Ukraine is warning of a wave of assaults concentrating on state organizations utilizing ‘Merlin,’ an open-source post-exploitation and command and management framework.
Merlin is a Go-based cross-platform post-exploitation toolkit obtainable without spending a dime by way of GitHub, providing intensive documentation for safety professionals to make use of in crimson staff workout routines.
It presents a variety of options, permitting crimson teamers (and attackers) to acquire a foothold on a compromised community.
- Assist for HTTP/1.1 over TLS and HTTP/3 (HTTP/2 over QUIC) for C2 communication.
- PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent visitors encryption.
- OPAQUE Uneven Password Authenticated Key Alternate (PAKE) & Encrypted JWT for safe consumer authentication.
- Assist for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution methods.
- Area fronting for bypassing community filtering.
- Built-in Donut, sRDI, and SharpGen help.
- Dynamic change within the agent’s JA3 hash & C2 visitors message padding for evading detection.
Nevertheless, as we noticed with Sliver, Merlin is now being abused by menace actors who use it to energy their very own assaults and unfold laterally by compromised networks.
CERT-UA studies that it detected it in assaults that began with the arrival of a phishing e mail that impersonated the company (sender deal with: cert-ua@ukr.web) and supposedly offered the recipients with directions on how one can harden their MS Workplace suite.
Supply: CERT-UA
The emails carry a CHM file attachment that, if opened, executes JavaScript code which in flip runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive that accommodates the executable “ctlhost.exe.”
If the recipient runs this executable, their laptop will get contaminated by MerlinAgent, giving the menace actors entry to their machine, information, and a foothold to maneuver laterally within the community.
Supply: CERT-UA
CERT-UA has assigned this malicious exercise the distinctive identifier UAC-0154, and the primary assaults had been recorded on July 10, 2023, when the menace actors used a “UAV coaching” bait of their emails.
Utilizing open-source instruments like Merlin to assault authorities businesses or different vital organizations makes attribution tougher, leaving fewer distinct traces that may be linked to particular menace actors.
