Oct 08, 2024Ravie LakshmananCyber Threat / APT Attack

Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho.

“The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems,” Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until August.

The Russian cybersecurity company said the campaign primarily targeted Russian government agencies, their contractors, and industrial enterprises.

Awaken Likho, also tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in connection with cyber attacks directed against defense and critical infrastructure sectors. The group is believed to be active since at least August 2021.

The spear-phishing attacks involve distributing malicious executables disguised as Microsoft Word or PDF documents by assigning them double extensions like “doc.exe,” “.docx.exe,” or “.pdf.exe,” so that only the .docx and .pdf portions of the extension show up for users.

Opening these files, however, has been found to trigger the installation of UltraVNC, thereby allowing the threat actors to gain complete control of the compromised hosts.

Other attacks mounted by Core Werewolf have also singled out a Russian military base in Armenia as well as a Russian research institute engaged in weapons development, per findings from F.A.C.C.T. earlier this May.

One notable change observed in these instances concerns the use of a self-extracting archive (SFX) to facilitate the covert installation of UltraVNC while displaying an innocuous lure document to the targets.

The latest attack chain discovered by Kaspersky also relies on an SFX archive file created using 7-Zip that, when opened, triggers the execution of a file named “MicrosoftStores.exe,” which then unpacks an AutoIt script to ultimately run the open-source MeshAgent remote management tool.

“These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server,” Kaspersky said.