Ukraine is warning of a wave of assaults focusing on state organizations utilizing ‘Merlin,’ an open-source post-exploitation and command and management framework.
Merlin is a Go-based cross-platform post-exploitation toolkit out there without spending a dime by way of GitHub, providing intensive documentation for safety professionals to make use of in crimson group workouts.
It gives a variety of options, permitting crimson teamers (and attackers) to acquire a foothold on a compromised community.
- Help for HTTP/1.1 over TLS and HTTP/3 (HTTP/2 over QUIC) for C2 communication.
- PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent site visitors encryption.
- OPAQUE Uneven Password Authenticated Key Trade (PAKE) & Encrypted JWT for safe person authentication.
- Help for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution strategies.
- Area fronting for bypassing community filtering.
- Built-in Donut, sRDI, and SharpGen assist.
- Dynamic change within the agent’s JA3 hash & C2 site visitors message padding for evading detection.
Nevertheless, as we noticed with Sliver, Merlin is now being abused by risk actors who use it to energy their very own assaults and unfold laterally by way of compromised networks.
CERT-UA stories that it detected it in assaults that began with the arrival of a phishing e mail that impersonated the company (sender tackle: cert-ua@ukr.web) and supposedly supplied the recipients with directions on find out how to harden their MS Workplace suite.
Supply: CERT-UA
The emails carry a CHM file attachment that, if opened, executes JavaScript code which in flip runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive that incorporates the executable “ctlhost.exe.”
If the recipient runs this executable, their pc will get contaminated by MerlinAgent, giving the risk actors entry to their machine, information, and a foothold to maneuver laterally within the community.
Supply: CERT-UA
CERT-UA has assigned this malicious exercise the distinctive identifier UAC-0154, and the primary assaults had been recorded on July 10, 2023, when the risk actors used a “UAV coaching” bait of their emails.
Utilizing open-source instruments like Merlin to assault authorities businesses or different essential organizations makes attribution tougher, leaving fewer distinct traces that may be linked to particular risk actors.