Introduction
In July 2021, a campaign was launched primarily targeting Russian government agencies and industrial enterprises. Shortly after the campaign started, we began tracking it, and published three reports in August and September 2024 through our threat research subscription on the threat actor we named Awaken Likho (also named by other vendors as Core Werewolf).
While investigating the activity of this APT group, we discovered a new campaign that began in June 2024 and continued at least until August. Analysis of the campaign revealed that the attackers had significantly changed the software they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems. The group remains focused on targeting Russian government organizations and enterprises.
Technical details
During the investigation, using our Yara rules, we identified a new implant that we hadn’t seen previously in this group’s arsenal. Based on our telemetry, we concluded that the implant was delivered to victims’ devices via a malicious URL, likely obtained through phishing emails. Awaken Likho operators typically use search engines to gather as much information as possible about their victims and prepare convincing messages. We weren’t able to obtain the original phishing emails used to distribute this implant, but email attachments in previous campaigns included self-extracting archives (SFX) and links to malicious modules. In addition, previous attacks used Golang droppers to deliver malware – we didn’t find evidence of this in the current activity. However, the main difference in the implant we analyzed lies in a new method of gaining and maintaining control over the infected machine. For several years, we observed the use of the UltraVNC module to gain remote acces ..
Support the originator by clicking the read the rest link below.
