Ukraine's Computer Emergency Response Team (CERT-UA) has warned of a new wave of cyber-attacks targeting state organizations. Threat actors were discovered using Merlin, an open-source post-exploitation tool, to carry out attacks and lateral movement within compromised networks.
Merlin, a Go-based cross-platform post-exploitation toolkit freely available on GitHub, is well-equipped with features designed to help cybersecurity experts in red team exercises. Despite its noble intentions, Merlin has now been weaponized by malicious actors.
Key Features of Merlin:
HTTP/1.1 clear-text
, HTTP/1.1 over TLS
, HTTP/2
, HTTP/2 clear-text (h2c)
, HTTP/3 (HTTP/2 over QUIC)
execute-pe
execute-assembly
or in-process with invoke-assembly
CreateThread
, CreateRemoteThread
, QueueUserAPC
, RtlCreateUserThread
CERT-UA reports detecting Merlin in attacks correlated with an email phishing campaign impersonating the agency. The attackers used an email address (cert-ua@ukr[.]net) and sent rogue emails offering to teach recipients how to strengthen their Microsoft Office suite.
These emails contained a malicious CHM file attachment that, when opened, executed JavaScript code running a PowerShell script.
The script then fetched, decrypted and extracted a GZIP archive containing the ctlhost.exe
executable. Victims who then execute it would unwittingly plant MerlinAgent
on their device, granting threat actors access and lateral movement capability.
CERT-UA has assigned the activity the UAC-0154 identifier, and the security advisory includes a comprehensive list of Indicators of Compromise (IoC) such as file lists, hashes, domains, IP addresses and hosts.
As Merlin is an open-source tool available to most anyone, pinpointing the attack to a specific known threat actor is daunting for authorities. The situation raises critical questions about the responsibility and ethical considerations surrounding open-source cybersecurity tools.
Ukraine's government and international partners continue to monitor the situation and urge citizens and organizations to follow cybersecurity best practices and remain vigilant.
Individuals and organizations are encouraged to refer to the official CERT-UA security advisory for a complete list of IoCs and additional information.
Specialized software like Bitdefender Ultimate Security can protect you from Merlin attacks and other cyberthreats with features such as:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 19, 2024
November 14, 2024