
Recently, an incident occurred in which the North Korean hacking group Andariel used MeshAgent, the agent component of the open-source MeshCentral remote management platform, as a C2 channel to spread malware to Korean companies. Andariel is reported to have downloaded the MeshAgent binary from an external source under the name "fav.ico", a filename chosen to pass as a harmless icon file, and to have used it during lateral movement to distribute malware such as AndarLoader and ModeLoader to the attack targets.

MeshAgent is a legitimate remote management agent. Once installed, it reports basic host information to its management server and lets the operator execute commands, open RDP and VNC sessions, and control power state and user accounts. These are exactly the capabilities an attacker wants from a C2 implant, which is why the tool lends itself to abuse. This is the first time Andariel has been observed using MeshAgent, but attacks built on MeshAgent C2 servers are not new and have occurred repeatedly. Andariel is also known for distributing malware by abusing software already installed on its targets or by exploiting vulnerabilities, so there is reason to expect attacks that use MeshAgent to increase.
Detection of Exposed MeshAgent C2 Servers
Criminal IP tags IP addresses on which a MeshAgent C2 server is running, so we used the tag filter in Asset Search to find them.
Search Query: tag: "c2_meshagent"

A total of 2,136 MeshAgent C2 servers were detected. Some of these are likely to have been installed by attackers; others are legitimate MeshCentral deployments, but a management server that is reachable from the internet is itself a target, and with MeshAgent abuse expected to grow, every exposed server is more likely to be attacked. A C2 server in an attacker's hands is not only used to distribute malware: it can drive botnet activity such as DDoS attacks or cryptocurrency mining, and it serves as a foothold for information theft and follow-on attacks that exploit vulnerabilities inside the network. For companies in particular, such intrusions cause financial damage, leak personal and confidential information, and undermine the trust placed in the company.
The country with the most exposed MeshAgent servers is the United States with 682, followed by Germany and Russia.

Exposed Remote Administration Pages and C2 Servers
Among the search results we also confirmed IP addresses exposing the login page of MeshCentral, the open-source remote monitoring and management server that MeshAgent connects to. An externally reachable login page for a remote management system means that anyone who obtains valid credentials gains the server's remote control functions over every host it manages. Attackers obtain such credentials through credential stuffing, default passwords, social engineering, or credential-stealing malware on an administrator's machine, and then use the management server to reach internal systems.
As the screenshot below shows, exposed remote control systems should be dealt with quickly: block external access and allow only authorized sources, for example by placing the login page behind a VPN or restricting it to an allowlist of administrative IP addresses.

MeshAgent is only one of the C2 servers being abused in cyberattacks. The CIP blog previously covered the dark web leak of military documents that involved a C2 framework and introduced a method for detecting the IP addresses of C2 servers used for malicious network activity. In addition to the queries introduced in that post, the Criminal IP C2 tags shown below can be used to detect C2 servers that may be exploited for cyberattacks.

From a defender's standpoint, two checks matter: detect whether any C2 server on the company's own address space, including a legitimately installed MeshCentral instance, is exposed externally, and monitor outbound connections from internal hosts to the IP addresses tagged as C2 servers, since such a connection indicates an implant calling home. Using tags in Criminal IP queries greatly simplifies and streamlines both checks.
Criminal IP's C2 tag is available on the Pro plan or higher; for a worked example of its use, see Chilean Army Documents Leak: Exploiting Cobalt Strike With Rhysida Ransomware.
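The second check above, matching internal traffic against the tagged C2 addresses, is simple to automate once the search results are exported. The script below is an added example written for this article; it is not Criminal IP's code or API client and does not contact Criminal IP. It assumes the tagged IPs have been exported as a CSV with ip, tags and country columns (the layout and the semicolon-separated tag list are assumptions), and it scans a constructed outbound proxy log in the format "timestamp src dst port method url bytes". It also applies a hunting heuristic taken from the Andariel case described at the top of this article: a request for a file named "fav.ico" whose size is far too large to be an icon is worth a look, because that is how the MeshAgent binary was fetched. All IPs, log lines and the 64 KB size threshold are constructed for the example.

```python
"""Watchlist matching for MeshAgent C2 servers over an outbound proxy log.

Added example for this article, not Criminal IP's own code or API client.
Every IP address, log line and threshold below is constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed CSV standing in for an exported asset-search result for tag: "c2_meshagent".
# The column layout and the ';'-separated tag list are assumptions of this example.
TAGGED_IP_EXPORT = """ip,tags,country
198.51.100.23,c2_meshagent,US
203.0.113.77,c2_meshagent;remote_admin,DE
192.0.2.15,c2_meshagent,RU
"""

# Constructed outbound proxy log: "<utc time> <src ip> <dst ip> <dst port> <method> <url> <bytes>".
PROXY_LOG = """2024-02-01T10:01:02Z 10.0.0.5 198.51.100.23 443 CONNECT 198.51.100.23:443 5312
2024-02-01T10:02:07Z 10.0.0.9 93.184.216.34 443 GET https://www.example.com/favicon.ico 3254
2024-02-01T10:03:44Z 10.0.0.9 203.0.113.77 443 GET https://203.0.113.77/agent.ashx 1880
2024-02-01T10:05:10Z 10.0.0.12 203.0.113.9 80 GET http://203.0.113.9/img/fav.ico 3145728
2024-02-01T10:06:59Z 10.0.0.5 198.51.100.23 443 CONNECT 198.51.100.23:443 99120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<port>\d+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)

# Assumption: a genuine .ico is a few kilobytes; a MeshAgent binary is megabytes.
ICON_SIZE_LIMIT = 64 * 1024


def load_watchlist(csv_text, tag="c2_meshagent"):
    """Return the set of exported IPs whose tag list contains the wanted tag."""
    watch = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if tag in row["tags"].split(";"):
            watch.add(row["ip"].strip())
    return watch


def parse_proxy_log(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def find_c2_contacts(events, watchlist):
    """Map each internal source IP to its connections to a tagged C2 address."""
    contacts = defaultdict(list)
    for ev in events:
        if ev["dst"] in watchlist:
            contacts[ev["src"]].append((ev["ts"], ev["dst"], ev["port"]))
    return dict(contacts)


def find_disguised_agent_downloads(events, max_icon_bytes=ICON_SIZE_LIMIT):
    """Flag fetches of a file literally named fav.ico that are too large to be an icon."""
    hits = []
    for ev in events:
        filename = ev["url"].rsplit("/", 1)[-1].lower()
        if filename == "fav.ico" and ev["bytes"] > max_icon_bytes:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    watchlist = load_watchlist(TAGGED_IP_EXPORT)
    events = parse_proxy_log(PROXY_LOG)
    for src, hits in find_c2_contacts(events, watchlist).items():
        print(f"[C2 contact] {src} -> {len(hits)} connection(s): {hits}")
    for ev in find_disguised_agent_downloads(events):
        print(f"[disguised download] {ev['src']} fetched {ev['url']} ({ev['bytes']} bytes)")
```

On the constructed data the scan reports two internal hosts (10.0.0.5 and 10.0.0.9) talking to tagged MeshAgent C2 addresses and one host (10.0.0.12) pulling a 3 MB "fav.ico"; the ordinary favicon.ico request is left alone because the filename check is exact. The watchlist lookup is a set membership test, so the same approach scales to the full 2,136-address result set, and it is worth re-exporting the tag results on a schedule because C2 infrastructure changes quickly.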
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP (https://www.criminalip.io)
