CheckMesh: Hidden Threats in Your FW
Aug. 5, 2024, 9:05 a.m.
Description
This report examines an advanced cyber-attack on an Israeli enterprise in which a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. Disguised as a legitimate process, the implant established encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and turning the firewall into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.
Date
Published: Aug. 5, 2024, 8:43 a.m.
Created: Aug. 5, 2024, 8:43 a.m.
Modified: Aug. 5, 2024, 9:05 a.m.
Indicators
MeshAgent_Config
MeshAgent_ELF
Attack Patterns
MeshAgent
LilacSquid
T1216
T1211
T1087
T1127
T1005
T1021
T1070
T1547
T1518
T1082
T1083
T1543
T1219
T1132
T1027
T1053
T1190
T1078
T1068
T1059
Additional Information
Israel