A phishing campaign targets Ukrainian military entities using drone manuals as lures to deliver the post-exploitation toolkit Merlin.
Securonix researchers recently uncovered a phishing campaign using a Pilot-in-Command (PIC) Drone manual document as a lure to deliver a toolkit dubbed Merlin.
The campaign, codenamed STARK#VORTEX by Securonix, targets Ukrainian military entities and CERT-UA attributed it to a threat actor tracked as UAC-0154.
“The payload is an obfuscated binary that gets XOR’d and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host,” reads the analysis published by Securonix. “While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection. We’ll go over each stage in detail further down.”
The attack technique is well known: code execution through a .chm file was used in multiple attacks in the past. It is possible to achieve code execution via help files by passing in special HTML parameters that can call a child process such as cmd.exe or powershell.exe, along with command-line arguments.
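A defender-side check for the behaviour described above, the Windows help viewer (hh.exe) spawning a command interpreter, as an added example that is not part of the Securonix report: it scans process-creation events for hh.exe launching cmd.exe or powershell.exe. The Sysmon-style JSON field names and the sample events are assumptions constructed for the example.

```python
# Detect the CHM execution pattern described above: the help viewer (hh.exe)
# spawning cmd.exe or powershell.exe. Event format and sample records are
# constructed for this example (Sysmon-style Event ID 1 fields, one JSON per line).
import json
from typing import Iterable

HELP_VIEWER = "hh.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_chm_shell_spawn(event: dict) -> bool:
    """True when a process-creation event shows hh.exe launching a shell."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent == HELP_VIEWER and child in SHELLS

def load_events(jsonl: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]

def find_suspicious(events: Iterable[dict]) -> list:
    """Return matching events reduced to the fields an analyst triages first."""
    hits = []
    for ev in events:
        if is_chm_shell_spawn(ev):
            hits.append({
                "time": ev.get("UtcTime"),
                "parent_cmd": ev.get("ParentCommandLine", ""),
                "child_cmd": ev.get("CommandLine", ""),
            })
    return hits

# Constructed sample telemetry: two hh.exe -> shell launches and two benign events.
SAMPLE_LOG = r"""
{"UtcTime":"2023-09-25 10:01:02","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\hh.exe","CommandLine":"cmd.exe /c echo sample","ParentCommandLine":"hh.exe C:\\Users\\u\\Downloads\\manual.chm"}
{"UtcTime":"2023-09-25 10:01:00","Image":"C:\\Windows\\hh.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"hh.exe C:\\Users\\u\\Downloads\\manual.chm","ParentCommandLine":"explorer.exe"}
{"UtcTime":"2023-09-25 10:05:17","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\hh.exe","CommandLine":"powershell.exe -nop","ParentCommandLine":"hh.exe C:\\Users\\u\\Downloads\\manual.chm"}
{"UtcTime":"2023-09-25 10:07:41","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe","ParentCommandLine":"explorer.exe"}
"""

if __name__ == "__main__":
    for hit in find_suspicious(load_events(SAMPLE_LOG)):
        print(f"{hit['time']}: {hit['parent_cmd']} -> {hit['child_cmd']}")
```

A matching hh.exe parent is the trigger; the parent command line (the opened .chm path) tells the analyst which file to pull for review.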
The researchers reported that the MerlinAgent has been used by UAC-0154 in past campaigns aimed at Ukrainian officials.
“It’s apparent that this attack was highly targeted towards the Ukrainian military given the language of the document, and its targeted nature,” concludes the report. “Files and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help themed document or file.”
In May, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber attacks targeting state bodies in the country as part of an espionage campaign conducted by a threat actor tracked as UAC-0063.
The post A phishing campaign targets Ukrainian military entities with drone manual lures appeared first on Security Affairs.