Today > | 2 Medium vulnerabilities   -   You can now download lists of IOCs here!

CheckMesh: Hidden Threats in Your FW

Aug. 5, 2024, 9:05 a.m.

Description

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.

Date

Published: Aug. 5, 2024, 8:43 a.m.

Created: Aug. 5, 2024, 8:43 a.m.

Modified: Aug. 5, 2024, 9:05 a.m.

Indicators

MeshAgent_Config

MeshAgent_ELF

460acbb38b0bdb3d227de65010b1a323f448ec196860ce4979c0b8314763eb56

3840acb15880f6cb0a77347d4a3893c5a3fbfcc2167bd5e3f86e2ce0f7cdbf19

1134af27bea8518c62444a56f4bd4bcc95db40a9bb6132688cf31515da08b9aa

78.141.238.182

http://api.gupdate.net:443/agent.ashx

api.gupdate.net

gupdate.net

Attack Patterns

MeshAgent

LilacSquid

T1216

T1211

T1087

T1127

T1005

T1021

T1070

T1547

T1518

T1082

T1083

T1543

T1219

T1132

T1027

T1053

T1190

T1078

T1068

T1059

Additional Informations

Israel