Article Details
Scrape Timestamp (UTC): 2024-10-08 11:20:36.212
Source: https://thehackernews.com/2024/10/cyberattack-group-awaken-likho-targets.html
Original Article Text
Click to Toggle View
Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools. Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho. "The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems," Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until August. The Russian cybersecurity company said the campaign primarily targeted Russian government agencies, their contractors, and industrial enterprises. Awaken Likho, also tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in connection with cyber attacks directed against defense and critical infrastructure sectors. The group is believed to be active since at least August 2021. The spear-phishing attacks involve distributing malicious executables disguised as Microsoft Word or PDF documents by assigning them double extensions like "doc.exe," ".docx.exe," or ".pdf.exe," so that only the .docx and .pdf portions of the extension show up for users. Opening these files, however, has been found to trigger the installation of UltraVNC, thereby allowing the threat actors to gain complete control of the compromised hosts. Other attacks mounted by Core Werewolf have also singled out a Russian military base in Armenia as well as a Russian research institute engaged in weapons development, per findings from F.A.C.C.T. earlier this May. One notable change observed in these instances concerns the use of a self-extracting archive (SFX) to facilitate the covert installation of UltraVNC while displaying an innocuous lure document to the targets. The latest attack chain discovered by Kaspersky also relies on an SFX archive file created using 7-Zip that, when opened, triggers the execution of a file named "MicrosoftStores.exe," which then unpacks an AutoIt script to ultimately run the open-source MeshAgent remote management tool. "These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server," Kaspersky said.
Daily Brief Summary
Awaken Likho, also known as Core Werewolf and PseudoGamaredon, has been actively targeting Russian government entities and industrial sectors since at least August 2021.
Recent campaigns, identified by Kaspersky, began in June 2024 and show a shift in tactics, including the use of MeshCentral to replace previously utilized UltraVNC for remote system access.
The attacks predominantly employ spear-phishing methods, where malicious executables camouflaged as legitimate documents (.doc or .pdf) are sent to infiltrate systems.
These attacks often culminate in the installation of remote access tools that grant attackers full control over compromised hosts.
Among targeted entities are Russian military bases, governmental agencies, their contractors, and critical infrastructure providers.
The attackers have innovated by using self-extracting archives to stealthily install malware while presenting a benign document to deceive the target.
Kaspersky reports that MeshAgent is installed via a scheduled command task, resulting in persistent system access connected to an external command and control server.