Cyberattack Group ‘Awaken Likho’ Targets Russian Authorities with Superior Instruments

Oct 08, 2024Ravie LakshmananCyber Menace / APT Assault

Russian authorities businesses and industrial entities are the goal of an ongoing exercise cluster dubbed Awaken Likho.

“The attackers now desire utilizing the agent for the reputable MeshCentral platform as a substitute of the UltraVNC module, which they’d beforehand used to realize distant entry to techniques,” Kaspersky said, detailing a brand new marketing campaign that started in June 2024 and continued no less than till August.

The Russian cybersecurity firm stated the marketing campaign primarily focused Russian authorities businesses, their contractors, and industrial enterprises.

Awaken Likho, additionally tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in reference to cyber assaults directed in opposition to protection and significant infrastructure sectors. The group is believed to be energetic since no less than August 2021.

The spear-phishing assaults contain distributing malicious executables disguised as Microsoft Phrase or PDF paperwork by assigning them double extensions like “doc.exe,” “.docx.exe,” or “.pdf.exe,” in order that solely the .docx and .pdf parts of the extension present up for customers.

Opening these recordsdata, nonetheless, has been discovered to set off the set up of UltraVNC, thereby permitting the menace actors to realize full management of the compromised hosts.

Different assaults mounted by Core Werewolf have additionally singled out a Russian navy base in Armenia in addition to a Russian analysis institute engaged in weapons growth, per findings from F.A.C.C.T. earlier this Could.

One notable change noticed in these situations considerations using a self-extracting archive (SFX) to facilitate the covert set up of UltraVNC whereas displaying an innocuous lure doc to the targets.

The most recent assault chain found by Kaspersky additionally depends on an SFX archive file created utilizing 7-Zip that, when opened, triggers the execution of a file named “MicrosoftStores.exe,” which then unpacks an AutoIt script to in the end run the open-source MeshAgent distant administration device.

“These actions permit the APT to persist within the system: the attackers create a scheduled activity that runs a command file, which, in flip, launches MeshAgent to ascertain a reference to the MeshCentral server,” Kaspersky stated.