Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering

Kyiv Cyber Defenders Spot Open-Source RAT in Phishing Emails

Threat Actor Coaxes Users Into Downloading MerlinAgent
Kyiv Cyber Defenders Spot Open-Source RAT in Phishing Emails
Image: MerlinAgent

Hackers attempting to spy on the Ukrainian government are using an open-source remote access Trojan, said Kyiv cyber defenders.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The Computer Emergency Response Team of Ukraine said in a Saturday alert that hackers from a threat actor it tracks as UAC-0154 had spoofed the CERT-UA in phishing emails with the subject line "CERT-UA recommendations on MS Office program settings."

These phishing mails come with a .chm file - a compressed HTML document in a proprietary Microsoft format primarily used in software documentation. The file executes JavaScript code that uses a PowerShell script that downloads an executable MerlinAgent, the open-source RAT.

Close observers of the conflict in Ukraine sparked by Russia's February 2022 invasion of its European neighbor have said Kremlin hackers are primarily focused on espionage. Ukraine is currently weeks into a counteroffensive against Russian positions in its eastern provinces (see: Russian Hackers Focused on Espionage, Not System Destruction).

MerlinAgent, available on GitHub, was a project developed by penetration tester Russel Van Tuyl, who said he had programmed it after writing a Sans Institute dissertation about web application attacks over the HTTP/2 protocol.

Van Tuyl programmed Merlin in the GoLang programming language. "This means we can use a single code base and put agents on most any machine we encounter, having them all call back to whatever platform we decide to run the listening post (vs only being able to put agents on Windows, or only being able to run listening posts on Linux)," a security blogger using the name Action Dan wrote in 2018.

Merlin's advanced logging features are useful for capturing details after an operation has concluded, the blogger said.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.