Cyberattack Group ‘Awaken Likho’ Targets Russian Government with Advanced Tools

Siva Ramakrishnan
Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho. “The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems,” Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until

Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho.

“The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems,” Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until August.

The Russian cybersecurity company said the campaign primarily targeted Russian government agencies, their contractors, and industrial enterprises.

Awaken Likho, also tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in connection with cyber attacks directed against defense and critical infrastructure sectors. The group is believed to be active since at least August 2021.

The spear-phishing attacks involve distributing malicious executables disguised as Microsoft Word or PDF documents by assigning them double extensions like “doc.exe,” “.docx.exe,” or “.pdf.exe,” so that only the .docx and .pdf portions of the extension show up for users.

Opening these files, however, has been found to trigger the installation of UltraVNC, thereby allowing the threat actors to gain complete control of the compromised hosts.

Other attacks mounted by Core Werewolf have also singled out a Russian military base in Armenia as well as a Russian research institute engaged in weapons development, per findings from F.A.C.C.T. earlier this May.

One notable change observed in these instances concerns the use of a self-extracting archive (SFX) to facilitate the covert installation of UltraVNC while displaying an innocuous lure document to the targets.

The latest attack chain discovered by Kaspersky also relies on an SFX archive file created using 7-Zip that, when opened, triggers the execution of a file named “MicrosoftStores.exe,” which then unpacks an AutoIt script to ultimately run the open-source MeshAgent remote management tool.

“These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server,” Kaspersky said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

New Case Study: The Evil Twin Checkout Page

Next Post

Southeast Asian cyber-fraud industry ‘outpacing’ law enforcement with new tools: UN

Related Posts

Dutch DPA Fines Netflix €4.75 Million for GDPR Violations Over Data Transparency

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020. An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data
Avatar
Read More