Analyzing the Awaken Likho APT group implant: new tools and techniques

Oct. 7, 2024, 1:03 p.m.

Description

A new campaign by the Awaken Likho APT group targeting Russian government agencies and industrial enterprises was discovered in June 2024. The group has significantly changed its attack methods, now preferring the MeshCentral platform agent over UltraVNC for remote access. The implant is delivered via malicious URLs, most likely through phishing emails. The new implant uses a self-extracting archive containing multiple files, including a MeshAgent executable and various command scripts. These components work together to establish persistence and maintain a connection to the attackers' command and control server. The group's focus remains on Russian targets, and its tactics continue to evolve.

Date

Published: Oct. 7, 2024, 10:46 a.m.

Created: Oct. 7, 2024, 10:46 a.m.

Modified: Oct. 7, 2024, 1:03 p.m.

Attack Patterns

MeshAgent

Awaken Likho

T1036.004

T1053.005

T1059.003

T1571

T1070.004

T1105

T1204

T1566

Additional Information

Industrial

Government

Russian Federation