Russian government agencies and industrial enterprises are the target of ongoing activity by a threat cluster tracked as Awaken Likho.
“Attackers now prefer to use the agent for the legitimate MeshCentral platform instead of the UltraVNC module that they previously used to gain remote access to systems,” Kaspersky said in a report detailing the new campaign, which began in June 2024 and lasted until at least August.
The Russian cybersecurity company said the campaign primarily targeted Russian government agencies, their contractors, and industrial enterprises.
Awaken Likho, also tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in connection with cyber attacks targeting the defense and critical infrastructure sectors. The group is believed to have been active since at least August 2021.
The phishing attacks involve distributing malicious executable files disguised as Microsoft Word or PDF documents by giving them double extensions such as “doc.exe”, “.docx.exe” or “.pdf.exe”, so that users see only the .docx or .pdf part of the extension.
However, opening these files was found to trigger the installation of UltraVNC, allowing the threat actors to gain full control over the compromised hosts.
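The double-extension lure works because Windows Explorer hides the final extension of known file types by default, so "Contract.docx.exe" is shown as "Contract.docx". The following is an added example (not code from the article, Kaspersky, or BI.ZONE) of a mail-gateway style check that flags such names before they reach a user; the attachment names and the list of executable extensions are constructed for the example.

```python
from typing import List

# Document-like extensions the lures imitate (the article names Word and PDF files).
DECOY_EXTENSIONS = {"doc", "docx", "pdf"}
# Extensions Windows will run as a program; a constructed list for this example.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def base_name(filename: str) -> str:
    """Strip any directory part, accepting both Windows and POSIX separators."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def extension_parts(filename: str) -> List[str]:
    """Lower-cased, dot-separated parts of the bare filename."""
    return base_name(filename).lower().split(".")


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the part just before
    it is a document extension, e.g. 'contract.docx.exe' or 'doc.exe'."""
    parts = extension_parts(filename)
    if len(parts) < 2:
        return False
    return parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Simulate Explorer's default 'Hide extensions for known file types' setting,
    which drops the final extension from the name the user sees."""
    name = base_name(filename)
    if not hide_known_extensions or "." not in name:
        return name
    return name.rsplit(".", 1)[0]


def flag_attachments(filenames: List[str]) -> List[str]:
    """Return the attachment names that should be blocked or alerted on."""
    return [f for f in filenames if is_disguised_executable(f)]


# Constructed sample of attachment names as a mail gateway might log them.
SAMPLE_ATTACHMENTS = [
    "Contract_2024.docx.exe",
    "Invoice_0931.pdf",
    "Scan.pdf.exe",
    "setup.exe",
    "agenda.docx",
    "report.doc.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = "BLOCK" if is_disguised_executable(name) else "ok"
        print(f"{verdict:5} {name:25} shown to user as: {displayed_name(name)}")
```

The check deliberately keys on the pair of extensions rather than on ".exe" alone, so a plain installer is not flagged while a document-named executable is; on the endpoint side, enabling "show file extensions" removes the visual trick entirely.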
Other Core Werewolf attacks have also targeted a Russian military base in Armenia, as well as a Russian research institute involved in weapons development, according to findings from FACCT earlier in May.
One notable change observed in these cases concerns the use of a self-extracting archive (SFX) to facilitate the stealth installation of UltraVNC while displaying a harmless decoy document to targets.
The latest attack chain discovered by Kaspersky also relies on an SFX archive created with 7-Zip that, when opened, runs a file called “MicrosoftStores.exe”, which then unpacks an AutoIt script that ultimately runs the open-source MeshAgent remote control tool.
“These actions allow the APT to remain in the system: the attackers create a scheduled job that runs a batch file, which in turn runs MeshAgent to establish a connection to the MeshCentral server,” Kaspersky said.
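The persistence chain Kaspersky describes (Task Scheduler → batch file → MeshAgent) is visible in process-creation telemetry as a parent/child pattern. The following is an added example, not Kaspersky's code or anything from the MeshCentral project, that walks Sysmon-style process records and reports MeshAgent launches whose ancestry contains a batch file started under the Task Scheduler. The event records, file paths and the agent binary name "MeshAgent.exe" are assumptions constructed for the example; a legitimately installed agent normally starts as a service, so a launch via cmd.exe from a scheduled task is the anomaly worth alerting on.

```python
from typing import Dict, List

# Constructed Sysmon-style process creation records (Event ID 1 reduced to the
# fields the check needs). Sample data for the example, not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\update\run.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\ProgramData\update\MeshAgent.exe",
     "cmdline": "MeshAgent.exe"},
    # Benign control case: an administrator starting the agent interactively.
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "cmdline": "MeshAgent.exe"},
]

# Older Windows builds launch task actions through taskeng.exe / taskhostw.exe.
TASK_SCHEDULER_IMAGES = {"taskeng.exe", "taskhostw.exe"}


def image_name(event: Dict) -> str:
    """Bare executable name, lower-cased, from a Windows or POSIX path."""
    return event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_task_scheduler_host(event: Dict) -> bool:
    """The Task Scheduler service runs inside svchost.exe with '-s Schedule'."""
    name = image_name(event)
    if name in TASK_SCHEDULER_IMAGES:
        return True
    return name == "svchost.exe" and "schedule" in event["cmdline"].lower().split()


def runs_batch_file(event: Dict) -> bool:
    """cmd.exe invoked with a .bat script on its command line."""
    return image_name(event) == "cmd.exe" and ".bat" in event["cmdline"].lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Return the chain root..event, stopping at unknown parents or PID reuse loops."""
    chain = [event]
    seen = {event["pid"]}
    cur = event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return list(reversed(chain))


def find_mesh_persistence_chains(events: List[Dict],
                                 agent_name: str = "meshagent.exe") -> List[List[int]]:
    """Return PID chains (root -> agent) for every agent launch whose ancestors
    include both a Task Scheduler host and a cmd.exe running a batch file."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[List[int]] = []
    for e in events:
        if image_name(e) != agent_name:
            continue
        chain = ancestry(e, by_pid)
        ancestors = chain[:-1]
        if any(runs_batch_file(a) for a in ancestors) and \
                any(is_task_scheduler_host(a) for a in ancestors):
            hits.append([p["pid"] for p in chain])
    return hits


if __name__ == "__main__":
    for chain in find_mesh_persistence_chains(SAMPLE_EVENTS):
        print("suspicious MeshAgent persistence chain, PIDs:", " -> ".join(map(str, chain)))
```

Pairing this with the scheduled-task creation event itself (Security Event ID 4698, or the task XML under C:\Windows\System32\Tasks) gives the task name and the batch file path to remove, and the MeshAgent outbound connection to an unknown MeshCentral server is the network-side indicator to hunt for alongside it.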