CheckMesh: Hidden Threats in Your FW
Contents
CheckMesh: Unveiling the Hidden Threats in Your Firewall 4
1. Explaining the breach - The story in a nutshell 5
2. Threat Actor Attribution, TTPs, and Motivation 6
- Threat Actor Attribution
- Motivation
- Understanding MeshAgent
- Technical goodies: Dissecting the Attack
- The Initial Clues 10
3. Following the breadcrumbs 11
4. Technical Analysis: examining the ELF 13
6. Detection, IOCs, and YARA rules 19
CheckMesh: Unveiling the Hidden Threats in Your Firewall
At HackersEye, tackling the most complex cybersecurity challenges is a daily routine and a cornerstone of our operations. As Israel faces ongoing geopolitical tensions and an escalation in cyber incidents due to the current state of conflict, our team stands at the forefront, defending critical infrastructure against sophisticated and persistent threats.
"Our highly skilled cybersecurity experts specialize in identifying and mitigating advanced persistent threats (APTs), utilizing state-of-the-art tools and methodologies to stay ahead of malicious actors," says Tal Raveh, CEO of HackersEye.
Recently, we encountered an exceptionally advanced cyber-attack …
IoC
SHA-256: 1134af27bea8518c62444a56f4bd4bcc95db40a9bb6132688cf31515da08b9aa
SHA-256: 3840ACB15880F6CB0A77347D4A3893C5A3FBFCC2167BD5E3F86E2CE0F7CDBF19
SHA-1: b1b15e09ea98228203e110456d514327ce6b7438
MD5: 277e376f8e521b5127d45da965a5a43d
IP: 51.16.51.81
IP: 78.141.238.182
URL: http://api.gupdate.net
rule MeshAgent_Config
{
meta:
description = "Detects the CheckMesh configuration file"
author = "HackersEye"
date = "2024-07-04"
strings:
$config_string1 = "MeshName=Remote" ascii
$config_string2 = "MeshType=2" ascii
$config_string3 = "MeshID=0x" ascii
$config_string4 = "ServerID=" ascii
$config_string5 = "MeshServer=wss://" ascii
$config_string6 = "\"agent\":\"Agent\"" ascii
$config_string7 = "\"install\":\"Install\"" ascii
$config_string8 = "\"setup\":\"Setup\"" ascii
condition:
filesize < 10KB and
all of ($config_string1, $config_string2, $config_string3, $config_string4, $config_string5) and
any of ($config_string6, $config_string7, $config_string8)
}
rule MeshAgent_ELF
{
meta:
description = "Detects the CheckMesh attack"
author = "HackersEye"
date = "2024-07-04"
strings:
$elf_magic = { 7f 45 4c 46 02 01 01 00 }
$mesh_string1 = "meshcore/KVM/Linux/linux_kvm.c" ascii
$mesh_string2 = "meshcore: %s" ascii
$mesh_string3 = "meshcore/agentcore.c" ascii
$mesh_string4 = "meshagent" ascii
$mesh_string5 = "--meshServiceName=" ascii
$mesh_string6 = "/var/run/meshagent.pid" ascii
condition:
uint32(0) == 0x464c457f and
filesize < 10MB and
all of ($elf_magic, $mesh_string1, $mesh_string2, $mesh_string3, $mesh_string4,
$mesh_string5, $mesh_string6)
}
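The following Python helper is an added example, not tooling from the HackersEye report. It ports the two YARA rules above into plain Python and checks a file's MD5/SHA-1/SHA-256 and its MeshServer host against the IoC list, which is useful on a host where the yara binary cannot be installed (a firewall appliance, for instance). The sample .msh config and the ELF stand-in are constructed inputs: the MeshID/ServerID values are placeholders, the .msh layout assumes the key=value format the rule strings imply, and the ELF blob is a header prefix plus the rule's strings, not a runnable binary.

```python
"""Triage helper for the CheckMesh IoCs: hash lookup, MeshServer host check and a
pure-Python port of rules MeshAgent_Config and MeshAgent_ELF from the report.
All sample data below is constructed for the example."""
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Indicators from the report's IoC list; hash type inferred from digest length.
IOC_HASHES = {
    "1134af27bea8518c62444a56f4bd4bcc95db40a9bb6132688cf31515da08b9aa",  # SHA-256
    "3840acb15880f6cb0a77347d4a3893c5a3fbfcc2167bd5e3f86e2ce0f7cdbf19",  # SHA-256
    "b1b15e09ea98228203e110456d514327ce6b7438",                          # SHA-1
    "277e376f8e521b5127d45da965a5a43d",                                  # MD5
}
IOC_HOSTS = {"51.16.51.81", "78.141.238.182", "api.gupdate.net"}

# Strings mirrored one-to-one from the two YARA rules.
CONFIG_REQUIRED = [b"MeshName=Remote", b"MeshType=2", b"MeshID=0x",
                   b"ServerID=", b"MeshServer=wss://"]
CONFIG_ANY = [b'"agent":"Agent"', b'"install":"Install"', b'"setup":"Setup"']
ELF_REQUIRED = [
    b"\x7fELF\x02\x01\x01\x00",          # $elf_magic: ELF64, little-endian, SYSV ABI
    b"meshcore/KVM/Linux/linux_kvm.c",
    b"meshcore: %s",
    b"meshcore/agentcore.c",
    b"meshagent",
    b"--meshServiceName=",
    b"/var/run/meshagent.pid",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_hits(data: bytes, iocs=IOC_HASHES) -> set:
    """Return the IoC digests (lower-cased) that match the MD5, SHA-1 or SHA-256 of data."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(), sha256_hex(data)}
    return digests & {h.lower() for h in iocs}


def config_matches_rule(data: bytes) -> bool:
    """Port of MeshAgent_Config: filesize < 10KB, all five config keys, any one translation string."""
    return (len(data) < 10 * 1024
            and all(s in data for s in CONFIG_REQUIRED)
            and any(s in data for s in CONFIG_ANY))


def elf_matches_rule(data: bytes) -> bool:
    """Port of MeshAgent_ELF: uint32(0) == 0x464c457f, filesize < 10MB, all seven strings present."""
    return (data[:4] == b"\x7fELF"
            and len(data) < 10 * 1024 * 1024
            and all(s in data for s in ELF_REQUIRED))


def parse_msh(data: bytes) -> dict:
    """Parse key=value lines of a MeshAgent .msh config (assumed layout); later keys override earlier."""
    cfg = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def config_server_host(cfg: dict) -> Optional[str]:
    """Hostname the agent would connect to, taken from the MeshServer wss:// URL."""
    server = cfg.get("MeshServer")
    return urlparse(server).hostname if server else None


def triage(data: bytes) -> dict:
    """Collect every indicator found in one blob so the caller can decide what to do with it."""
    result = {"hash_hits": hash_hits(data),
              "elf_rule": elf_matches_rule(data),
              "config_rule": config_matches_rule(data),
              "mesh_server_host": None,
              "host_is_ioc": False}
    if result["config_rule"]:
        host = config_server_host(parse_msh(data))
        result["mesh_server_host"] = host
        result["host_is_ioc"] = host in IOC_HOSTS
    return result


# Constructed sample .msh: placeholder IDs, server host set to the report's IoC domain.
SAMPLE_CONFIG = b"""MeshName=Remote
MeshType=2
MeshID=0x00000000000000000000000000000000
ServerID=00000000000000000000000000000000
MeshServer=wss://api.gupdate.net:443/agent.ashx
translation={"en":{"agent":"Agent","install":"Install","setup":"Setup"}}
"""

# Constructed ELF stand-in: real header prefix plus the rule strings, not an executable.
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
              + b"\x00".join(ELF_REQUIRED[1:]) + b"\x00")

if __name__ == "__main__":
    for name, blob in (("sample.msh", SAMPLE_CONFIG), ("meshagent", SAMPLE_ELF)):
        print(name, triage(blob))
```

Both YARA rules, and this port of them, match any MeshAgent build: the strings come from the open-source MeshCentral agent source, so a hit means "a MeshAgent is present", not "this is the CheckMesh sample". On a firewall that is already the finding; on an estate where MeshCentral is sanctioned, the MeshServer host from the .msh is what separates a legitimate agent from one pointing at infrastructure such as api.gupdate.net.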