MeshAgent

Over 100 Ukrainian state and local government computers have been compromised by the MeshAgent malware in a phishing campaign that exploited trust in the Security Service of Ukraine (SBU).

The attack involved emails that appeared to come from the SBU, containing a link to download a file labeled 'Documents.zip'.

However, clicking the link downloaded a Microsoft Software Installer (MSI) file instead, such as 'Scan_docs#40562153.msi'. Opening this MSI file triggered the installation of ANONVNC, also known as the MeshAgent malware, potentially giving attackers covert, unauthorized access to the compromised systems.

The Attackers May Have Exploited an Open-Source Tool

The ANONVNC malware, as analyzed by security researchers, features a configuration file that closely resembles that of the MeshAgent software tool.

MeshAgent is primarily a remote management tool designed to work with the open-source platform MeshCentral. It supports various operating systems, including Windows, Linux, macOS, and FreeBSD. While MeshAgent itself is not inherently malicious, cybercriminals have been abusing it to create backdoors on compromised endpoints, enabling remote access via tools like VNC, RDP, or SSH.

Recently, security researchers have observed an increase in the misuse of MeshAgent by attackers to maintain persistence on compromised systems and execute remote commands.

Why Cybercriminals Hijack the MeshAgent Tool

  • Seamless Connection: After installation, MeshCentral automatically establishes connections with endpoints without needing any user interaction.
  • Unauthorized Access: MeshCentral can access MeshAgent either directly or through Remote Desktop Protocol (RDP), without needing permission from the endpoint's user.
  • System Control: It has the capability to wake up, restart, or shut down endpoints remotely.
  • Command and Control: MeshCentral functions as a command server, allowing it to execute shell commands and transfer files on the endpoint without the user's awareness.
  • Undetectable Operations: Actions performed by MeshCentral operate under the NT AUTHORITY\SYSTEM account, which helps them blend in with normal background processes.
  • Unique File Hashes: Each instance of MeshAgent is uniquely generated, which makes it difficult to detect through file hashes alone.
  • Phishing and Firewall Evasion: Attackers frequently distribute MeshAgent via phishing emails. Its use of common ports like 80 and 443 for communication increases the chances of evading detection by firewalls.
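Because each MeshAgent build has a unique hash, a defender gets more mileage from the embedded configuration that researchers say ANONVNC shares with MeshAgent. The triage helper below is an added example, not code from the article or from the MeshCentral project; it assumes MeshAgent's plain-text .msh key names (MeshName, MeshType, MeshID, ServerID, MeshServer) and runs over a constructed byte sample rather than a real dropped file.

```python
"""Triage helper: find a MeshAgent-style configuration block inside a suspect
file and report the server and port the agent would connect back to."""
import re
from urllib.parse import urlparse

# Key names follow MeshAgent's .msh format (assumed here, not quoted in the
# article). The agent stores this block as plain text, so it survives the
# per-instance changes that defeat hash-based detection.
MSH_KEYS = ("MeshName", "MeshType", "MeshID", "ServerID", "MeshServer")
_LINE = re.compile(rb"^(?P<k>[A-Za-z]+)=(?P<v>[^\r\n\x00]+)\r?$", re.M)
_DEFAULT_PORT = {"wss": 443, "https": 443, "ws": 80, "http": 80}

def extract_msh(blob: bytes) -> dict:
    """Return the key=value pairs that match known .msh keys. Embedded
    strings are often NUL-separated, so NULs are treated as line breaks."""
    text = blob.replace(b"\x00", b"\n")
    return {m["k"].decode(): m["v"].decode(errors="replace")
            for m in _LINE.finditer(text) if m["k"].decode() in MSH_KEYS}

def triage(blob: bytes) -> dict:
    """Decide whether the blob carries a MeshAgent-style config and, if so,
    pull out the callback host/port (80 and 443 blend in with web traffic)."""
    cfg = extract_msh(blob)
    hits = [k for k in MSH_KEYS if k in cfg]
    result = {"meshagent_config": len(hits) >= 3, "keys": hits,
              "server_host": None, "server_port": None, "common_port": False}
    url = cfg.get("MeshServer")
    if url:
        u = urlparse(url)
        port = u.port or _DEFAULT_PORT.get(u.scheme)
        result.update(server_host=u.hostname, server_port=port,
                      common_port=port in (80, 443))
    return result

# Constructed sample: a fake binary prefix followed by NUL-separated config
# strings. The host is a reserved .invalid name, not a real indicator.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"\x00" * 8
          + b"MeshName=Documents\x00MeshType=2\x00"
          + b"MeshID=0x" + b"AB" * 48 + b"\x00"
          + b"ServerID=" + b"CD" * 48 + b"\x00"
          + b"MeshServer=wss://mesh.example.invalid:443/agent.ashx\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Point the helper at files dropped by msiexec or at unexpected services running as SYSTEM; a hit with a MeshServer host your organisation does not operate is worth escalating.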

Experts Warn about the Possibility of a Bigger Threatening Campaign

Researchers believe that this latest campaign began in July 2024 and might extend beyond Ukraine's borders. Analysis of the pCloud file storage service has uncovered over a thousand EXE and MSI files uploaded since August 1, some of which may be associated with this broader campaign.

On August 6, Ukraine launched a surprise attack in the Kursk region. For the first time, a senior military commander publicly confirmed that Kyiv's forces now control over 1,000 square kilometers (about 386 square miles) of Russian territory.

The recent phishing campaign, which deployed backdoor malware on government computer systems, coincided with this significant Ukrainian offensive. However, Kyiv has not directly attributed these targeted attacks to Russia or its cyber operations. Instead, the campaign has been linked to a threat actor identified as UAC-0198.

Previously, Russian hackers have used similar tactics, leveraging legitimate remote monitoring and management (RMM) software to spy on Ukraine and its allies. They concealed malicious scripts needed to download and execute the RMM software within the legitimate Python code of Microsoft's 'Minesweeper' game.
