Key points
- Targets: Russian government agencies, contractors, and industrial enterprises.
- Attackers switched from UltraVNC to the legitimate MeshCentral agent (MeshAgent) for remote access.
- Delivery: malicious URLs, likely distributed through phishing, and self-extracting 7‑Zip archives containing UPX-packed binaries.
- First-stage dropper is a compiled AutoIt executable that launches NetworkDrivers.exe and an obfuscated .cmd script.
- Obfuscated batch (nKka9a82kjn8KJHA9.cmd) uses filler text and GOTO labels; deobfuscated, it creates a scheduled task for persistence.
- Persistence: scheduled task MicrosoftEdgeUpdateTaskMachineMS runs EdgeBrowser.cmd which invokes MeshAgent via PowerShell; initial files are deleted to hinder detection.
- IOCs provided include multiple MD5/SHA1/SHA256 hashes, domain kwazindernuren[.]com, IP 38.180.101[.]12, and the task name MicrosoftEdgeUpdateTaskMachineMS.
MITRE Techniques
- [T1219] Remote Access Tools – MeshAgent (the MeshCentral agent) was used for remote access instead of UltraVNC; [‘the attackers used MeshAgent, an agent for the MeshCentral system’]
- [T1566] Phishing – the implant was delivered via malicious URLs likely obtained through phishing emails; [‘the implant was delivered to victims’ devices via a malicious URL, likely obtained through phishing emails’]
- [T1053] Scheduled Task/Job – attackers create a scheduled task named MicrosoftEdgeUpdateTaskMachineMS to launch payloads and maintain persistence; [‘create a scheduled task named MicrosoftEdgeUpdateTaskMachineMS to maintain persistence’]
- [T1059] Command and Scripting Interpreter – an AutoIt script and obfuscated CMD files are used to execute payloads and persistence actions; [‘it contains a compiled AutoIt script… it launches NetworkDrivers.exe and nKka9a82kjn8KJHA9.cmd’]
Indicators of Compromise
- [File hashes] Implant and stages – MD5 603eead3a4dd56a796ea26b1e507a1a3, MD5 deae4a955e1c38aae41bec5e5098f96f, and other hashes (several SHA1/SHA256 items)
- [Filenames] Executables and scripts – NetworkDrivers.exe (MeshAgent), MicrosoftStores.exe (AutoIt dropper), nKka9a82kjn8KJHA9.cmd, EdgeBrowser.cmd
- [Domain] C2/related domain – kwazindernuren[.]com (listed in IOCs)
- [IP address] C2 host – 38.180.101[.]12 (listed in IOCs)
- [Scheduled task name] Persistence indicator – MicrosoftEdgeUpdateTaskMachineMS (task created to run EdgeBrowser.cmd)
The technical infection chain begins with a 7‑Zip self-extracting archive that unpacks several files into a temporary directory and executes MicrosoftStores.exe, a UPX-packed AutoIt binary. That AutoIt executable contains an embedded interpreter and an obfuscated script (identified by the ‘AU3!’ marker) which, after deobfuscation, launches NetworkDrivers.exe (the MeshAgent executable) and an oversized, heavily obfuscated batch file named nKka9a82kjn8KJHA9.cmd to progress the attack.
The batch file uses simple obfuscation (large filler blocks skipped via GOTO labels) but, when deobfuscated, its purpose is clear: it creates a scheduled task named MicrosoftEdgeUpdateTaskMachineMS that runs EdgeBrowser.cmd. EdgeBrowser.cmd then launches NetworkDrivers.exe using PowerShell to connect to the MeshCentral C2; NetworkDrivers.msh (included in the archive and embedded in the binary) holds the MeshName/MeshID/ServerID and the WebSocket C2 address. The operators also delete first-stage artifacts (for example MicrosoftStores.exe) as part of cleanup to complicate detection.
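As an added example (not code from the Securelist write-up or its authors), the following Python walker recovers the commands that actually execute from a GOTO-padded batch file of the kind described above, following the jumps and skipping the filler. The embedded batch sample, its labels, flags and paths are constructed for illustration; only the task and file names come from the write-up.

```python
import re
# Constructed sample in the style described for nKka9a82kjn8KJHA9.cmd: real commands sit
# between filler blocks that are never reached because a GOTO jumps over them (illustrative).
SAMPLE_CMD = r"""@echo off
goto :s1
zxq9 plkm filler filler 8f7a6d5c never executed, only inflates the file
:s1
set TN=MicrosoftEdgeUpdateTaskMachineMS
goto :s2
another filler block padding the file
:s2
schtasks /create /f /tn %TN% /tr "%TEMP%\EdgeBrowser.cmd" /sc onlogon
goto :s3
padding padding padding
:s3
del /q "%TEMP%\MicrosoftStores.exe"
exit /b
"""

LABEL_RE = re.compile(r"^\s*:(\S+)")
GOTO_RE = re.compile(r"^\s*goto\s+:?(\S+)", re.IGNORECASE)
SET_RE = re.compile(r"^\s*set\s+([^=\s]+)=(.*)$", re.IGNORECASE)

def deobfuscate_goto_batch(text: str, max_steps: int = 100_000) -> list[str]:
    """Emulate cmd.exe control flow: follow GOTO jumps, skip labels, expand %VAR%
    values assigned by plain 'set' lines, and return only the commands that would run."""
    lines = text.splitlines()
    labels = {m.group(1).lower(): i for i, l in reversed(list(enumerate(lines)))
              if (m := LABEL_RE.match(l))}              # first occurrence wins, as in cmd.exe
    env, executed, pc, steps = {}, [], 0, 0
    while pc < len(lines) and steps < max_steps:        # bound the walk: obfuscators can loop
        steps += 1
        line = lines[pc].strip()
        pc += 1
        if not line or LABEL_RE.match(line):            # labels and blank lines do nothing
            continue
        if g := GOTO_RE.match(line):
            target = g.group(1).lower()
            if target == "eof" or target not in labels: # end of file or unknown label stops the script
                break
            pc = labels[target] + 1
            continue
        line = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), line)
        if s := SET_RE.match(line):                     # remember values the script sets itself
            env[s.group(1).upper()] = s.group(2)
        executed.append(line)
        if line.lower().startswith("exit"):
            break
    return executed

if __name__ == "__main__":
    print("\n".join(deobfuscate_goto_batch(SAMPLE_CMD)))
```

Variables the script does not set itself (here %TEMP%) are left as written, so the analyst still sees where the payload path comes from.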
Key artefacts and technical specifics: the binaries are UPX-compressed PE32 executables, the AutoIt stage is compiled into the dropper, the obfuscated CMD file is roughly 1 MB or more because of the filler content, MeshAgent is detected as HEUR:RemoteAdmin.Win32.MeshAgent.gen, and the network configuration lives in NetworkDrivers.msh, which points the agent at the MeshCentral server over WebSocket. Hunting and containment should focus on the listed hashes, the domain kwazindernuren[.]com, the IP 38.180.101[.]12, suspicious AutoIt executables, and the scheduled task MicrosoftEdgeUpdateTaskMachineMS.
Read more: https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/