The advanced persistent threat operation Awaken Likho, also known as PseudoGamaredon and Core Werewolf, has adopted more advanced tools in intrusions against Russian government agencies and their contractors, as well as the country's industrial organizations, in an attack campaign that ran from June to August, The Hacker News reports.
Awaken Likho's new intrusions involved the stealthy takeover of breached hosts through a 7-Zip-based self-extracting archive file that executes an AutoIT script-unpacking file before launching the MeshAgent remote management tool. This is a change from the group's previous attacks, which mostly distributed UltraVNC via executables spoofing Microsoft Word and PDF documents, a report from Kaspersky revealed. "These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server," said Kaspersky.
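The persistence chain Kaspersky describes (a scheduled task that runs a command file, which launches MeshAgent to reach a MeshCentral server) is the kind of indirection a defender can hunt for in exported Task Scheduler definitions. The script below is an added example written for this page, not code from Kaspersky, The Hacker News or the MeshCentral project: it parses Task Scheduler XML of the form `schtasks /query /xml` produces, follows any action that points at a `.cmd` or `.bat` file, and flags the task when that file references a remote-management agent. The task definitions, file paths and command-file contents are constructed samples, and `read_file` is a hypothetical callback supplied by the caller so the check runs on exported data offline rather than on a live host.

```python
"""Flag Windows scheduled tasks whose action is a command file that launches
a remote-management agent (MeshAgent/MeshCentral, UltraVNC).

Added illustration: every task definition, path and command-file body below
is a constructed sample, not an artefact from the Awaken Likho campaign."""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (schtasks /query /xml)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# File types a persistence task typically hands off to as a "command file"
SCRIPT_EXTENSIONS = (".cmd", ".bat")

# Lower-case strings that identify the remote-management tools named in the report
# (winvnc is the UltraVNC server binary name)
REMOTE_TOOL_MARKERS = ("meshagent", "meshcentral", "ultravnc", "winvnc")


def extract_exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((command, arguments))
    return actions


def analyze_task(task_xml, read_file):
    """Classify one task as "suspicious", "review" or "clean".

    read_file(path) is a hypothetical caller-supplied callback that returns the
    text of a command file, or None when it cannot be read."""
    reasons = []
    marker_hits = 0
    indirect_launcher = False
    for command, arguments in extract_exec_actions(task_xml):
        lowered = f"{command} {arguments}".lower()
        # Case 1: the task action itself names a remote-management tool
        for marker in REMOTE_TOOL_MARKERS:
            if marker in lowered:
                reasons.append(f"task action references {marker}")
                marker_hits += 1
        # Case 2: the task action is a command file; look inside it
        if command.lower().endswith(SCRIPT_EXTENSIONS):
            indirect_launcher = True
            reasons.append(f"task action is a command file: {command}")
            body = read_file(command)
            if body is None:
                reasons.append("command file could not be read")
                continue
            for marker in REMOTE_TOOL_MARKERS:
                if marker in body.lower():
                    reasons.append(f"command file launches {marker}")
                    marker_hits += 1
    if marker_hits:
        verdict = "suspicious"
    elif indirect_launcher:
        verdict = "review"  # script indirection alone deserves a look
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: task whose only action is a command file in a world-writable path
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\update.cmd</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: ordinary maintenance task running a signed system binary
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: command file that is referenced but not present in the export
MISSING_FILE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\run.bat</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: contents of the command files collected alongside the tasks
SAMPLE_FILES = {
    "C:\\Users\\Public\\update.cmd": '@echo off\r\nstart "" "C:\\Users\\Public\\MeshAgent.exe" connect\r\n',
}

if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML),
                           ("missing", MISSING_FILE_TASK_XML)):
        print(name, analyze_task(xml_text, SAMPLE_FILES.get))
```

Running the block prints the verdict and reasons for each of the three constructed tasks; the first is flagged because its command file launches MeshAgent, the second is clean, and the third is marked for review because the task points at a `.bat` file that the collector could not retrieve.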