Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Awaken Likho APT group targets Russian government with a new implant

A threat actor tracked as Awaken Likho is targeting Russian government agencies and industrial entities, reported cybersecurity firm Kaspersky. A recent investigation by Kaspersky researchers into the APT group Awaken Likho (aka Core Werewolf and PseudoGamaredon) uncovered a new campaign from June to August 2024, showing a shift from UltraVNC to the MeshCentral platform for […]

Awaken Likho

A threat actor tracked as Awaken Likho is targeting Russian government agencies and industrial entities, reported cybersecurity firm Kaspersky.

A recent investigation by Kaspersky researchers into the APT group Awaken Likho (aka Core Werewolf and PseudoGamaredon) uncovered a new campaign from June to August 2024, showing a shift from UltraVNC to the MeshCentral platform for remote access. The threat actor continues to target Russian government entities and enterprises.

The experts detected a new implant used by the group, the malware was delivered via phishing to gain remote control over systems, shifting from UltraVNC to MeshAgent. The implant was distributed through malicious URLs in phishing emails, while the attackers used methods like self-extracting archives and Golang droppers in previous campaigns. This campaign highlights the group’s continued efforts to refine their remote access strategies.

Awaken Likho observed using the new implant in September 2024, but the analysis of the telemetry revealed that the attackers began using the malware in August 2024.

The Awaken Likho group is now using a 7-Zip self-extracting archive that displays a decoy document while covertly installing the MeshAgent tool. The attack chain involves an SFX archive that unpacks an AutoIt script and executes “MicrosoftStores.exe,” which then launches the tool MeshAgent. The malicious code maintains persistence by setting up a scheduled task to run MeshAgent, enabling a continuous connection to their MeshCentral server.

“This script launches NetworkDrivers.exe (the MeshAgent agent) using PowerShell to interact with the C2 server.” reads the report. “These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server.”

The group Awaken Likho has been active since the onset of the Russo-Ukrainian conflict, the APT has adapted its methods, notably switching from UltraVNC to MeshCentral for remote access. Experts believe the group remains active and is enhancing its operations with new implants. The latest version of their malware has evolved, lacking previous payload-free files and signaling ongoing development. Awaken Likho is expected to continue targeting and infiltrating selected infrastructure in future attacks.

Kaspersky shared Indicators of compromise (IoCs) for the recent attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)