Ukraine is warning of a wave of assaults concentrating on state organizations utilizing ‘Merlin,’ an open-source post-exploitation and command and management framework.
Merlin is a Go-based cross-platform post-exploitation toolkit out there free of charge through GitHub, providing intensive documentation for safety professionals to make use of in pink crew workouts.
It affords a variety of options, permitting pink teamers (and attackers) to acquire a foothold on a compromised community.
- Help for HTTP/1.1 over TLS and HTTP/3 (HTTP/2 over QUIC) for C2 communication.
- PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent site visitors encryption.
- OPAQUE Uneven Password Authenticated Key Change (PAKE) & Encrypted JWT for safe consumer authentication.
- Help for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution methods.
- Area fronting for bypassing community filtering.
- Built-in Donut, sRDI, and SharpGen help.
- Dynamic change within the agent’s JA3 hash & C2 site visitors message padding for evading detection.
Nevertheless, as we noticed with Sliver, Merlin is now being abused by risk actors who use it to energy their very own assaults and unfold laterally by way of compromised networks.
CERT-UA experiences that it detected it in assaults that began with the arrival of a phishing e-mail that impersonated the company (sender deal with: cert-ua@ukr.web) and supposedly supplied the recipients with directions on harden their MS Workplace suite.
Supply:Â CERT-UA
The emails carry a CHM file attachment that, if opened, executes JavaScript code which in flip runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive that accommodates the executable “ctlhost.exe.”
If the recipient runs this executable, their laptop will get contaminated by MerlinAgent, giving the risk actors entry to their machine, knowledge, and a foothold to maneuver laterally within the community.
Supply:Â CERT-UA
CERT-UA has assigned this malicious exercise the distinctive identifier UAC-0154, and the primary assaults had been recorded on July 10, 2023, when the risk actors used a “UAV coaching” bait of their emails.
Utilizing open-source instruments like Merlin to assault authorities companies or different vital organizations makes attribution tougher, leaving fewer distinct traces that may be linked to particular risk actors.
