Cyber Security Threat Summary:
The Government Computer Emergency Response Team of Ukraine (CERT-UA) recently published an advisory warning of attacks on state organizations that use Merlin, an open-source post-exploitation and command and control (C2) framework. Merlin is written in Go and published under an open-source license on GitHub. The toolkit is typically used by security professionals in red team exercises and offers several features, including:
- Support for HTTP/1.1 over TLS and HTTP/3 (HTTP over QUIC) for C2 communication.
- PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent traffic encryption.
- OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE) & Encrypted JWT for secure user authentication.
- Support for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution techniques.
- Domain fronting for bypassing network filtering.
- Integrated Donut, sRDI, and SharpGen support.
- Dynamically changing the agent's JA3 hash and padding C2 messages to evade detection.
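
To show what the last feature defeats, the following Python computes a JA3 fingerprint from a TLS ClientHello and demonstrates that presenting the same cipher suites in a different order produces a different hash. This is an added example written for this summary, not code from Merlin or from CERT-UA; the ClientHello bytes are constructed inline by a small builder (an assumption for the example, not a capture of Merlin traffic), and the cipher, extension and group values were chosen to look realistic.

```python
"""Compute JA3 fingerprints from TLS ClientHello records (example code, not Merlin's own)."""
import hashlib
import struct

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3 by definition.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_client_hello(version, ciphers, extensions, groups, point_formats, session_id=b""):
    """Serialize a minimal TLS record carrying a ClientHello.

    Test helper only (assumption for the example): supported_groups (type 10) and
    ec_point_formats (type 11) get real bodies, every other extension is sent empty.
    """
    ext_bytes = b""
    for ext_type in extensions:
        if ext_type == 10:
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif ext_type == 11:
            body = struct.pack("!B", len(point_formats)) + bytes(point_formats)
        else:
            body = b""
        ext_bytes += struct.pack("!HH", ext_type, len(body)) + body
    body = (
        struct.pack("!H", version)
        + bytes(32)  # client random; its value does not affect the fingerprint
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"  # one compression method: null
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big")  + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def ja3_string(record):
    """Parse a TLS record holding a ClientHello and return the JA3 string
    'version,ciphers,extensions,groups,point_formats' (decimal, '-' separated)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hs = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + 32                       # client_version + random
    pos += 1 + hs[pos]                  # session_id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", hs, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                  # compression_methods
    exts, groups, formats = [], [], []
    if pos < len(hs):                   # extensions are optional
        ext_total = struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + ext_len]
            pos += ext_len
            exts.append(ext_type)
            if ext_type == 10 and len(data) >= 2:           # supported_groups
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif ext_type == 11 and len(data) >= 1:         # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), fmt(ciphers), fmt(exts), fmt(groups), fmt(formats)])


def ja3_hash(record):
    """JA3 fingerprint: MD5 of the JA3 string, as hex."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed samples (not captures): TLS 1.2 client_version, two TLS 1.3 and two ECDHE suites,
# GREASE + server_name + supported_groups + ec_point_formats + extended_master_secret.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[0x0A0A, 0, 10, 11, 23],
    groups=[0x2A2A, 29, 23],  # GREASE, x25519, secp256r1
    point_formats=[0],
)
# Identical cipher set, different order: same TLS security properties, different JA3.
SHUFFLED_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0xC02F, 0x1301, 0xC02B, 0x1302],
    extensions=[0x0A0A, 0, 10, 11, 23],
    groups=[0x2A2A, 29, 23],
    point_formats=[0],
)

if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_HELLO), ("shuffled", SHUFFLED_HELLO)):
        print(name, ja3_string(rec), ja3_hash(rec))
```

Because the hash covers only the order and content of the ClientHello, an agent that reorders its cipher suites or extensions per connection moves off any JA3 blocklist without changing anything a defender could object to cryptographically. Hashes therefore work as an enrichment, not a sole indicator: pair them with JA3S on the server side, certificate attributes, beaconing periodicity, and host telemetry for the injection techniques listed above (Sysmon Event ID 8 records CreateRemoteThread, for example). Note also that with HTTP/3 the ClientHello travels inside QUIC Initial packets, which a sensor must first decrypt (RFC 9001 derives those keys from the destination connection ID) before a parser like this one can be applied.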
Recommendations:
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails from unknown senders
- Do not supply passwords or personal or financial information via email to anyone (stolen sensitive information is also used for double extortion)
- Always verify the email sender's address, display name, and domain
- Back up important files frequently and store the backups separately from the main system
- Protect devices with antivirus, anti-spam, and anti-spyware software
- Report phishing emails to the appropriate security or IT staff immediately