Hackers use open source Merlin post-exploitation toolkit in attacks – Source: www.bleepingcomputer.com

Ukraine is warning of a wave of attacks targeting state organizations using ‘Merlin,’ an open-source post-exploitation and command and control framework.

Merlin is a Go-based cross-platform post-exploitation toolkit available for free via GitHub, offering extensive documentation for security professionals to use in red team exercises.

It offers a wide range of features, allowing red teamers (and attackers) to obtain a foothold on a compromised network.

• Support for HTTP/1.1 over TLS and HTTP/3 (HTTP/2 over QUIC) for C2 communication.
• PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent traffic encryption.
• OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE) & Encrypted JWT for secure user authentication.
• Support for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution techniques.
• Domain fronting for bypassing network filtering.
• Integrated Donut, sRDI, and SharpGen support.
• Dynamic change in the agent’s JA3 hash & C2 traffic message padding for evading detection.

However, as we saw with Sliver, Merlin is now being abused by threat actors who use it to power their own attacks and spread laterally through compromised networks.

CERT-UA reports that it detected it in attacks that started with the arrival of a phishing email that impersonated the agency (sender address: cert-ua@ukr.net) and supposedly provided the recipients with instructions on how to harden their MS Office suite.

The emails carry a CHM file attachment that, if opened, executes JavaScript code which in turn runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive that contains the executable “ctlhost.exe.”

If the recipient runs this executable, their computer gets infected by MerlinAgent, giving the threat actors access to their machine, data, and a foothold to move laterally in the network.

CERT-UA has assigned this malicious activity the unique identifier UAC-0154, and the first attacks were recorded on July 10, 2023, when the threat actors used a “UAV training” bait in their emails.

Using open-source tools like Merlin to attack government agencies or other important organizations makes attribution harder, leaving fewer distinct traces that can be linked to specific threat actors.