New MerlinAgent Open-Source Tool Used by UAC-0154 Group to Target Ukrainian State Agencies
Table of contents:
Cyber defenders observe growing volumes of cyber attacks against Ukraine and its allies launched by the russian offensive forces, with the aggressor frequently leveraging the phishing attack vector and the public sector serving as the primary target.
CERT-UA notifies cyber defenders of the ongoing phishing campaign against Ukrainian state bodies massively distributing emails with the lure subject and an attachment masquerading the sender as CERT-UA with the corresponding email address. This way, threat actors tracked as UAC-0154 are making attempts to compromise targeted users by leveraging a novel open-source MerlinAgent tool with its source code available on GitHub.
UAC-0154 Attack Description Leveraging MerlinAgent
On August 5, 2023, the CERT-UA researchers issued two novel alerts, CERT-UA#6995 and CERT-UA#7183, covering the details of the mass email distribution attributed to the UAC-0154 hacking group and targeting Ukrainian state officials. In this ongoing phishing campaign, hackers apply the lure email subject related to the recommendations for MS Office installation along with the CHM email attachment disguised as a useful file with the cyber threat details and masquerading the sender as CERT-UA itself.
Opening the CHM file lure leads to executing JavaScript code, which in turn, launches a PowerShell script intended for downloading, decrypting, and decompressing a GZIP archive. The latter contains an executable file, which is designed to infect targeted systems using the MerlinAgent open-source tool with its source code publicly available on GitHub. In addition, the UAC-0154 group has taken advantage of the legitimate file service dubbed Catbox.
CERT-UA has unveiled that one of the initial cases of using MerlinAgent dates back to the first half of July 2023, when Ukrainian government authorities were exposed to a phishing attack covered in the CERT-UA#6995 alert.
Detecting UAC-0154 Activity Covered in the CERT-UA#6995 and CERT-UA#7183 Alerts
The increasing number of phishing campaigns against Ukraine and its allies requires ultra-responsiveness from cyber defenders to timely identify the infection and proactively remediate the threat. SOC Prime Platform equips security teams with cost-efficient and innovative tools to boost their cybersecurity maturity while driving the maximum value of SOC investments.
To help defenders thwart ongoing attacks by the UAC-0154 hacking collective covered in the corresponding CERT-UA#6995 and CERT-UA#7183 alerts, SOC Prime Platform curates relevant Sigma rules enriched with cyber threat context, mapped to MITRE ATT&CK®, and automatically convertible to the industry-leading SIEM, EDR, and XDR technologies. All detection algorithms are filtered by the tags based on the group and heads-up identifiers (“CERT-UA#6995”, “CERT-UA#7183”, “UAC-0154”), enabling users to choose any of them to streamline the content search.
Click the Explore Detections button below to obtain the above-referenced Sigma rules and dive into the relevant cyber threat context to assist in your daily security operations.
Security professionals are also welcome to take advantage of Uncoder AI, SOC Prime’s augmented intelligence framework, to accelerate threat research with instant IOC query generation based on indicators of compromise suggested in the latest CERT-UA alerts.
MITRE ATT&CK Context
Cyber defenders can also explore the comprehensive cyber threat context behind the adversary campaign of the UAC-0154 covered in the CERT-UA#6995 and CERT-UA#7183 alerts. Check out the table below to find the list of all applicable adversary tactics, techniques, and sub-techniques linked to the above-mentioned Sigma rules for in-depth threat research:
Tactics | Techniques | Sigma Rule |
Initial Access | Phishing: Spearphishing Link | |
Phishing: Spearphishing Attachment | ||
Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) | |
Transfer Data to Cloud Account (T1537) | ||
Defense Evasion | Hide Artifacts: Hidden Window (T1564.003) | |
System Binary Proxy Execution (T1218) | ||
System Binary Proxy Execution: Compiled HTML File (T1218.001) | ||
Obfuscated Files or Information: Command Obfuscation (T1027.010) | ||
Command and Control | Ingress Tool Transfer (T1105) | |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | |
Execution | Command and Scripting Interpreter (T1059) | |
Command and Scripting Interpreter: PowerShell (T1059.001) | ||
Command and Scripting Interpreter: Windows Command Shell |