October 8, 2024 at 07:28AM
Russian government agencies and industrial entities are under ongoing cyber attacks by a group tracked as Awaken Likho. Kaspersky reports a new campaign, active since June 2024, that uses the open-source MeshCentral remote-management platform to gain remote access to compromised systems. The attacks primarily target Russian government agencies, their contractors, and industrial enterprises, and rely on spear-phishing that distributes malicious executables disguised as legitimate documents.
The activity is an ongoing APT campaign against Russian government agencies, their contractors, and industrial enterprises. The attack cluster is tracked as Awaken Likho, also known as Core Werewolf and PseudoGamaredon, and has been active since at least August 2021.
The attackers have used spear-phishing emails to distribute malicious executables disguised as Microsoft Word or PDF documents; opening them installs UltraVNC, which gives the threat actors complete control of the compromised host.
Earlier intrusions used a self-extracting archive (SFX) to covertly install UltraVNC while displaying an innocuous lure document to the target. The latest attack chain still starts from an SFX archive, created with 7-Zip, but it now triggers execution of a file named "MicrosoftStores.exe," which unpacks an AutoIt script that ultimately runs the open-source MeshAgent remote-management tool (the agent component of MeshCentral) in place of UltraVNC.
For persistence, the attackers create a scheduled task that runs a command file, which in turn establishes the connection to the attacker-controlled MeshCentral server.
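The process lineage and persistence mechanism described above (SFX lure, MicrosoftStores.exe, AutoIt script, MeshAgent, and a scheduled task running a command file) map directly onto hunting rules over process-creation telemetry. The following is an added example written for this page, not code from Kaspersky or F.A.C.C.T., and it runs over constructed Sysmon-style events rather than real telemetry. Only "MicrosoftStores.exe" comes from the report; the double-extension lure name, the stock AutoIt interpreter name (AutoIt3.exe), the MeshAgent binary name, the 7ZipSfx.000 extraction folder and the task name are assumptions made for illustration.

```python
"""Hunting heuristics for the Awaken Likho MeshAgent chain described above.

Added example, not the researchers' code. Events are constructed Sysmon-style
process-creation records reduced to the fields the heuristics need.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # full path of the created process (Sysmon "Image")
    cmdline: str   # Sysmon "CommandLine"


# Indicators lifted from the write-up: SFX -> MicrosoftStores.exe -> AutoIt -> MeshAgent,
# plus a scheduled task whose action is a command file. All names other than
# MicrosoftStores.exe are assumptions (stock AutoIt interpreter, MeshAgent binary).
LURE_SFX = re.compile(r"\.(pdf|docx?)\.exe$", re.I)   # assumption: double-extension lure name
AUTOIT = re.compile(r"^autoit3?(_x64)?\.exe$", re.I)
MESHAGENT = re.compile(r"^meshagent(32|64)?\.exe$", re.I)
CMDFILE = re.compile(r"\.(cmd|bat)\b", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*?/create\s", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def lineage(by_pid: dict, pid: int) -> list:
    """Image basenames from the process itself up through its logged ancestors."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names


def hunt(procs: list) -> list:
    """Return (rule, pid, evidence) tuples for events matching the described chain."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        chain = lineage(by_pid, p.pid)
        parents = chain[1:]
        parent = by_pid.get(p.ppid)
        # Stage 1: the SFX (lure-named or running from a temp folder) drops MicrosoftStores.exe
        if name.lower() == "microsoftstores.exe" and parents and (
            LURE_SFX.search(parents[0]) or "/temp/" in parent.image.replace("\\", "/").lower()
        ):
            findings.append(("sfx_drops_microsoftstores", p.pid, " <- ".join(chain)))
        # Stage 2: MicrosoftStores.exe unpacks and runs an AutoIt script
        if AUTOIT.search(name) and any(c.lower() == "microsoftstores.exe" for c in parents):
            findings.append(("microsoftstores_runs_autoit", p.pid, " <- ".join(chain)))
        # Stage 3: the AutoIt script launches MeshAgent
        if MESHAGENT.search(name) and any(AUTOIT.search(c) for c in parents):
            findings.append(("autoit_launches_meshagent", p.pid, " <- ".join(chain)))
        # Persistence: a command file (from the scheduled task) brings MeshAgent back up
        if MESHAGENT.search(name) and parent and CMDFILE.search(parent.cmdline):
            findings.append(("cmdfile_launches_meshagent", p.pid, parent.cmdline))
        # Persistence: a scheduled task is created whose action is a .cmd/.bat file
        if SCHTASKS_CREATE.search(p.cmdline) and CMDFILE.search(p.cmdline):
            findings.append(("schtask_runs_cmdfile", p.pid, p.cmdline))
    return findings


# Constructed sample events, not real telemetry. pid 1200 (explorer.exe) and 1000
# (the Task Scheduler service) are not logged, so lineage stops there.
SAMPLE = [
    Proc(4000, 1200, r"C:\Users\ivan\Downloads\Contract_2024.pdf.exe", r'"C:\Users\ivan\Downloads\Contract_2024.pdf.exe"'),
    Proc(4010, 4000, r"C:\Users\ivan\AppData\Local\Temp\7ZipSfx.000\MicrosoftStores.exe", "MicrosoftStores.exe"),
    Proc(4020, 4010, r"C:\Users\ivan\AppData\Local\Temp\7ZipSfx.000\AutoIt3.exe", "AutoIt3.exe update.a3x"),
    Proc(4030, 4020, r"C:\Users\ivan\AppData\Local\Temp\7ZipSfx.000\MeshAgent.exe", "MeshAgent.exe connect"),
    Proc(4040, 4020, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /create /sc minute /mo 10 /tn "MicrosoftStores" /tr "C:\Users\ivan\AppData\Local\Temp\run.cmd"'),
    # later: the task fires, the command file restarts MeshAgent
    Proc(6000, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\ivan\AppData\Local\Temp\run.cmd"'),
    Proc(6010, 6000, r"C:\Users\ivan\AppData\Local\Temp\7ZipSfx.000\MeshAgent.exe", "MeshAgent.exe connect"),
    # benign noise: a real Word document, and an admin scheduling a PowerShell backup script
    Proc(5000, 1200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE report.docx"),
    Proc(5010, 1200, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /create /tn Backup /tr "powershell.exe -File C:\ops\backup.ps1"'),
]

if __name__ == "__main__":
    for rule, pid, evidence in hunt(SAMPLE):
        print(f"{rule:30} pid={pid} {evidence}")
```

Each rule keys on a parent-child relationship rather than a bare file name, so renaming MeshAgent or the AutoIt interpreter defeats only one stage; the scheduled-task rule is the most durable of the five because it keys on the persistence technique itself and fires on any .cmd/.bat task action, which is worth tuning against your own baseline before deploying.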
These findings were detailed by Kaspersky and F.A.C.C.T., and the attacks have targeted various entities including a Russian military base in Armenia and a Russian research institute engaged in weapons development.