The military departments in Ukraine have recently come under the hit from a sophisticated phishing endeavor. This clandestine operation utilizes drone manuals as bait to transport a post-exploitation toolkit known as Merlin, written in the Go language - an open-source project. The reason being the massive dependency of the Ukrainian defense machinery on drones or Unmanned Aerial Vehicles (UAVs). As a result, files imitating the appearance of UAV service manuals but carrying embedded malware are making the rounds.
This revelation was brought to light by a group of researchers from Securonix, a cybersecurity firm. Said researchers, Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, disclosed their findings in a report made available to The Hacker News. The operation spearheaded by these ill-intentioned actors goes by the code name STARK#VORTEX, as tracked by Securonix.
The cycle of attack-infection-control under this operation starts with a Microsoft Compiled HTML Help (CHM) file. If accessed, it triggers the execution of a malicious JavaScript nestled inside one of the HTML pages. This action subsequently results in the running of PowerShell code, specifically designed to reach out to a remote server and retrieve an encoded binary.
This binary, a payload based on Windows, is then decoded to extract the Merlin Agent. This agent, upon proper configuration, paves the way for communication with a command-and-control (C2) server. This is executed in the post-exploitation phase, garnering full control over the host.
While the attack cycle can be characterized as rather simplistic, the attackers have resorted to intricate Tactics, Techniques, and Procedures (TTPs), and obfuscation tactics to dodge detection. According to these Securonix researchers, it is the first time that Merlin has been deployed against Ukrainian government sectors. In an earlier revelation in August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a similar attack strategy involving CHM files serving as camouflage to infect computers with the open-source toolkit. CERT-UA associated these breaches with a threat actor it tracks under the identifier UAC-0154.
Highlighting the potency of the file and documents involved, the researchers pinpointed that they possess high capabilities of routing around defenses. They said, "Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help-themed document or file."
This threat disclosure came on the heels of an announcement from CERT-UA about an unsuccessful cyber-attack attempt geared towards a critical energy infrastructure facility in Ukraine. This strike was potentially orchestrated by the Russian state-sponsored crew known as APT28.
At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.