Awaken Likho Targets Russian Agencies with MeshCentral Remote Access Tool

 

Awaken Likho, also referred to as Core Werewolf or PseudoGamaredon, is a cyber threat group targeting Russian government agencies and industrial entities. Since June 2024, a new campaign has been observed, where attackers have shifted from using UltraVNC to MeshCentral’s legitimate agent for remote access to compromised systems. The campaign primarily focuses on Russian government contractors and industrial enterprises, as reported by Kaspersky. Spear-phishing is a key method employed by Awaken Likho, with malicious executables disguised as Word or PDF files. 

These files trick victims by using double extensions such as “.doc.exe” or “.pdf.exe,” making them appear like standard document formats. When opened, these files trigger the installation of UltraVNC or, in the new campaign, MeshCentral’s MeshAgent tool, which grants the attackers full control over the compromised system. Awaken Likho’s cyberattacks date back to at least August 2021, first gaining attention through targeting Russia’s defense and critical infrastructure sectors. However, more recently, the group has shifted to using self-extracting archives (SFX) to covertly install UltraVNC, along with presenting decoy documents. 

In its latest campaigns, an SFX archive triggers the execution of a file named “MicrosoftStores.exe,” which unpacks an AutoIt script. This script eventually runs the MeshAgent tool, facilitating ongoing remote control via the MeshCentral server. By creating a scheduled task, Awaken Likho ensures persistence within the infected system. The scheduled task consistently runs the command file, which in turn launches MeshAgent, allowing communication with the MeshCentral server. This tactic gives the attackers access to the system long after the initial breach. Russian cybersecurity company Kaspersky has revealed that the campaign’s primary focus remains within Russian government bodies, contractors, and industrial enterprises. 

Additionally, earlier findings from BI.ZONE in June 2023 indicated that Awaken Likho has targeted sectors including defense and critical infrastructure, emphasizing the group’s intent on penetrating Russia’s most vital industries. A notable attack in May 2023 targeted a Russian military base in Armenia, as well as a research institute involved in weapons development. These actions suggest Awaken Likho’s primary focus on entities involved in Russia’s security and defense sectors, with significant consequences for the country’s critical infrastructure. 

This new chapter in Awaken Likho’s activity signals the group’s evolving tactics and its continued interest in leveraging spear-phishing attacks with more sophisticated tools. By transitioning to the MeshCentral platform, the group showcases its adaptability in maintaining control over systems while evading detection, making it a significant threat to Russian entities in the future.