Ukraine's Computer Emergency Response Team (CERT-UA) has warned of a new wave of cyber-attacks targeting state organizations. Threat actors were discovered using Merlin, an open-source post-exploitation tool, to carry out attacks and lateral movement within compromised networks.
Merlin, a Go-based cross-platform post-exploitation toolkit freely available on GitHub, is well-equipped with features designed to help cybersecurity experts in red team exercises. Despite its noble intentions, Merlin has now been weaponized by malicious actors.
Key Features of Merlin:
HTTP/1.1 over TLS,
HTTP/2 clear-text (h2c),
HTTP/3 (HTTP/2 over QUIC),
execute-assembly or in-process with
CERT-UA reports detecting Merlin in attacks correlated with an email phishing campaign impersonating the agency. The attackers used an email address (cert-ua@ukr[.]net) and sent rogue emails offering to teach recipients how to strengthen their Microsoft Office suite.
The script then fetched, decrypted and extracted a GZIP archive containing the ctlhost.exe executable. Victims who then execute it would unwittingly plant MerlinAgent on their device, granting threat actors access and lateral movement capability.
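As an added illustration, not part of CERT-UA's advisory or this article, the following Python triage check covers the two lure details described above: a sender presenting itself as CERT-UA from a free-mail domain, and a gzip attachment whose member is a Windows executable. The sample archive, the free-mail domain list and the function names are constructed for this example.

```python
import gzip
import io
import struct
from typing import Optional

# Constructed list for the example: public webmail domains from which an official
# CERT-UA notice would not be sent. Extend with the provider set you trust.
FREEMAIL_DOMAINS = {"ukr.net"}


def impersonates_cert_ua(sender: str) -> bool:
    """True when the local part claims CERT-UA but the domain is a free-mail provider."""
    local, _, domain = sender.strip().lower().rpartition("@")
    return "cert-ua" in local and domain in FREEMAIL_DOMAINS


def build_gzip_with_name(payload: bytes, original_name: str) -> bytes:
    """Build a gzip blob whose header carries an FNAME field (test fixture only)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=original_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


def gzip_original_name(blob: bytes) -> Optional[str]:
    """Read the optional FNAME field from a gzip header (RFC 1952), if present."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        return None
    flags = blob[3]          # FLG byte: bit 2 = FEXTRA, bit 3 = FNAME
    pos = 10                 # fixed header is 10 bytes
    if flags & 0x04:         # skip the FEXTRA block if present
        xlen = struct.unpack("<H", blob[pos:pos + 2])[0]
        pos += 2 + xlen
    if flags & 0x08:         # FNAME is a zero-terminated latin-1 string
        end = blob.index(b"\x00", pos)
        return blob[pos:end].decode("latin-1")
    return None


def triage_gzip_attachment(blob: bytes) -> dict:
    """Flag a gzip attachment whose decompressed member starts with the PE 'MZ' magic."""
    name = gzip_original_name(blob)
    try:
        data = gzip.decompress(blob)
    except (OSError, EOFError):  # BadGzipFile is a subclass of OSError
        return {"name": name, "is_gzip": False, "is_pe": False, "suspicious": False}
    is_pe = data[:2] == b"MZ"
    looks_exe = (name or "").lower().endswith(".exe")
    return {"name": name, "is_gzip": True, "is_pe": is_pe, "suspicious": is_pe or looks_exe}
```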
CERT-UA has assigned the activity the UAC-0154 identifier, and the security advisory includes a comprehensive list of Indicators of Compromise (IoCs) such as file lists, hashes, domains, IP addresses and hosts.
As Merlin is an open-source tool available to almost anyone, attributing the attack to a specific known threat actor is difficult for authorities. The situation raises critical questions about the responsibility and ethical considerations surrounding open-source cybersecurity tools.
Ukraine's government and international partners continue to monitor the situation and urge citizens and organizations to follow cybersecurity best practices and remain vigilant.
Individuals and organizations are encouraged to refer to the official CERT-UA security advisory for a complete list of IoCs and additional information.
Specialized software like Bitdefender Ultimate Security can protect you from Merlin attacks and other cyberthreats with features such as: