Kaspersky Lab has reported a significant evolution in the tactics employed by the hacker group Awaken Likho, also known as Core Werewolf. The group has intensified its cyberattacks on Russian government institutions and industrial enterprises, utilizing advanced remote access technologies to breach security defenses.
Shift in Attack Methodology
In a notable departure from their previous strategies, Awaken Likho has transitioned from using the UltraVNC module to leveraging the MeshCentral platform agent for remote access. This tactical shift, observed since June 2024, marks a sophisticated advancement in the group’s operational capabilities.
Kaspersky’s cybersecurity experts have been monitoring Awaken Likho’s activities since 2021, when the group first emerged targeting primarily Russian state institutions and industrial facilities. The recent campaign analysis reveals a significant upgrade in the malware utilized for these attacks.
Technical Analysis of the New Attack Vector
The malware is distributed through a self-extracting archive created using 7-Zip. This archive contains five files, four of which are disguised as legitimate system services and command files. Among these is the MeshAgent file, an agent for the legitimate MeshCentral platform, which now serves as the group’s primary tool for gaining unauthorized remote access.
Notably, this new malware variant lacks the payload-free files observed in previous samples, suggesting that this version is still under active development. Upon opening the archive, the contained files and scripts execute automatically, establishing a foothold in the system and granting the attackers remote access to the target device.
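The delivery mechanism described above, a 7-Zip self-extracting archive (a Windows executable stub with a 7z archive appended to it), can be flagged in triage without executing anything. The following script is an added example written for this article, not code from Kaspersky or from the campaign: it checks whether a file is a PE image, searches it for the 7z archive signature, and verifies the 7z start-header CRC so that a stray six-byte match in random data is not reported as an archive. The sample file it inspects is constructed in memory and is not a real malware sample.

```python
import struct
import zlib
from typing import List, Optional

MZ_MAGIC = b"MZ"
# Real 7z archive signature (first 6 bytes of every 7z start header)
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# 7z start header: 6-byte signature, 1-byte major, 1-byte minor,
# 4-byte StartHeaderCRC, then 20 bytes (NextHeaderOffset, NextHeaderSize,
# NextHeaderCRC) that the StartHeaderCRC covers.
START_HEADER_LEN = 32


def is_pe(data: bytes) -> bool:
    """True if the blob has an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_7z_archives(data: bytes) -> List[int]:
    """Offsets of 7z start headers whose StartHeaderCRC verifies."""
    offsets = []
    pos = data.find(SEVENZIP_MAGIC)
    while pos != -1:
        if len(data) >= pos + START_HEADER_LEN:
            _major, _minor, start_crc = struct.unpack_from("<BBI", data, pos + 6)
            covered = data[pos + 12:pos + START_HEADER_LEN]
            if zlib.crc32(covered) & 0xFFFFFFFF == start_crc:
                offsets.append(pos)
        pos = data.find(SEVENZIP_MAGIC, pos + 1)
    return offsets


def classify(data: bytes) -> str:
    """Coarse verdict: '7z-sfx', '7z-archive', 'pe' or 'unknown'."""
    pe = is_pe(data)
    archives = find_7z_archives(data)
    if pe and archives:
        return "7z-sfx"          # executable stub carrying an embedded 7z archive
    if archives and archives[0] == 0:
        return "7z-archive"      # plain .7z file
    if pe:
        return "pe"
    return "unknown"


def build_sample_sfx() -> bytes:
    """Constructed test input: a minimal MZ/PE stub followed by a valid 7z start header."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)                  # e_lfanew -> PE header at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 60             # PE signature plus padding (128 bytes total)
    body = b"\x00" * 16                              # placeholder for packed streams
    tail = struct.pack("<QQI", len(body), 0, 0)      # NextHeaderOffset, NextHeaderSize, NextHeaderCRC
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    header = SEVENZIP_MAGIC + bytes([0, 4]) + struct.pack("<I", start_crc) + tail
    return bytes(stub) + header + body


if __name__ == "__main__":
    sample = build_sample_sfx()
    print(classify(sample), find_7z_archives(sample))
```

The CRC check is what makes the heuristic usable at scale: the signature alone matches six arbitrary bytes, but a correct StartHeaderCRC over the following 20 bytes almost never occurs by accident. Note that a legitimate 7-Zip SFX installer produces the same verdict; the script surfaces candidates for analysis, it does not decide maliciousness.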
Infection Process and Social Engineering
The initial infection vector appears to be phishing emails containing malicious links. Before launching attacks, Awaken Likho operatives gather extensive information about their targets to craft highly convincing messages, increasing the likelihood of successful compromise.
Implications for the Cybersecurity Landscape
Alexey Shulmin, a cybersecurity expert at Kaspersky Lab, notes: “Awaken Likho’s activities have become particularly noticeable since 2022, and the group remains active to this day. Their methods have changed significantly: we’re seeing a new version of malware that uses different remote access technology.”
This evolution in tactics is part of a broader trend. Kaspersky reports a 35% increase in attacks using remote access technologies in Russia during the first eight months of 2024 compared to the same period in 2023. This surge underscores the growing sophistication of cyber threats and the need for enhanced security measures.
As Awaken Likho continues to refine its techniques, cybersecurity professionals anticipate further attacks from this group and potentially other APT groups employing similar tools. Organizations, particularly those in Russia’s government and industrial sectors, must remain vigilant and implement robust cybersecurity protocols to mitigate these evolving threats. Continuous monitoring, employee education on phishing tactics, and regular security audits are crucial steps in maintaining a strong defense against such sophisticated cyber operations.