Russian authorities businesses and industrial entities are the goal of an ongoing exercise cluster dubbed Awaken Likho.
“The attackers now desire utilizing the agent for the respectable MeshCentral platform as an alternative of the UltraVNC module, which they’d beforehand used to achieve distant entry to techniques,” Kaspersky mentioned, detailing a brand new marketing campaign that started in June 2024 and continued no less than till August.
The Russian cybersecurity firm mentioned the marketing campaign primarily focused Russian authorities businesses, their contractors, and industrial enterprises.
Awaken Likho, additionally tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in reference to cyber assaults directed towards protection and demanding infrastructure sectors. The group is believed to be energetic since no less than August 2021.
The spear-phishing assaults contain distributing malicious executables disguised as Microsoft Phrase or PDF paperwork by assigning them double extensions like “doc.exe,” “.docx.exe,” or “.pdf.exe,” in order that solely the .docx and .pdf parts of the extension present up for customers.
Opening these information, nonetheless, has been discovered to set off the set up of UltraVNC, thereby permitting the menace actors to achieve full management of the compromised hosts.
Different assaults mounted by Core Werewolf have additionally singled out a Russian army base in Armenia in addition to a Russian analysis institute engaged in weapons growth, per findings from F.A.C.C.T. earlier this Might.
One notable change noticed in these situations issues using a self-extracting archive (SFX) to facilitate the covert set up of UltraVNC whereas displaying an innocuous lure doc to the targets.
The most recent assault chain found by Kaspersky additionally depends on an SFX archive file created utilizing 7-Zip that, when opened, triggers the execution of a file named “MicrosoftStores.exe,” which then unpacks an AutoIt script to finally run the open-source MeshAgent distant administration instrument.
“These actions enable the APT to persist within the system: the attackers create a scheduled job that runs a command file, which, in flip, launches MeshAgent to ascertain a reference to the MeshCentral server,” Kaspersky mentioned.