Analyzing the Awaken Likho APT group implant: new tools and techniques

Oct. 7, 2024, 1:03 p.m.

Description

A new campaign by the Awaken Likho APT group targeting Russian government agencies and industrial enterprises was discovered in June 2024. The group has significantly changed its attack methods, now preferring the MeshCentral platform agent instead of UltraVNC for remote access. The implant is delivered via malicious URLs, likely through phishing emails. The new implant uses a self-extracting archive containing multiple files, including a MeshAgent executable and various command scripts. These components work together to establish persistence and maintain a connection with the attackers' command and control server. The group's focus remains on Russian targets, and its tactics continue to evolve.

Date

  • Created: Oct. 7, 2024, 10:46 a.m.
  • Published: Oct. 7, 2024, 10:46 a.m.
  • Modified: Oct. 7, 2024, 1:03 p.m.

Attack Patterns

  • MeshAgent
  • Awaken Likho
  • T1036.004
  • T1053.005
  • T1059.003
  • T1571
  • T1070.004
  • T1105
  • T1204
  • T1566

Additional Information

  • Industrial
  • Government
  • Russian Federation