, security researchers at Wazuh noted a rise in the misuse of MeshAgent by attackers to maintain persistence on compromised systems and issue remote commands.
Why Threat Actors Use MeshAgent as Malware
- Seamless Connection: Once installed, MeshCentral requires no user intervention to connect with endpoints.
- Unauthorized Access: MeshCentral can access MeshAgent directly or via RDP without the endpoint’s consent.
- System Control: It can wake, restart, or power off endpoints.
- Command and Control: MeshCentral acts as a command server, executing shell commands and transferring files on the endpoint without the user’s knowledge.
- Undetectable Operations: Actions initiated by MeshCentral run under the NT AUTHORITY\SYSTEM account, blending in with routine background tasks.
- Unique File Hashes: Each MeshAgent instance is uniquely generated, making detection by file hash challenging.
Attackers often deploy MeshAgent through phishing emails. Its communication over standard ports like 80 and 443 increases the likelihood of bypassing firewalls.
On a Windows endpoint, MeshAgent typically:
- Launches the MeshCentral background service.
- Connects to the MeshCentral server.
- Establishes a communication channel via pipes.
- Installs using the “-fullinstall” command flag.
- Places its executable at “C:\Program Files\Mesh Agent\MeshAgent.exe”.
- Creates a registry key at “HKLM\System\CurrentControlSet\Services\Mesh Agent” for configuration storage.
- Adds another registry key at “HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MeshAgent”, enabling network access during Safe Mode.
- Modifies Windows services to achieve persistence, including creating a registry key to allow WebRTC traffic through the firewall.
- Executes most actions using the highly privileged NT AUTHORITY\SYSTEM and LocalService accounts.
When reconnecting to MeshCentral, MeshAgent:
- Reestablishes the communication channel.
- Creates a registry key at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MeshUserTask” for scheduling tasks like wake, sleep, and command execution.
If MeshCentral reconnects without permission, it changes the connection manager service from “demand start” to “auto start.”
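A host-level check for the artifacts listed above, as an added example that is not code from CERT-UA or the MeshCentral project. It assumes the default file and registry paths named in the article and that any firewall rule created for the agent carries “Mesh” in its display name (an assumption); on hosts where MeshCentral is legitimately deployed these artifacts are expected, so results should be compared against the asset inventory.

```powershell
# Added example, not code from CERT-UA or the MeshCentral project: audit a
# Windows host for the MeshAgent footprint listed above. Paths are the defaults
# named in the article; the firewall-rule name match is an assumption.
# Run in an elevated PowerShell session.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. File and registry artifacts created at install time.
$paths = @(
    'C:\Program Files\Mesh Agent\MeshAgent.exe',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Mesh Agent',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MeshAgent',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MeshUserTask'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'Artifact' $p 'present' }
}

# 2. Service start type: 2 = Automatic, 3 = Manual (demand start). A switch to
#    Automatic matches the reconnect behaviour described in the article.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Mesh Agent'
if (Test-Path -LiteralPath $svcKey) {
    $svc  = Get-ItemProperty -LiteralPath $svcKey
    $mode = switch ($svc.Start) { 2 { 'Automatic' } 3 { 'Manual' } default { "Start=$_" } }
    Add-Finding 'Service' $svcKey "$mode; ImagePath=$($svc.ImagePath)"
}

# 3. Scheduled task behind the TaskCache\Tree\MeshUserTask key.
$task = Get-ScheduledTask -TaskName 'MeshUserTask' -ErrorAction SilentlyContinue
if ($task) { Add-Finding 'ScheduledTask' $task.TaskPath "State=$($task.State)" }

# 4. Running agent process and its established connections (typically 80/443).
foreach ($proc in Get-Process -Name 'MeshAgent' -ErrorAction SilentlyContinue) {
    Add-Finding 'Process' $proc.Path "PID=$($proc.Id)"
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Connection' "$($_.RemoteAddress):$($_.RemotePort)" "PID=$($proc.Id)" }
}

# 5. Firewall rule for the agent's WebRTC traffic (display-name pattern assumed).
Get-NetFirewallRule -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Mesh*' } |
    ForEach-Object { Add-Finding 'FirewallRule' $_.DisplayName "Enabled=$($_.Enabled)" }

if ($findings.Count -eq 0) { 'No MeshAgent artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Because each MeshAgent build has a unique hash, this artifact-based check is more reliable than hash matching; a Start value of 2 on the service key combined with a MeshUserTask entry is the pattern worth escalating.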
MeshAgent’s source code is publicly available on GitHub, suggesting potential code reuse in the latest campaign. Because of this code similarity, CERT-UA has temporarily named the discovered malware ANONVNC.
Wider Campaign Suspected
The latest campaign is believed to have begun in July 2024 and may extend beyond Ukraine’s borders, according to CERT-UA’s researchers. Analysis of the pCloud file storage service revealed over a thousand EXE and MSI files uploaded since August 1, with some potentially linked to this broader campaign.
Ukraine sprang a surprise attack on Russia in the Kursk region on Aug. 6, and today, for the first time, a top military commander publicly stated that Kyiv’s forces now control over 1,000 square kilometers (approximately 386 square miles) of Russian territory.
“The troops are fulfilling their tasks. Fighting continues actually along the entire front line. The situation is under our control,” Gen. Oleksandr Syrskyi said.
The phishing campaign on Monday that deployed backdoor malware on government computer systems followed this intense Ukrainian offensive, but Kyiv did not name Russia or the Kremlin’s cyber army up front for these targeted attacks. Instead, it attributed the campaign to a threat actor it tracks as UAC-0198.
Russian hackers have previously been found using similar tactics, abusing legitimate remote monitoring and management (RMM) software to spy on Ukraine and its allies. The malicious scripts that downloaded and ran the RMM program on the victims’ computers were hidden among the legitimate Python code of Microsoft’s “Minesweeper” game.
CERT-UA has promptly implemented measures to mitigate the latest cyber threat. Specific details regarding these measures were not disclosed.