← Back to Pulse Feed
PULSE DETAIL
This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.
MITRE ATT&CK & Malware Families
Indicators of Compromise (13)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| FileHash-MD5 | 277e376f8e521b5127d45da965a5a43d | — | 2024-08-05 | |
| FileHash-SHA1 | 91971157c3444b92c8944ea535c86f97c8514103 | — | 2024-08-05 | |
| FileHash-SHA1 | b1b15e09ea98228203e110456d514327ce6b7438 | — | 2024-08-05 | |
| FileHash-SHA256 | 1134af27bea8518c62444a56f4bd4bcc95db40a9bb6132688cf31515da08b9aa | — | 2024-08-05 | |
| FileHash-SHA256 | 3840acb15880f6cb0a77347d4a3893c5a3fbfcc2167bd5e3f86e2ce0f7cdbf19 | — | 2024-08-05 | |
| FileHash-SHA256 | 460acbb38b0bdb3d227de65010b1a323f448ec196860ce4979c0b8314763eb56 | — | 2024-08-05 | |
| URL | http://api.gupdate.net:443/agent.ashx | — | 2024-08-05 | |
| YARA | 9de2abc7621215ff03926d028aae14f988d27009 | — | 2024-08-05 | |
| YARA | f0148c4baf7acedc76d39626e78b51bea40a0ae9 | — | 2024-08-05 | |
| domain | gupdate.net | — | 2024-08-05 | |
| hostname | api.gupdate.net | — | 2024-08-05 | |
| YARA | f0148c4baf7acedc76d39626e78b51bea40a0ae9 | Detects the CheckMesh attack | 2024-08-05 | |
| YARA | 9de2abc7621215ff03926d028aae14f988d27009 | Detects the CheckMesh configuration file | 2024-08-05 |
References (1)