Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with the intention of targeting Russian government agencies and businesses by targeting them.

The group has abandoned its previous use of the UltraVNC module for remote access and adopted the MeshCentral agent instead, which highlights its adaptability and continuous efforts to evade detection and maintain its operations.

The newly identified implant, detected in September 2024, exhibits a significant departure from the group’s previous tactics.

While the implant was likely delivered via phishing emails, it deviates from the typical use of Golang droppers and self-extracting archives.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

It utilizes MeshAgent, an open-source remote device management solution, to establish and maintain control over infected systems, marking a shift from the previously used UltraVNC module, which was first observed in August 2024.

Implant archive contents

The analysis revealed that the implant is distributed in a self-extracting archive packed with UPX and created using 7-Zip.

The archive contains several files, including a CMD file with a randomly generated name and a compiled AutoIt script. 

Where the CMD file is used to launch NetworkDrivers.exe and nKka9a82kjn8KJHA9.cmd, ensuring persistence in the system.

After being deobfuscated, the AutoIt script was found to be responsible for launching these executables with specific parameters.

Extracted AutoIt script

The attackers initially launched a legitimate remote administration tool, NetworkDrivers.exe, to establish a foothold in the victim’s system.

Subsequently, they executed a heavily obfuscated batch file, nKka9a82kjn8KJHA9.cmd, which created a scheduled task named MicrosoftEdgeUpdateTaskMachineMS. 

It was designed to run a malicious script, EdgeBrowser.cmd, and then delete incriminating files like MicrosoftStores.exe, thereby hindering detection and analysis of the attack.

Part of the obfuscated contents of nKka9a82kjn8KJHA9.cmd

They also leveraged a legitimate MeshCentral platform to establish a persistent presence on the compromised system by creating a scheduled task that executed a malicious command file, which in turn launched the MeshAgent agent. 

This agent, configured with specific parameters to connect to the C2 server, facilitated communication and control over the infected system.

The attackers’ use of MeshCentral allowed them to interact with the compromised device remotely and potentially execute further malicious actions.

MeshCentral platform login interface

According to Secure List, the APT group Awaken Likho, known for its increased activity since the Russo-Ukrainian conflict, has recently executed a cyberattack targeting Russian government agencies, contractors, and industrial enterprises. 

The analyzed implant, a newer version of their malware, indicates their ongoing development and potential for future attacks and underscores the need for robust cybersecurity solutions to safeguard corporate resources against evolving threats.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

15 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago