Pierluigi Paganini
September 25, 2023
Securonix researchers recently uncovered a phishing campaign using a Pilot-in-Command (PIC) Drone manual document as a lure to deliver a toolkit dubbed Merlin.
The campaign, codenamed STARK#VORTEX by Securonix, targets Ukrainian military entities and CERT-UA attributed it to a threat actor tracked as UAC-0154.
The MerlinAgent is an open-source C2 toolkit written in Go, it is similar to other post-exploitation toosl like Cobalt Strike or Sliver.
The lure file (“Інфо про навчання по БПЛА для військових.v2.2.chm” which translates to “info on UAV training for the military”) is in the form of a Microsoft Help file (.chm). Upon opening the document, a malicious JavaScript embedded inside one of the HTML pages is executed.
Then the JavaScript code executes an obfuscated PowerShell code, it contacts a remote C2 server to download an obfuscated binary payload.
“The payload is an obfuscated binary that gets XOR’d and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host.” reads the analysis published by Securonix. “While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection. We’ll go over each stage in detail further down.”
The attack technique is well known, code execution through a .chm file was used in multiple attacks in the past. It is possible to achieve code execution via help files by passing in special HTML parameters which can call a child process such as cmd.exe or powershell.exe, along with command line arguments.
The researchers reported that the MerlinAgent has been used by UAC-0154 in past campaigns aimed at Ukrainian officials.
“It’s apparent that this attack was highly targeted towards the Ukrainian military given the language of the document, and its targeted nature.” concludes the report. “Files and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help themed document or file.”
In May, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber attacks targeting state bodies in the country as part of an espionage campaign conducted by a threat actor tracked as UAC-0063.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ukrainian military entities)
