The Advanced Persistent Threat (APT) group Awaken Likho, also known as Core Werewolf, has launched a new wave of cyberattacks aimed at Russian government agencies and industrial enterprises. Active since 2021 and closely monitored by security researchers, the group recently altered its methods, moving from the UltraVNC module to MeshAgent, the agent component of MeshCentral, a legitimate remote device management tool.
The campaign, which began in June 2024 and persisted until at least August, demonstrated a significant change in the group's strategy. Historically, Awaken Likho relied on UltraVNC to gain remote access to compromised systems.
However, investigators observed the group's shift to MeshCentral, an open-source remote device management platform. MeshCentral's legitimate use case, remote device management for organisations, gives the attackers a more discreet and sophisticated means of maintaining access to their targets, since its traffic and binaries look like ordinary administration tooling.
According to telemetry gathered during the investigation, the APT group delivered its payload through phishing emails. Although the original emails weren’t obtained, previous campaigns leveraged self-extracting archives (SFX) and links to malicious modules.
This time, a new implant was detected in September 2024, which showed the group’s focus on persistent access and evasion.
A technical analysis of the attack revealed that the implant is packed using UPX and distributed in an SFX archive created with 7-zip. The archive contains five files, four of which masquerade as legitimate system services, while the fifth—a CMD file—ensures persistence.

Upon extraction, the implant triggers the execution of a file named MicrosoftStores.exe, which contains an AutoIt script responsible for launching subsequent malware components.
One of the key components is NetworkDrivers.exe, identified as MeshAgent, which facilitates communication with the attackers’ command-and-control (C2) server through the MeshCentral platform. This allows the attackers to maintain remote access while blending in with normal network traffic.
Further investigation uncovered a heavily obfuscated command file, nKka9a82kjn8KJHA9.cmd, which establishes a scheduled task — MicrosoftEdgeUpdateTaskMachineMS. This task creates a backdoor by regularly running EdgeBrowser.cmd, a script that launches MeshAgent and connects to the C2 server.
This layering of tasks and scripts means that the remaining components can continue to function even if one of them is detected or removed.
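As an added example (not from the article or the researchers' report), the check below scans `schtasks /query /fo CSV /v` output for the persistence pattern described above: a task imitating the Edge updater's name whose action is a batch file, plus the file names the article attributes to the implant chain. The CSV sample, the column subset, and the assumed path of the real Edge updater binary are constructed for this example; it also generalises to any task launching a batch script from a user-writable directory.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output trimmed to three columns
# (not real telemetry): the genuine Edge updater task, a task built as the article
# describes, a fake updater, a batch task in a writable directory, and a benign task.
SAMPLE_SCHTASKS_CSV = """\
"TaskName","Task To Run","Author"
"\\MicrosoftEdgeUpdateTaskMachineCore","C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /c","Microsoft"
"\\MicrosoftEdgeUpdateTaskMachineMS","cmd.exe /c C:\\Users\\Public\\EdgeBrowser.cmd","SYSTEM"
"\\MicrosoftEdgeUpdateTaskUser","C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe","bob"
"\\SystemHealthCheck","cmd.exe /c C:\\ProgramData\\Health\\check.bat","bob"
"\\OneDrive Reporting Task","C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe /reporting","bob"
"""

# File names the article attributes to the implant chain (compared case-insensitively).
CAMPAIGN_FILES = {"microsoftstores.exe", "networkdrivers.exe",
                  "nkka9a82kjn8kjha9.cmd", "edgebrowser.cmd"}

# Assumed install path of the real Edge updater: an Edge-updater-style task name whose
# action does not start here deserves a look.
REAL_EDGE_UPDATER = re.compile(
    r'^"?c:\\program files( \(x86\))?\\microsoft\\edgeupdate\\microsoftedgeupdate\.exe')

REASON_CAMPAIGN_FILE = "action references a file name from the Awaken Likho implant"
REASON_FAKE_UPDATER = "Edge-updater-style task name but action is not the updater binary"
REASON_WRITABLE_BATCH = "task runs a batch script from a user-writable directory"


def suspicious_tasks(schtasks_csv: str) -> list[tuple[str, str]]:
    """Return (task name, reason) for every task matching the persistence pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, action = row["TaskName"], row["Task To Run"].lower()
        # Basenames of every .exe/.cmd/.bat mentioned anywhere in the action string.
        basenames = set(re.findall(r"[\w.-]+\.(?:cmd|bat|exe)", action))
        if basenames & CAMPAIGN_FILES:
            findings.append((name, REASON_CAMPAIGN_FILE))
        elif "microsoftedgeupdate" in name.lower() and not REAL_EDGE_UPDATER.match(action):
            findings.append((name, REASON_FAKE_UPDATER))
        elif re.search(r"\.(?:cmd|bat)\b", action) and re.search(
                r"\\(?:users|programdata|windows\\temp)\\", action):
            findings.append((name, REASON_WRITABLE_BATCH))
    return findings


if __name__ == "__main__":
    for task, why in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{task}: {why}")
```

Feed it the real CSV export from a host and triage the flagged task names against the task's actual action path and author.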
The campaign primarily targeted Russian government organisations, contractors, and industrial enterprises, marking a continued focus on critical infrastructure. The shift to MeshCentral is a noteworthy evolution in the group's tactics, allowing it to evade detection more effectively while maintaining long-term access to infected systems.
Researchers discovered that Awaken Likho’s operations have surged since the onset of the Russo-Ukrainian conflict, and the group shows no signs of slowing down. When they observed fresh implants in August 2024, they discovered this was not a one-off attack but part of an ongoing campaign likely to evolve further.