CheckMesh: Hidden Threats in Your FW

Aug. 5, 2024, 9:05 a.m.

Description

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.

Date

  • Created: Aug. 5, 2024, 8:43 a.m.
  • Published: Aug. 5, 2024, 8:43 a.m.
  • Modified: Aug. 5, 2024, 9:05 a.m.

Indicators

  • MeshAgent_Config
  • MeshAgent_ELF

Attack Patterns

Additional Information

  • Israel