Cyber Security News

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with the intention of targeting Russian government agencies and businesses by targeting them.

The group has abandoned its previous use of the UltraVNC module for remote access and adopted the MeshCentral agent instead, which highlights its adaptability and continuous efforts to evade detection and maintain its operations.

The newly identified implant, detected in September 2024, exhibits a significant departure from the group’s previous tactics.

While the implant was likely delivered via phishing emails, it deviates from the typical use of Golang droppers and self-extracting archives.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

It utilizes MeshAgent, an open-source remote device management solution, to establish and maintain control over infected systems, marking a shift from the previously used UltraVNC module, which was first observed in August 2024.

Implant archive contents

The analysis revealed that the implant is distributed in a self-extracting archive packed with UPX and created using 7-Zip.

The archive contains several files, including a CMD file with a randomly generated name and a compiled AutoIt script. 

Where the CMD file is used to launch NetworkDrivers.exe and nKka9a82kjn8KJHA9.cmd, ensuring persistence in the system.

After being deobfuscated, the AutoIt script was found to be responsible for launching these executables with specific parameters.

Extracted AutoIt script

The attackers initially launched a legitimate remote administration tool, NetworkDrivers.exe, to establish a foothold in the victim’s system.

Subsequently, they executed a heavily obfuscated batch file, nKka9a82kjn8KJHA9.cmd, which created a scheduled task named MicrosoftEdgeUpdateTaskMachineMS. 

It was designed to run a malicious script, EdgeBrowser.cmd, and then delete incriminating files like MicrosoftStores.exe, thereby hindering detection and analysis of the attack.

Part of the obfuscated contents of nKka9a82kjn8KJHA9.cmd

They also leveraged a legitimate MeshCentral platform to establish a persistent presence on the compromised system by creating a scheduled task that executed a malicious command file, which in turn launched the MeshAgent agent. 

This agent, configured with specific parameters to connect to the C2 server, facilitated communication and control over the infected system.

The attackers’ use of MeshCentral allowed them to interact with the compromised device remotely and potentially execute further malicious actions.

MeshCentral platform login interface

According to Secure List, the APT group Awaken Likho, known for its increased activity since the Russo-Ukrainian conflict, has recently executed a cyberattack targeting Russian government agencies, contractors, and industrial enterprises. 

The analyzed implant, a newer version of their malware, indicates their ongoing development and potential for future attacks and underscores the need for robust cybersecurity solutions to safeguard corporate resources against evolving threats.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

12 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

13 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

14 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

14 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

3 days ago