Ukraine Warns of Attacks Targeting State Organizations Using Open-Source Tool ‘Merlin’

Ukraine's Computer Emergency Response Team (CERT-UA) has warned of a new wave of cyber-attacks targeting state organizations. Threat actors were discovered using Merlin, an open-source post-exploitation tool, to carry out attacks and lateral movement within compromised networks.

Merlin: A Double-Edged Sword

Merlin, a Go-based cross-platform post-exploitation toolkit freely available on GitHub, is well-equipped with features designed to help cybersecurity experts in red team exercises. Despite its noble intentions, Merlin has now been weaponized by malicious actors.

Key Features of Merlin:

• Cross-platform agents and servers: Windows, macOS, Linux, MIPS, ARM and anything that could be built natively by Go
• Domain fronting: bypass network filtering
• Extensive support for C2 protocols: HTTP/1.1 clear-text, HTTP/1.1 over TLS, HTTP/2, HTTP/2 clear-text (h2c), HTTP/3 (HTTP/2 over QUIC)
• C2 traffic message padding: avoid beaconing detection based on fixed message sizes
• Execute Windows executables: running it in a sacrificial process with execute-pe
• Execute .NET assemblies: running them in a sacrificial process with execute-assembly or in-process with invoke-assembly
• Various shellcode execution techniques: CreateThread, CreateRemoteThread, QueueUserAPC, RtlCreateUserThread
• Encryption: OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE) and encrypted JWT for secure user authentication.

Attack Details

CERT-UA reports detecting Merlin in attacks correlated with an email phishing campaign impersonating the agency. The attackers used an email address (cert-ua@ukr[.]net) and sent rogue emails offering to teach recipients how to strengthen their Microsoft Office suite.

These emails contained a malicious CHM file attachment that, when opened, executed JavaScript code running a PowerShell script.

The script then fetched, decrypted and extracted a GZIP archive containing the ctlhost.exe executable. Victims who then execute it would unwittingly plant MerlinAgent on their device, granting threat actors access and lateral movement capability.

CERT-UA has assigned the activity the UAC-0154 identifier, and the security advisory includes a comprehensive list of Indicators of Compromise (IoC) such as file lists, hashes, domains, IP addresses and hosts.

Challenges in Attribution

As Merlin is an open-source tool available to most anyone, pinpointing the attack to a specific known threat actor is daunting for authorities. The situation raises critical questions about the responsibility and ethical considerations surrounding open-source cybersecurity tools.

Ukraine's government and international partners continue to monitor the situation and urge citizens and organizations to follow cybersecurity best practices and remain vigilant.

Individuals and organizations are encouraged to refer to the official CERT-UA security advisory for a complete list of IoCs and additional information.

Specialized software like Bitdefender Ultimate Security can protect you from Merlin attacks and other cyberthreats with features such as:

• Continuous, comprehensive detection and protection against worms, viruses, Trojans, spyware, rootkits, ransomware and other digital threats
• Behavioral detection module that closely monitors active apps, taking instant action upon detecting suspicious activity
• Network threat prevention technology that identifies and blocks suspicious network-level activities, such as sophisticated exploits, malware- and botnet- URLs, and brute-force attacks
• Anti-phishing module that detects rogue websites posing as legitimate ones to steal your data and assets