New MerlinAgent Open-Source Tool Used by UAC-0154 Group to Target Ukrainian State Agencies

August 07, 2023 · 3 min read

Cyber defenders observe growing volumes of cyber attacks against Ukraine and its allies launched by the russian offensive forces, with the aggressor frequently leveraging the phishing attack vector and the public sector serving as the primary target. 

CERT-UA has notified cyber defenders of an ongoing phishing campaign against Ukrainian state bodies, in which emails with a lure subject and an attachment are distributed en masse and the sender is made to appear as CERT-UA, with a corresponding email address. In this way, threat actors tracked as UAC-0154 attempt to compromise targeted users with MerlinAgent, a novel open-source tool whose source code is available on GitHub.

UAC-0154 Attack Description Leveraging MerlinAgent

On August 5, 2023, CERT-UA researchers issued two new alerts, CERT-UA#6995 and CERT-UA#7183, covering the details of a mass email distribution attributed to the UAC-0154 hacking group and targeting Ukrainian state officials. In this ongoing phishing campaign, the hackers use a lure email subject related to recommendations for MS Office installation, attach a CHM file disguised as a useful file with cyber threat details, and make the sender appear to be CERT-UA itself.

Opening the CHM lure executes JavaScript code, which in turn launches a PowerShell script that downloads, decrypts, and decompresses a GZIP archive. The archive contains an executable file designed to infect the targeted system with MerlinAgent, an open-source tool whose source code is publicly available on GitHub. In addition, the UAC-0154 group has taken advantage of the legitimate file service Catbox.
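The chain described above (CHM lure, then a script interpreter, then PowerShell) leaves a recognizable process lineage on the endpoint. As an added example that is not taken from CERT-UA or SOC Prime content, the following Python code flags script hosts descended from hh.exe in process-creation events; the event records, field names, interpreter list and hidden-window heuristic are constructed assumptions.

```python
import ntpath
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events (reduced Sysmon Event ID 1 style fields).
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'hh.exe "C:\Users\user\Downloads\sample_lure.chm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c <placeholder>"},
    {"pid": 310, "ppid": 300, "image": PS, "cmd": "powershell.exe -w hidden -c <placeholder>"},
    {"pid": 400, "ppid": 100, "image": PS, "cmd": "powershell.exe -NoProfile Get-Date"},
]

HELP_VIEWER = "hh.exe"
# Interpreters the HTML Help viewer has no routine reason to start (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Heuristic for PowerShell's -WindowStyle Hidden and its abbreviations (T1564.003).
HIDDEN_WINDOW = re.compile(r"(?i)-w\w*\s+(hidden|1)\b")

def name(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()

def find_chm_script_spawns(events):
    """Flag script hosts that have hh.exe anywhere in their ancestry."""
    by_pid = {e["pid"]: e for e in events}  # simplification: ignores PID reuse
    alerts = []
    for e in events:
        if name(e) not in SCRIPT_HOSTS:
            continue
        chain, seen, parent = [name(e)], {e["pid"]}, by_pid.get(e["ppid"])
        while parent and parent["pid"] not in seen:  # stop on ancestry loops
            seen.add(parent["pid"])
            chain.append(name(parent))
            if name(parent) == HELP_VIEWER:
                alerts.append({"pid": e["pid"], "chain": " <- ".join(chain),
                               "lure": parent["cmd"],
                               "hidden_window": bool(HIDDEN_WINDOW.search(e["cmd"]))})
                break
            parent = by_pid.get(parent["ppid"])
    return alerts

if __name__ == "__main__":
    for alert in find_chm_script_spawns(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent catches the case where hh.exe starts cmd.exe first and PowerShell is a grandchild.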

CERT-UA has revealed that one of the earliest cases of MerlinAgent use dates back to the first half of July 2023, when Ukrainian government authorities were exposed to a phishing attack covered in the CERT-UA#6995 alert.

Detecting UAC-0154 Activity Covered in the CERT-UA#6995 and CERT-UA#7183 Alerts

The increasing number of phishing campaigns against Ukraine and its allies requires cyber defenders to respond rapidly, identifying infections in time and proactively remediating the threat. SOC Prime Platform equips security teams with cost-efficient and innovative tools to boost their cybersecurity maturity while driving the maximum value of SOC investments.

To help defenders thwart ongoing attacks by the UAC-0154 hacking collective covered in the CERT-UA#6995 and CERT-UA#7183 alerts, SOC Prime Platform curates relevant Sigma rules enriched with cyber threat context, mapped to MITRE ATT&CK®, and automatically convertible to industry-leading SIEM, EDR, and XDR technologies. All detections are tagged with the group and alert identifiers (“CERT-UA#6995”, “CERT-UA#7183”, “UAC-0154”), so users can filter by any of these tags to streamline the content search.

Click the Explore Detections button below to obtain the above-referenced Sigma rules and dive into the relevant cyber threat context to assist in your daily security operations. 

Explore Detections

Security professionals are also welcome to take advantage of Uncoder AI, SOC Prime’s augmented intelligence framework, to accelerate threat research with instant IOC query generation based on indicators of compromise suggested in the latest CERT-UA alerts. 

Using Uncoder AI for IOC-based hunting for UAC-0154-related threats based on CERT-UA research

MITRE ATT&CK Context

Cyber defenders can also explore the comprehensive cyber threat context behind the UAC-0154 adversary campaign covered in the CERT-UA#6995 and CERT-UA#7183 alerts. The table below lists all applicable adversary tactics, techniques, and sub-techniques linked to the above-mentioned Sigma rules for in-depth threat research:

| Tactics | Techniques |
|---|---|
| Initial Access | Phishing: Spearphishing Link (T1566.002) |
| Initial Access | Phishing: Spearphishing Attachment (T1566.001) |
| Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) |
| Exfiltration | Transfer Data to Cloud Account (T1537) |
| Defense Evasion | Hide Artifacts: Hidden Window (T1564.003) |
| Defense Evasion | System Binary Proxy Execution (T1218) |
| Defense Evasion | System Binary Proxy Execution: Compiled HTML File (T1218.001) |
| Defense Evasion | Obfuscated Files or Information: Command Obfuscation (T1027.010) |
| Command and Control | Ingress Tool Transfer (T1105) |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) |
| Execution | Command and Scripting Interpreter (T1059) |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) |
| Execution | Command and Scripting Interpreter: Windows Command Shell (T1059.003) |
