The Awaken Likho APT group launched a new campaign in June 2024 targeting Russian government agencies and enterprises.
The group has abandoned its earlier use of the UltraVNC module for remote access and adopted the MeshCentral agent instead, which highlights its adaptability and its continued efforts to evade detection and keep its operations running.
The newly identified implant, detected in September 2024, marks a significant departure from the group's earlier techniques.
While the implant was most likely delivered through phishing emails, it deviates from the group's typical use of Golang droppers and self-extracting archives.
It uses MeshAgent, the agent component of the open-source MeshCentral remote device management solution, to establish and maintain control over infected systems, a shift away from the previously used UltraVNC module, which was first observed in August 2024.


Analysis showed that the implant is distributed as a self-extracting archive, packed with UPX and created with 7-Zip.
The archive contains several files, including a CMD file with a randomly generated name and a compiled AutoIt script.
The CMD file launches NetworkDrivers.exe and nKka9a82kjn8KJHA9.cmd, which establish persistence on the system.
Once deobfuscated, the AutoIt script was found to be responsible for launching these executables with specific parameters.


The attackers first launched a legitimate remote administration tool, NetworkDrivers.exe, to gain a foothold on the victim's system.
They then executed a heavily obfuscated batch file, nKka9a82kjn8KJHA9.cmd, which created a scheduled task named MicrosoftEdgeUpdateTaskMachineMS.
The task was designed to run a malicious script, EdgeBrowser.cmd, and then delete incriminating files such as MicrosoftStores.exe, hindering detection and analysis of the attack.


They also abused the legitimate MeshCentral platform to maintain a persistent presence on the compromised system: the scheduled task executed a malicious command file, which in turn launched MeshAgent.
The agent, configured with specific parameters to connect to the C2 server, provided the communication channel and control over the infected system.
Using MeshCentral allowed the attackers to interact with the compromised system remotely and potentially carry out further malicious actions.
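The persistence described in the two paragraphs above relies on a scheduled task whose name imitates the Edge updater's but whose action is a batch file that launches a renamed remote-administration agent. As an added example (not Kaspersky's or this article's code), the following Python script triages scheduled-task XML of the kind exported with `schtasks /Query /TN <name> /XML` and flags tasks that carry an Edge-update-style name but do not point at the Edge updater, run a script file, or reference a user-writable directory. The genuine task name MicrosoftEdgeUpdateTaskMachineCore and the default updater path are stated as assumptions in the code; the lookalike's file paths, the NetworkDriversAgent task name and all three XML samples are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by "schtasks /Query /XML" exports
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: default install location of the genuine Edge updater
EDGE_UPDATER = r"c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe"
# Genuine tasks are MicrosoftEdgeUpdateTaskMachineCore / ...UA; the campaign added ...MS
EDGE_TASK_RE = re.compile(r"^microsoftedgeupdatetaskmachine", re.I)
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".ps1", ".js")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Constructed samples: a genuine-looking Edge task, a lookalike modelled on the
# campaign (paths hypothetical), and a task launching a binary from ProgramData.
SAMPLE_TASKS = {
    "MicrosoftEdgeUpdateTaskMachineCore": r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "MicrosoftEdgeUpdateTaskMachineMS": r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c "C:\ProgramData\EdgeBrowser.cmd"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "NetworkDriversAgent": r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\NetworkDrivers\NetworkDrivers.exe</Command>
    </Exec>
  </Actions>
</Task>""",
}


def exec_action(xml_text):
    """Return (command, arguments) of the task's Exec action, or ('', '') if it has none."""
    root = ET.fromstring(xml_text)
    ex = root.find("t:Actions/t:Exec", NS)
    if ex is None:
        return "", ""
    return (ex.findtext("t:Command", default="", namespaces=NS).strip(),
            ex.findtext("t:Arguments", default="", namespaces=NS).strip())


def triage_task(name, xml_text):
    """Return a list of findings for one task; an empty list means nothing looked off."""
    findings = []
    cmd, args = exec_action(xml_text)
    # Split arguments so that a quoted path with spaces stays one token
    arg_tokens = re.findall(r'"[^"]*"|\S+', args)
    tokens = [t.strip('"').lower() for t in [cmd] + arg_tokens]
    if EDGE_TASK_RE.match(name) and tokens[0] != EDGE_UPDATER:
        findings.append(f"Edge-update-style name but action is {cmd} rather than the Edge updater")
    if any(t.endswith(SCRIPT_EXT) for t in tokens):
        findings.append("action runs a script file")
    if any(t.startswith(USER_WRITABLE) for t in tokens):
        findings.append("action references a user-writable location")
    return findings


def run_triage(tasks=SAMPLE_TASKS):
    """Triage every task; returns {task name: [findings]}."""
    return {name: triage_task(name, xml) for name, xml in tasks.items()}


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(("SUSPICIOUS" if findings else "ok        ") + " " + name)
        for f in findings:
            print("             - " + f)
```

On a live host, feed `run_triage` a dictionary built from `schtasks /Query /XML` output for each task name; the name check only covers the Edge-updater lookalike from this campaign, while the script-file and user-writable-path checks apply to any task and are what catch a renamed agent such as NetworkDrivers.exe.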


According to Securelist, the Awaken Likho APT group, known for its increased activity since the start of the Russo-Ukrainian conflict, has recently carried out a cyberattack targeting Russian government agencies, contractors, and industrial enterprises.
The analyzed implant, a newer version of the group's malware, points to ongoing development and the potential for future attacks, and underscores the need for robust security controls to protect corporate assets against evolving threats.