Ukraine is warning about a new wave of cyberattacks that use the open-source Merlin tool to carry out operations on the compromised networks of various state organizations.
Merlin is a tool used by cybersecurity professionals in red team exercises, in which testers attack their own organization's software to find vulnerabilities so they can be fixed or patched before criminals exploit them.
It is free, open-source and written in Go, and is available on GitHub. As with the Sliver toolkit last year, software normally used to strengthen defences was misappropriated and used for lateral movement and follow-on attacks within these networks.
As of now, the attackers have not been identified: because the tool is open source, tracing the attack to a specific origin is difficult, and it could theoretically have been carried out by anyone with access to the software.
The attack began with a phishing email campaign in which the attackers posed as officials of the agency, sending from the email address ert-ua@ukr[.]net. The email encourages the recipient to open an attached file.
“Opening the mentioned CHM file will execute JavaScript code,” explains Ukraine’s Computer Emergency Response Team (CERT), “which, in turn, will ensure the launch of a PowerShell script designed to load, decrypt and decompress the GZIP archive ‘ctlhost.exe.tmp’, which contains the executable file ‘ctlhost.exe’.”
Once this file runs, the victim’s system is quietly compromised by the Merlin tool, giving the attackers a foothold from which to launch further attacks or move laterally within the network.
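As an added illustration (not from the original report or from CERT-UA), the chain described above can be caught by correlating process-creation telemetry: the rules below, run over constructed sample events, flag the CHM viewer hh.exe spawning a script host and PowerShell launching an executable from a temp directory. The JSON field names, the file paths and the script name stage.ps1 are assumptions.

```python
import json

# Constructed sample of process-creation events in a Sysmon-like JSON shape.
# These are made-up test records, not telemetry from the incident; the field
# names (pid, image, parent, cmdline) are an assumption about the log format.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"pid": 4100, "image": "C:\\Windows\\hh.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "hh.exe report.chm"},
    {"pid": 4122, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\hh.exe", "cmdline": "powershell.exe -File stage.ps1"},
    {"pid": 4130, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\ctlhost.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "ctlhost.exe"},
    # Benign: an interactive PowerShell session started from Explorer.
    {"pid": 5000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe Get-Process"},
])

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chm_chain(log_text):
    """Return (rule, pid) alerts for the chain CERT-UA describes: the CHM viewer
    hh.exe spawning a script host, and PowerShell launching an executable from a
    user-writable temp directory (where ctlhost.exe was dropped)."""
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            alerts.append(("chm_viewer_spawned_script_host", ev["pid"]))
        elif parent in ("powershell.exe", "pwsh.exe") and any(
                d in ev["image"].lower() for d in TEMP_DIRS):
            alerts.append(("powershell_spawned_temp_executable", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect_chm_chain(SAMPLE_LOG):
        print(f"{rule}: pid {pid}")
```

The benign explorer.exe-to-PowerShell event is deliberately left unflagged so the rules key on the parent process rather than on PowerShell use alone.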
Essentially, this threat works much like traditional social engineering scams, which, while common, remain an effective means of infiltrating networks.
Ukraine and its international partners continue to monitor the situation and remind users to take their cybersecurity seriously and stay vigilant against email phishing. Always verify the sender before downloading any attachments or files.