Cyberattack Group ‘Awaken Likho’ Targets Russian Government with Advanced Tools
The cyber activity cluster named Awaken Likho is currently targeting Russian government agencies, contractors, and industrial entities. This campaign, which started in June 2024 and continued at least until August 2024, marks a shift in the tools used by the attackers. Instead of the previously employed UltraVNC module, the attackers now utilize the MeshCentral platform, a legitimate remote access tool, for their operations. This change indicates a likely attempt to evade detection by blending in with legitimate administrative tools.
Awaken Likho, also known as Core Werewolf or PseudoGamaredon, has carried out cyber-attacks against the defense and critical infrastructure sectors since at least August 2021. First documented by BI.ZONE in June 2023, the group uses spear-phishing to distribute malicious executables disguised as Microsoft Word or PDF documents. The lures carry double extensions such as “.doc.exe”, “.docx.exe”, or “.pdf.exe”; because Windows hides known file extensions by default, the victim sees only “.doc” or “.pdf” and believes they are opening a document, while in reality they are launching an executable.
When these deceptive files are opened, they trigger the installation of UltraVNC, a remote access tool, enabling the attackers to gain complete control over the compromised system. Core Werewolf has targeted high-value entities, including a Russian military base in Armenia and a Russian research institute involved in weapons development, according to F.A.C.C.T. in May 2024.
A key modification in their attack strategy has been the use of self-extracting archives (SFX), which allow for the stealthy installation of UltraVNC. While the malware is being installed in the background, the victim sees an innocent lure document, ensuring the process remains covert. The evolution of this technique, along with their shift to MeshCentral in recent campaigns, demonstrates their adaptive capabilities in avoiding detection and increasing the efficiency of their attacks.
TECHNICAL DETAILS:
- Weakness Classes: the campaign exploits no software vulnerability. Initial access depends on a user launching a disguised executable, and the remote-access tools themselves are legitimate, unmodified software. The CWE identifiers commonly attached to this activity (CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-601 URL Redirection to Untrusted Site, CWE-352 Cross-Site Request Forgery, CWE-250 Execution with Unnecessary Privileges) describe generic weakness classes rather than any documented exploit in this campaign. Of these, only CWE-250 bears directly on the observed tradecraft, since the dropped remote-access tool inherits the privileges of the user who opened the lure and installs most easily when that user is a local administrator.
- Initial Access via Spear-Phishing:
- The attackers use spear-phishing emails to deliver malicious payloads. These emails often contain executables disguised as legitimate documents.
The executables are named with double extensions like:
- .doc.exe
- .docx.exe
- .pdf.exe
- Payload Execution:
- When the user opens the disguised executable, it triggers the installation of UltraVNC, which is a legitimate remote access tool.
- In more recent campaigns, the attackers have shifted from using UltraVNC to the MeshCentral platform for remote access, further complicating detection efforts due to the legitimate nature of MeshCentral.
- Post-Exploitation:
- Remote Control: Once UltraVNC or MeshCentral is installed, the attackers gain full remote control of the compromised system.
- Covert Installation:
- In some cases, the malicious executable is delivered using a self-extracting archive (SFX). This technique installs UltraVNC while simultaneously opening a decoy document (e.g., a Word or PDF file) to avoid arousing suspicion.
- The SFX method ensures that the malicious payload is installed covertly, with the user none the wiser.
- Pivoting to MeshCentral:
- The shift to MeshCentral, a legitimate remote administration platform, represents a key change in their tactics as of mid-2024. The MeshCentral agent initiates an outbound WebSocket-over-TLS connection to its server (typically on port 443), so its traffic resembles ordinary HTTPS and is harder to distinguish than a VNC session, and the agent is a widely deployed binary that security products seldom block outright.
- MeshCentral also offers more robust remote management capabilities, enabling attackers to control the system, deploy additional malware, or exfiltrate data.
- Targeted Entities:
- Government Agencies, Contractors, and Industrial Entities:
- The group primarily targets Russian entities, including governmental agencies and industrial enterprises.
- Critical Infrastructure: Core Werewolf has been tied to attacks on defense and critical infrastructure sectors.
- Military and Research Facilities: They’ve also singled out highly sensitive targets, including a Russian military base in Armenia and a Russian weapons development research institute.
- Persistence and Lateral Movement:
- Persistence: The attackers likely use remote access tools to maintain long-term persistence on compromised systems. They may add additional persistence mechanisms to ensure they remain undetected over extended periods.
- Lateral Movement: After gaining control of one system, they may pivot within the network, targeting other systems to expand their reach.
- Command and Control (C2):
- The C2 infrastructure has varied depending on the tool in use.
- UltraVNC: VNC is a direct desktop-sharing protocol. The attacker either connects inbound to the VNC server listening on the victim (TCP/5900 by default) or, where the victim sits behind NAT, configures the server to make an outbound reverse connection to an attacker-controlled host or repeater. Either way the session carries screen, keyboard, and mouse data and, unless an optional encryption plugin is used, runs in the clear.
- MeshCentral: the MeshAgent keeps a persistent outbound TLS connection to the attacker's MeshCentral server, through which the operator gets remote desktop, terminal, file transfer, and process control for every enrolled machine from a single web console, which makes managing multiple compromised hosts straightforward.
- Evasion Techniques:
- Legitimate Software Abuse: By using UltraVNC and later MeshCentral, both legitimate software products, the attackers can more easily evade detection by security solutions.
- SFX Archives: The use of self-extracting archives (SFX) helps them deploy malware in a stealthy manner while presenting a decoy document to avoid suspicion.
- Attribution:
- The activity cluster is tracked as Awaken Likho and Core Werewolf, with PseudoGamaredon as a further alias; that alias reflects tradecraft resembling the Gamaredon group's, not an established link or collaboration. Precise attribution remains uncertain, and further investigation may be required.
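The Initial Access and Covert Installation items above describe three things a mail gateway or endpoint triage step can check mechanically: a double extension, a document extension on a file that is really a PE, and a PE carrying an embedded archive (the shape of an SFX dropper). The following is an added example written for this page, not code from the original report or from any vendor it cites; the sample attachments are constructed byte strings, and the extension and signature tables are the author's choices.

```python
"""Attachment triage for executables masquerading as documents.

Added example; not code from the original report or from any vendor it cites.
It implements the three checks the campaign description calls for:
  1. a double extension such as report.docx.exe
  2. a document extension on a file that actually carries a PE (MZ/PE) header
  3. a PE with an archive signature embedded after its header, the shape of a
     self-extracting (SFX) dropper that unpacks a RAT next to a decoy document
The sample files at the bottom are constructed byte strings, not real malware.
"""
import struct
from typing import Dict, List, Optional

DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

# Signatures of archive formats commonly wrapped in self-extracting stubs.
ARCHIVE_MAGICS = {
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"Rar!\x1a\x07": "RAR",
    b"PK\x03\x04": "ZIP",
}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_archive(data: bytes) -> Optional[str]:
    """Name of the first archive signature found past offset 0, else None.

    Offset 0 is skipped deliberately: a plain .docx is itself a ZIP and must
    not be reported as an SFX stub.
    """
    for magic, name in ARCHIVE_MAGICS.items():
        if data.find(magic, 1) != -1:
            return name
    return None


def triage(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment (empty list = clean)."""
    findings: List[str] = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    # Windows hides the final extension by default, so "x.pdf.exe" displays as "x.pdf".
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        findings.append(f"double extension .{exts[-2]}.{last}")
    if is_pe(data):
        if last in DOC_EXTS:
            findings.append(f"PE header behind document extension .{last}")
        archive = embedded_archive(data)
        if archive:
            findings.append(f"probable SFX dropper ({archive} archive inside PE)")
    return findings


def fake_pe(tail: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew -> PE signature, then tail."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + tail


# Constructed samples standing in for real attachments.
SAMPLES: Dict[str, bytes] = {
    "contract.docx.exe": fake_pe(),
    "order.pdf": fake_pe(),                        # renamed executable, single extension
    "report.pdf.exe": fake_pe(b"\x00" * 8 + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16),
    "invoice.docx": b"PK\x03\x04" + b"\x00" * 64,  # ordinary OOXML document, clean
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run triage over every sample and return findings keyed by filename."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'clean'}")
```

The magic-byte check is the one that matters at a gateway: an attacker who drops the double extension and simply renames the SFX to `order.pdf` defeats filename rules but not the `MZ`/`PE` test, and a real `.docx` (a ZIP) is never confused with an SFX because the archive signature search starts past offset 0.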
Targeted Entities:
- Government Agencies: Russian governmental organizations are targeted, including high-security divisions.
- Military and Defense Contractors: Entities involved in defense contracts and related critical infrastructure.
- Industrial Enterprises: Includes sectors such as energy, manufacturing, and research, particularly those engaged in sensitive operations.
- Military Bases: Such as the Russian military base in Armenia.
- Research Institutes: Including those involved in weapons development.
IMPACT:
- Data Exfiltration and Espionage
- Impact: The primary goal of the Awaken Likho group is espionage. By gaining remote access to compromised systems via UltraVNC and later MeshCentral, the attackers can steal sensitive information from government agencies, defense contractors, and industrial enterprises.
- Risk: The theft of confidential information could undermine national security, military readiness, and the intellectual property of critical infrastructure organizations.
- Operational Disruption
- Impact: By gaining control over critical systems, the attackers have the potential to disrupt operations. This could involve shutting down systems, tampering with critical processes, or introducing delays in workflows within targeted sectors such as defense, energy, or research.
- Risk: Disruptions in these sectors could have cascading effects, potentially affecting national security, economic stability, and public safety.
- Financial Loss
- Impact: The compromise of systems and the ensuing damage to operations could lead to significant financial losses for the affected organizations. This includes the cost of incident response, remediation, system downtimes, and potentially, reputational damage leading to a loss of business or governmental support.
- Risk: The financial impact cannot be bounded in advance; in high-value sectors like defense contracting and industrial enterprises it can be substantial.
- Increased Attack Surface and Further Exploitation
- Impact: By maintaining persistent access through MeshCentral and previously UltraVNC, the attackers could leverage the compromised systems to expand their foothold within a network. This lateral movement within a network could lead to more widespread infections and compromise of additional systems.
- Risk: A single compromised system could lead to widespread infiltration of the network, increasing the complexity and cost of incident response.
- Intellectual Property Theft
- Impact: The attackers are likely interested in stealing sensitive intellectual property, particularly related to weapons development, military research, and industrial processes. Stolen IP could be sold, shared with competing nations, or used to undermine technological advancements.
- Risk: The theft of intellectual property could lead to a loss of competitive advantage and damage a nation’s military and economic standing.
- Reputational Damage
- Impact: Organizations that fall victim to cyber-espionage campaigns like Awaken Likho could suffer reputational damage, especially if sensitive data or operational failures become public knowledge. This is particularly damaging for governmental agencies and critical infrastructure organizations.
- Risk: A damaged reputation could lead to loss of trust among partners, stakeholders, and the public, making it difficult to secure future contracts or funding.
- Loss of Strategic Advantage
- Impact: In the case of defense and military targets, the loss of sensitive data, plans, or systems could result in a loss of strategic advantage. This could impact national security and military operations by giving adversaries insight into strategic capabilities and weaknesses.
- Risk: In a military context, this could lead to long-term strategic consequences, including the potential compromise of military operations and planning.
- Espionage-Related Legal and Political Consequences
- Impact: The involvement of national agencies and military entities introduces a risk of international tensions, especially if the cyber espionage operations are traced to state-sponsored actors.
- Risk: Escalating tensions between nation-states due to the infiltration of sensitive governmental and defense networks. If this campaign involves espionage on a state level, it could lead to diplomatic fallout and retaliatory actions.
INDICATOR OF COMPROMISE(IOCs):
The Indicators of Compromise (IOCs) for the Awaken Likho (aka Core Werewolf or PseudoGamaredon) campaign are essential for detecting and mitigating the threat. These IOCs include technical artifacts such as malicious file hashes, network indicators, and behavioral signs that can help identify ongoing or past attacks in the targeted environments.
- File-Based IOCs
- Malicious Executables and Double Extensions
- File Names: Look for files with double extensions such as .doc.exe, .docx.exe, or .pdf.exe. These files masquerade as legitimate document files but are executables that trigger malicious actions.
- Self-Extracting Archive (SFX) Files: Malicious SFX files used to covertly install UltraVNC or other malware while displaying a decoy document to the target.
- File Hashes: MD5, SHA-1, and SHA-256 hashes of the campaign's executables are published in the vendor reports cited above; none are reproduced here, so hash matching should draw on those feeds.
- Remote Access Tools (RATs)
- UltraVNC Executables: Identify UltraVNC binaries or processes if they were not authorized for installation.
- MeshCentral Agent: Detection of the legitimate but abused MeshCentral agent (MeshAgent.exe) running on systems where it is not expected.
- Common File Paths:
- Legitimate installs land in fixed locations: C:\Program Files\uvnc bvba\UltraVNC\ (UltraVNC, service binary winvnc.exe) and C:\Program Files\Mesh Agent\ (MeshCentral, binary MeshAgent.exe). Either binary found outside those paths, particularly in a user-writable directory, warrants investigation. The locations below are the usual unpack targets for an SFX archive and are listed as places to look, not as paths observed in this campaign:
- %TEMP% and %LOCALAPPDATA%\Temp\
- %APPDATA% and %LOCALAPPDATA% subfolders
- %USERPROFILE%\Downloads\
- Network-Based IOCs
- Command-and-Control (C2) Communication
- IP Addresses and Domains: Identify suspicious IP addresses and domains associated with Awaken Likho C2 infrastructure.
- C2 Channel Characteristics: UltraVNC traffic is unencrypted unless an optional encryption plugin is used, so the VNC (RFB) protocol is recognisable on the wire even on non-standard ports. MeshAgent traffic is TLS to its server, so detection must rely on the destination (host, certificate, reputation) and on long-lived outbound WebSocket sessions from workstations rather than on content.
- Suspicious Network Traffic
- RAT-Related Network Activity: Unexpected traffic generated by UltraVNC or MeshCentral, especially inbound connections to TCP/5900 (VNC's default) or persistent outbound TLS sessions from workstations to MeshCentral servers the organization does not operate.
- High Volume of HTTP/S Traffic: Sustained outbound HTTP/S volume to an unfamiliar external server may indicate data exfiltration.
- Unusual Remote Access Behavior: Monitor for RDP or VNC sessions outside regular business hours, and for any remote-control session on hosts where no remote-access tool is sanctioned.
- Behavioral IOCs
- Malware Installation Behavior
- Execution of Files with Double Extensions: Monitor for users or systems executing files with hidden or double extensions (.docx.exe, .pdf.exe).
- Unexpected Use of UltraVNC: If UltraVNC is detected running on systems where it was not previously installed or authorized, this is a strong indicator of compromise.
- MeshCentral Usage: Check for the installation of MeshCentral agents on systems where it is not required, particularly if tied to unusual or external network communication.
- Privilege Escalation and Lateral Movement
- Privilege Escalation Attempts: Log events showing attempts to escalate privileges by users or services that typically don’t require elevated permissions.
- Lateral Movement: Unauthorized use of legitimate credentials or services to move laterally within the network, particularly through remote access tools like UltraVNC or MeshCentral.
- File Execution and Persistence
- Autorun Entries: Look for suspicious entries in the Windows Registry, Task Scheduler, or Startup folders that enable persistence for malware or remote access tools.
- Registry Example: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Persistence via Services: Check for newly created or suspicious Windows services related to UltraVNC, MeshCentral, or other remote tools.
- Email-Based IOCs
- Spear-Phishing Emails
- Sender Domains: Identify phishing emails from domains designed to impersonate legitimate ones or newly registered domains linked to the campaign.
- Email Attachments: Look for email attachments with file names that match the malicious patterns, especially those that contain double extensions.
- Phishing URLs
- URLs embedded in phishing emails that direct users to download malicious files or connect to C2 servers.
- Log-Based IOCs
- Windows Event Logs
- Event IDs: Monitor Windows Event IDs that record execution or installation of UltraVNC, MeshCentral, or related activity. Note that 4688 carries the command line only if “Include command line in process creation events” is enabled by policy; Sysmon Event ID 1 (process creation) and 13 (registry value set) give equivalent coverage where Sysmon is deployed.
- Event ID 4688: Process creation; look for launches from Temp or profile directories, for image names with double extensions, and for winvnc.exe or MeshAgent.exe started from non-standard paths.
- Event ID 7045: Service installation; a new service named uvnc_service or Mesh Agent, or any service whose image path sits under a user-writable directory, can indicate RAT installation or a persistence mechanism.
- SIEM Alerts
- Configure Security Information and Event Management (SIEM) tools to generate alerts for the identified file-based, network, and behavioral IOCs, especially for suspicious remote access tools, privilege escalation attempts, or suspicious outbound traffic.
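The file-, behavioral- and log-based IOCs above translate into a handful of correlation rules over process-creation and service-installation events. What follows is an added example written for this page, not a rule set from the original report or from any SIEM vendor: the events are constructed dictionaries carrying the fields of Security event 4688 and System event 7045, and APPROVED_RAT_HOSTS is an assumed stand-in for an inventory of machines where remote-access tools are sanctioned.

```python
"""Detection rules run over constructed Windows event records.

Added example; not from the original report or any SIEM vendor. Events below
are hand-made dictionaries carrying the fields of Security event 4688 (process
creation, with command-line auditing enabled) and System event 7045 (service
installation). APPROVED_RAT_HOSTS stands in for an organisation's inventory of
machines where remote-access tools are sanctioned; it is an assumption.
"""
import re
from typing import Any, Dict, List, Tuple

# Default binary and service names of the two tools the campaign abuses.
RAT_IMAGES = {"winvnc.exe", "meshagent.exe"}
RAT_SERVICES = {"uvnc_service", "mesh agent"}
DOUBLE_EXT = re.compile(r"\.(docx?|pdf|xlsx?)\.(exe|scr|com|pif)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Users\\Public)\\", re.IGNORECASE)
APPROVED_RAT_HOSTS = {"it-jump01"}   # assumption: hosts where MeshAgent/UltraVNC is sanctioned

Alert = Tuple[int, str, str]          # (event id, rule name, detail)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerating surrounding quotes."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def inspect_4688(ev: Dict[str, Any]) -> List[Alert]:
    """Rules over a process-creation record."""
    image, parent, host = ev["NewProcessName"], ev["ParentProcessName"], ev["Computer"].lower()
    alerts: List[Alert] = []
    if DOUBLE_EXT.search(image):
        alerts.append((4688, "double-extension executable launched", image))
    if basename(image) in RAT_IMAGES:
        # A RAT binary outside its install directory, or on a host with no business need.
        if USER_WRITABLE.search(image) or host not in APPROVED_RAT_HOSTS:
            alerts.append((4688, "remote-access tool on unapproved host or path", f"{host}: {image}"))
        # The SFX lure is the parent of the RAT it unpacked.
        if DOUBLE_EXT.search(parent):
            alerts.append((4688, "remote-access tool spawned by disguised document", f"{parent} -> {image}"))
    return alerts


def inspect_7045(ev: Dict[str, Any]) -> List[Alert]:
    """Rules over a service-installation record."""
    name, path, host = ev["ServiceName"], ev["ImagePath"], ev["Computer"].lower()
    alerts: List[Alert] = []
    if USER_WRITABLE.search(path):
        alerts.append((7045, "service installed from user-writable path", path))
    if (name.lower() in RAT_SERVICES or basename(path) in RAT_IMAGES) and host not in APPROVED_RAT_HOSTS:
        alerts.append((7045, "remote-access service on unapproved host", f"{host}: {name}"))
    return alerts


def run_rules(events: List[Dict[str, Any]]) -> List[Alert]:
    """Dispatch each event to the rule set for its ID and collect alerts in order."""
    out: List[Alert] = []
    for ev in events:
        if ev["EventID"] == 4688:
            out.extend(inspect_4688(ev))
        elif ev["EventID"] == 7045:
            out.extend(inspect_7045(ev))
    return out


# Constructed event stream: a phished workstation, then a sanctioned jump host.
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4688, "Computer": "acc-ws17",
     "NewProcessName": r"C:\Users\user1\AppData\Local\Temp\Order_2024.pdf.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 4688, "Computer": "acc-ws17",
     "NewProcessName": r"C:\Users\user1\AppData\Local\Temp\winvnc.exe",
     "ParentProcessName": r"C:\Users\user1\AppData\Local\Temp\Order_2024.pdf.exe"},
    {"EventID": 7045, "Computer": "acc-ws17", "ServiceName": "Mesh Agent",
     "ImagePath": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"EventID": 7045, "Computer": "it-jump01", "ServiceName": "Mesh Agent",
     "ImagePath": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"EventID": 4688, "Computer": "it-jump01",
     "NewProcessName": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for event_id, rule, detail in run_rules(EVENTS):
        print(f"[{event_id}] {rule}: {detail}")
```

The host allow-list is what separates abuse from administration here: the same `Mesh Agent` service install on `it-jump01` produces nothing, while on the workstation it fires. Renamed binaries escape the image-name rules, which is why the parent-child rule (RAT spawned by a double-extension process) and the user-writable-path rule are kept as independent signals.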
RECOMMENDATION
- Enhance Email Security and User Awareness
- Implement Advanced Email Filtering: Use email security solutions with enhanced filtering capabilities to detect and block spear-phishing emails. These solutions should identify malicious attachments (like those using double extensions, e.g., .docx.exe and .pdf.exe) and phishing links.
- User Awareness Training: Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious file extensions and the risks associated with opening unexpected attachments.
- Phishing Simulation: Run phishing simulation exercises to test user readiness and identify gaps in awareness.
- File and Attachment Scanning
- Block Executable Attachments: Configure email gateways to block executable files (.exe, .bat, etc.) unless they are absolutely necessary for business operations. Use file type validation to ensure users don’t mistakenly open harmful files.
- Use Sandboxing: Implement sandboxing technology to automatically scan and execute suspicious files in a controlled environment before allowing them onto corporate systems.
- Content Disarm and Reconstruction (CDR): Use CDR tools to sanitize and neutralize malicious code in attachments by reconstructing files without active elements like macros or executables.
- Patch Management and Vulnerability Mitigation
- Apply Security Patches: Ensure that all systems, especially those running Windows, are regularly patched and updated to mitigate known vulnerabilities that could be exploited by attackers.
- Monitor for Weaknesses: Use automated scanning to find missing patches and weak configurations (users running as local administrators, unrestricted execution from profile directories), bearing in mind that this campaign's initial access does not exploit an unpatched vulnerability, so patching alone will not stop it.
- Endpoint Protection: Deploy endpoint detection and response (EDR) solutions to identify and block suspicious behaviors related to malware installation and remote access tools.
- Access Control and Privilege Management
- Least Privilege Principle: Limit user permissions and access rights to the minimum necessary for their job functions. This reduces the impact of compromised accounts and prevents lateral movement.
- Multi-Factor Authentication (MFA): Implement MFA across all systems, especially for privileged accounts and remote access. This ensures that compromised credentials are not sufficient for attackers to gain full control.
- Disable Unnecessary Services: Deactivate remote access tools like UltraVNC and limit the use of legitimate platforms such as MeshCentral to only those users who require them for their roles.
- Remote Access Control
- Monitor Remote Access Tools: Keep close control over the use of remote access tools, like UltraVNC and MeshCentral. Restrict their use to authorized personnel and actively monitor for unauthorized installations or unusual activity.
- Encrypt Remote Access: Ensure that remote access traffic is encrypted and that strong authentication mechanisms are in place for any authorized remote connections.
- Network Segmentation
- Segment Critical Systems: Isolate critical infrastructure systems and sensitive networks from the general IT environment. By segmenting networks, you limit the ability of attackers to move laterally and reach high-value targets like weapons development systems or military facilities.
- Internal Firewalls and Monitoring: Use internal firewalls and network monitoring tools to control traffic between segments and detect anomalous behavior.
- Incident Detection and Response
- Deploy SIEM Solutions: Use Security Information and Event Management (SIEM) systems to correlate and analyze logs for unusual activity that could indicate a breach, such as unexpected remote access tool installations or privilege escalations.
- Endpoint Monitoring: Continuously monitor endpoints for suspicious activity, including the use of self-extracting archives (SFX) and unauthorized remote control sessions.
- Create an Incident Response Plan: Develop and regularly update an incident response plan tailored to targeted attacks like those used by Awaken Likho. This should include procedures for isolating compromised systems, identifying indicators of compromise (IOCs), and notifying stakeholders.
- Threat Intelligence and Proactive Hunting
- Leverage Threat Intelligence Feeds: Subscribe to threat intelligence feeds that provide real-time information on threat actors like Awaken Likho. This helps to identify new tactics, techniques, and procedures (TTPs) used by attackers.
- Proactive Threat Hunting: Actively search for signs of compromise in your environment, particularly for IOCs related to UltraVNC, MeshCentral, and phishing techniques (double extensions, SFX archives).
- IOC Monitoring: Monitor for specific IOCs like unusual remote access sessions, self-extracting archive executions, or connections to suspicious command-and-control servers.
- Backup and Recovery
- Implement Regular Backups: Ensure that critical systems and data are regularly backed up and stored in secure, isolated locations. Regular backups allow organizations to recover from attacks that result in data corruption or system failure.
- Test Backup Integrity: Periodically test the backup process to ensure that the organization can quickly recover in case of an attack.
- Regulatory and Compliance Measures
- Comply with Cybersecurity Frameworks: Follow cybersecurity standards and frameworks such as NIST, ISO 27001, or CIS Controls to ensure that the organization’s cybersecurity practices meet best practices.
- Security Audits and Penetration Testing: Regularly conduct security audits and penetration tests to identify weaknesses and ensure that the defensive posture is adequate.
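The Remote Access Control recommendation above asks that MeshCentral be limited to sanctioned use, and an inventory of which hosts run the agent is only half of that: an agent on an approved host can still be pointed at an attacker's server. The following added example (not MeshCentral's own code and not from the original report) audits an agent's configuration against the organization's own server. It assumes the agent's `.msh` file is plain key=value text whose `MeshServer` line holds the `wss://` URL the agent dials and whose `ServerID` holds the value MeshCentral uses to pin the server's certificate, the layout its documentation describes; the sanctioned-server table and both configuration texts are constructed.

```python
"""Audit a MeshAgent .msh configuration against a list of sanctioned servers.

Added example; not MeshCentral's own code and not from the original report.
Assumptions: the agent's .msh file is plain key=value text whose MeshServer
line holds the wss:// URL the agent dials and whose ServerID holds the value
MeshCentral uses to pin the server certificate (the layout its documentation
describes); SANCTIONED lists the organisation's own server and its ServerID.
Both configuration texts below are constructed.
"""
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: the single MeshCentral server IT is permitted to operate.
SANCTIONED: Dict[str, str] = {
    "mesh.corp.example": "0F3A7C9E" * 12,   # placeholder ServerID, not a real hash
}


def parse_msh(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines without '=' are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: Dict[str, str]) -> List[str]:
    """Return reasons this agent config should not be trusted (empty = sanctioned)."""
    server = cfg.get("MeshServer")
    if not server:
        return ["no MeshServer entry"]
    url = urlparse(server)
    host = (url.hostname or "").lower()
    problems: List[str] = []
    if url.scheme != "wss":
        problems.append(f"agent URL not TLS-protected (scheme {url.scheme or 'missing'})")
    expected = SANCTIONED.get(host)
    if expected is None:
        problems.append(f"agent points at unsanctioned server {host or server}")
    elif cfg.get("ServerID", "").upper() != expected.upper():
        # Right hostname but wrong pin: DNS or proxy tricks could redirect the agent.
        problems.append("ServerID does not pin the sanctioned server's certificate")
    return problems


# Constructed configs: one from IT's jump host, one found on a phished workstation.
SANCTIONED_MSH = """\
MeshName=Corp-IT
MeshType=2
MeshID=0x1111
ServerID={sid}
MeshServer=wss://mesh.corp.example:443/agent.ashx
""".format(sid="0F3A7C9E" * 12)

ROGUE_MSH = """\
MeshName=office
MeshType=2
MeshID=0x2222
ServerID=DEADBEEF
MeshServer=wss://update-check.example.net:443/agent.ashx
"""


if __name__ == "__main__":
    for label, text in (("jump host", SANCTIONED_MSH), ("workstation", ROGUE_MSH)):
        print(f"{label}: {audit(parse_msh(text)) or 'sanctioned'}")
```

Run this against the `.msh` next to every `MeshAgent.exe` an inventory turns up; an agent whose `MeshServer` is not the organization's own is the MeshCentral equivalent of a VNC server with an unknown reverse-connect target, and the `ServerID` comparison catches the case where only the hostname was made to look familiar.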