
Understanding and threat hunting for RMM software misuse

    May 20, 2025 6:23 AM EDT

    MeshAgent

    MeshAgent is the client component of MeshCentral, an open source remote device management platform. It relies on a “mesh” (MSH) configuration file containing essential parameters — MeshName, MeshID, ServerID and the command-and-control (C2) address — to connect to the MeshCentral server via the WebSocket protocol.
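Added example, not MeshCentral or MeshAgent code: a small Python triage helper that parses a recovered .msh configuration file and pulls out the parameters a hunter pivots on (the C2 host, port and WebSocket path, plus MeshID and ServerID). It assumes the .msh file is plain Key=Value lines with the MeshName, MeshType, MeshID, ServerID and MeshServer keys, that the server address is a ws:// or wss:// URL and that the stock agent endpoint path is /agent.ashx; the sample configuration is constructed.

```python
"""Triage a recovered MeshAgent .msh configuration and extract the C2 endpoint.

Added example for this post, not MeshCentral/MeshAgent code. Assumptions:
the .msh file is plain Key=Value text; the server address lives in the
MeshServer key as a ws:// or wss:// URL; MeshID and ServerID are hex digests
(MeshID carries a 0x prefix); the stock agent endpoint path is /agent.ashx.
The sample configuration below is constructed, not a real sample.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed .msh content mimicking a deployment disguised as a PDF viewer.
SAMPLE_MSH = """\
MeshName=PDFViewer
MeshType=2
MeshID=0x""" + "a1b2" * 24 + """
ServerID=""" + "c3d4" * 24 + """
MeshServer=wss://updates.example.invalid:443/agent.ashx
"""


def parse_msh(text: str) -> Dict[str, str]:
    """Parse Key=Value lines; blank lines and lines without '=' are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def c2_indicators(cfg: Dict[str, str]) -> Dict[str, object]:
    """Return the network and identity indicators worth searching for elsewhere."""
    parts = urlsplit(cfg.get("MeshServer", ""))
    port = parts.port
    if port is None:  # WebSocket default ports when the URL omits one
        port = 443 if parts.scheme == "wss" else 80
    return {
        "mesh_name": cfg.get("MeshName", ""),
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": port,
        "path": parts.path,
        "mesh_id": cfg.get("MeshID", "").lower(),
        "server_id": cfg.get("ServerID", "").lower(),
    }


def _is_hex(s: str) -> bool:
    return bool(s) and all(ch in "0123456789abcdefABCDEF" for ch in s)


def sanity_issues(cfg: Dict[str, str]) -> List[str]:
    """Flag fields that do not look like a stock MeshAgent configuration."""
    issues: List[str] = []
    for key in ("MeshName", "MeshID", "ServerID", "MeshServer"):
        if key not in cfg:
            issues.append(f"missing {key}")
    mesh_id = cfg.get("MeshID", "")
    if mesh_id and not (mesh_id.startswith("0x") and _is_hex(mesh_id[2:])):
        issues.append("MeshID is not 0x-prefixed hex")
    if "ServerID" in cfg and not _is_hex(cfg["ServerID"]):
        issues.append("ServerID is not hex")
    parts = urlsplit(cfg.get("MeshServer", ""))
    if parts.scheme not in ("ws", "wss"):
        issues.append("MeshServer is not a WebSocket URL")
    elif parts.scheme == "ws":
        issues.append("MeshServer uses unencrypted ws://")
    if parts.path and parts.path != "/agent.ashx":  # assumed default path
        issues.append(f"non-default agent path {parts.path}")
    return issues


if __name__ == "__main__":
    config = parse_msh(SAMPLE_MSH)
    print(c2_indicators(config))
    print(sanity_issues(config))
```

The host and port extracted from MeshServer are the values to pivot on in proxy and DNS logs; MeshID and ServerID tie multiple infected hosts to the same attacker-controlled server even when the agent binary and service name differ between hosts.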


    As a powerful RMM tool, MeshAgent allows operators to control nearly every aspect of a device through the MeshCentral server. This includes viewing all devices within the mesh network, remotely managing desktops, transferring files and gathering detailed software and hardware information.

    In May 2024, Cisco Talos researchers reported a campaign, active since at least 2021, allegedly orchestrated by the LilacSquid group (aka UAT-4820). The group uses MeshAgent to maintain post-compromise persistence after successful exploitation. Upon execution, MeshAgent connects to its C2 server, performs initial reconnaissance and downloads or activates additional implants. The attackers fetched MeshAgent with the “bitsadmin” utility and then launched it to establish contact with the C2.

    In October 2024, another MeshAgent-based campaign was documented, this time attributed to Awaken Likho (aka Core Werewolf), a group that primarily targets Russian government entities and enterprises. The campaign is believed to have started in June 2024 and continued through August 2024. Whereas the attackers had previously relied on the open source virtual network computing (VNC) utility UltraVNC for remote access, MeshAgent replaced UltraVNC in this latest operation.

    Separately, in April 2024, we released a report detailing the activities of the actor Tur0k (aka AdmiralMoks, BabooLock), who offered MeshCentral-based remote access trojan (RAT) malware with information stealing, loader and persistence capabilities via a malware-as-a-service (MaaS) business model.


    Detection

    Although MeshAgent installers can be obtained from the official MeshCentral website, that download URL is rarely observed in the wild. Because the source code and official releases are available in the MeshAgent GitHub repository, actors can make subtle modifications and customizations that thwart detection and threat hunting. The current version of the project was 1.1.43 at the time of this report. Despite the higher degree of possible customization compared to the other RMM tools and PSA software discussed in this report, there are still opportunities for detection.


    Command-line arguments observed during the run

    Two command-line arguments appeared repeatedly in our observations, although not always together. The “meshServiceName” argument lets the installer choose a custom Windows service name, which threat actors often use to disguise the agent as a benign application. The “installedByUser” argument records the security identifier (SID) of the user account that installed the tool.

    --meshServiceName=""

    --installedByUser=""

    The following examples illustrate uses of the above command-line arguments as observed in real-world attacks:

    --meshServiceName="PDFViewer"

    --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"


    Artifacts observed during the run

    The default installation folder, “Mesh Agent”, is usually located under “C:\Program Files (x86)\” or “C:\Program Files\”. In practice, however, this default location is rarely used as-is: threat actors frequently rename the binary and its folder to obscure their presence and hinder detection.

    C:\Program Files\Mesh Agent\MeshAgent.exe

    Other artifacts are often left unchanged when actors customize the agent, and these can still indicate a MeshAgent infection. They include the following registry keys and their values:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent

    HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
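Added example, not code from the original report: a Python hunting routine that applies the indicators from this section and from the command-line section above (the meshServiceName and installedByUser arguments, the default install path and the three registry keys) to constructed Sysmon-style events for process creation, file creation and registry key creation. It assumes a simplified event schema (one dict per event with type, host and the relevant field) and, going slightly beyond the page, treats CurrentControlSet and any ControlSetNNN as equivalent to the ControlSet001 key listed above. The event sample is constructed.

```python
"""Hunt for MeshAgent indicators in process, file and registry telemetry.

Added example for this post, not code from the original report. It uses the
command-line arguments, default install path and registry keys the post
lists. Assumptions: events are simplified Sysmon-style dicts with keys
"type", "host" and one of "image"/"cmdline", "path" or "key"; registry paths
are normalized so CurrentControlSet and ControlSetNNN match the ControlSet001
key from the post. SAMPLE_EVENTS is constructed, not real telemetry.
"""
import re
from typing import Dict, List

# Default install folders from the post (lower-cased, trailing separator kept).
DEFAULT_DIRS = (
    "c:\\program files\\mesh agent\\",
    "c:\\program files (x86)\\mesh agent\\",
)
# Registry keys from the post, lower-cased for comparison.
REGISTRY_KEYS = {
    "hkey_local_machine\\system\\controlset001\\services\\mesh agent",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\uninstall\\mesh agent",
    "hkey_local_machine\\software\\open source\\mesh agent",
}
# Matches --name="quoted value" or --name=bare for the two installer arguments.
ARG_RE = re.compile(r'--(meshservicename|installedbyuser)=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
CANON = {"meshservicename": "meshServiceName", "installedbyuser": "installedByUser"}
# Domain/local user SID shape (S-1-5-21-<three sub-authorities>-<RID>).
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")
CONTROLSET_RE = re.compile(r"\\(currentcontrolset|controlset\d{3})\\")


def parse_mesh_args(cmdline: str) -> Dict[str, str]:
    """Extract the two MeshAgent installer arguments from a command line."""
    out: Dict[str, str] = {}
    for m in ARG_RE.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out[CANON[m.group(1).lower()]] = value
    return out


def normalize_key(key: str) -> str:
    """Lower-case and fold CurrentControlSet/ControlSetNNN to ControlSet001 (assumption)."""
    return CONTROLSET_RE.sub(r"\\controlset001\\", key.lower())


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that carries a MeshAgent indicator."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            args = parse_mesh_args(ev.get("cmdline", ""))
            if not args:
                continue
            svc = args.get("meshServiceName", "")
            sid = args.get("installedByUser", "")
            renamed = bool(svc) and svc.lower() != "mesh agent"
            image = ev.get("image", "").lower()
            outside = not any(image.startswith(d) for d in DEFAULT_DIRS)
            findings.append({
                "host": ev["host"],
                "rule": "meshagent_renamed_service" if renamed else "meshagent_install_args",
                "detail": f"service={svc or '?'} sid={sid or '?'} "
                          f"sid_is_user={bool(SID_RE.match(sid))} image_outside_default={outside}",
            })
        elif kind == "file":
            path = ev.get("path", "").lower()
            if any(path.startswith(d) for d in DEFAULT_DIRS) or path.endswith("\\meshagent.exe"):
                findings.append({"host": ev["host"], "rule": "meshagent_default_artifact",
                                 "detail": ev["path"]})
        elif kind == "registry":
            if normalize_key(ev.get("key", "")) in REGISTRY_KEYS:
                findings.append({"host": ev["host"], "rule": "meshagent_registry_key",
                                 "detail": ev["key"]})
    return findings


# Constructed events: a disguised install, a benign process, a registry key
# written under CurrentControlSet, and a default-path binary.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\Public\Libraries\pdfviewer.exe",
     "cmdline": r'"C:\Users\Public\Libraries\pdfviewer.exe" '
                r'--meshServiceName="PDFViewer" '
                r'--installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry", "host": "WS01",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mesh Agent"},
    {"type": "file", "host": "SRV02",
     "path": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The command-line rule is the one that survives renaming: the binary, folder and service name in the first event are all custom, yet the installer arguments still identify it, and the SID in installedByUser tells you which account ran the install. The registry and file rules catch the artifacts actors forget to change.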
