Hackers use open source Merlin post-exploitation toolkit in attacks

Cyber Security Threat Summary:
The Government Computer Emergency Response Team of Ukraine (CERT-UA) recently published an advisory warning of attacks targeting state organizations that use Merlin, an open-source post-exploitation and command and control framework. Merlin is written in the Go programming language and is available for free on GitHub. The toolkit is typically used by security professionals in red team exercises and offers several features, including:

  • Support for HTTP/1.1 over TLS and HTTP/3 (HTTP/2 over QUIC) for C2 communication.
  • PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent traffic encryption.
  • OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE) & Encrypted JWT for secure user authentication.
  • Support for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution techniques.
  • Domain fronting for bypassing network filtering.
  • Integrated Donut, sRDI, and SharpGen support.
  • Dynamic change of the agent's JA3 hash & C2 traffic message padding for evading detection.

Security Officer Comments:
The latest attacks observed by CERT-UA began with a phishing email impersonating the agency, with the subject “CERT-UA recommendations on MS Office program settings,” in which recipients were promised instructions on how to harden their MS Office suite. However, the email carried a CHM file attachment which, if opened, executed JavaScript code designed to run a PowerShell script that fetched and decompressed a GZIP archive containing a malicious executable named “cthost[.]exe.” If run on the victim’s system, the executable deployed MerlinAgent, giving the threat actors remote access to the device and the ability to move laterally across the network.

Although attribution to a known threat actor is unclear, CERT-UA has been tracking this activity under the moniker UAC-0154; the group was first recorded on July 10, 2023, when it was observed targeting a state organization of Ukraine with phishing emails bearing the subject heading “UAV training.” The use of an open-source tool like MerlinAgent appears to be a tactic employed by threat actors to conceal their identity, since the tool is readily available to the public. Furthermore, because Merlin is written in Go, it is harder to detect: not many antivirus solutions are capable of scanning these large binaries.
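As an added illustration of how a defender might hunt for the delivery chain described above (this is example code, not from CERT-UA's advisory or from the Merlin project): a small Python check over constructed Sysmon-style process-creation events that flags PowerShell spawned under hh.exe, the Windows CHM viewer, notes download or decompression indicators in its command line, and lists any executables it launched from user-writable paths. The event field names, the sample events and the assumption that PowerShell appears as a direct descendant of hh.exe are assumptions made for the example.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events modelling the chain in the
# advisory (CHM viewer -> PowerShell -> dropped executable). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3300, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Users\u\Downloads\recommendations.chm"'},
    {"pid": 4120, "ppid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "...GZipStream...Decompress...cthost.exe"'},
    {"pid": 4133, "ppid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\cthost.exe", "cmdline": "cthost.exe"},
    {"pid": 5000, "ppid": 800,  # benign admin use of PowerShell: must not match
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
]

# Stager command-line indicators (lower case) and typical user-writable drop paths.
SUSPICIOUS_PS = ("gzipstream", "decompress", "downloadstring", "invoke-webrequest")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def find_chm_to_powershell_chains(events, max_depth=3):
    """Return one finding per PowerShell process whose ancestry (within
    max_depth hops) includes hh.exe, the Windows CHM viewer. A finding records
    whether the PowerShell command line carries download/decompression
    indicators and which executables it launched from user-writable paths."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent, depth = by_pid.get(e["ppid"]), 0
        while parent and depth < max_depth and basename(parent["image"]) != "hh.exe":
            parent, depth = by_pid.get(parent["ppid"]), depth + 1
        if not parent or basename(parent["image"]) != "hh.exe":
            continue
        cmd = e["cmdline"].lower()
        dropped = [c["image"] for c in children[e["pid"]]
                   if any(p in c["image"].lower() for p in USER_WRITABLE)]
        findings.append({"powershell_pid": e["pid"], "chm_pid": parent["pid"],
                         "suspicious_cmdline": any(k in cmd for k in SUSPICIOUS_PS),
                         "dropped_executables": dropped})
    return findings
```

Run against the sample events, the benign PowerShell process (pid 5000) is ignored and the hh.exe-spawned one is reported together with the cthost.exe drop.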

Suggested Correction(s):
  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately