Open Source Tool Used to Target Ukrainian Government Agencies

CERT-UA warned of a phishing campaign targeting Ukrainian government agencies with open-source malware dubbed MerlinAgent. The agency stated that an unidentified threat actor, which it tracks as UAC-0154, sent malicious emails to its targets with the subject line "CERT-UA recommendations on MS Office program settings".

Diving into details

  • Threat group UAC-0154 sent fraudulent emails containing a .chm file. JavaScript code inside the file triggers a PowerShell script that fetches the MerlinAgent RAT and runs it.
  • MerlinAgent, available on GitHub, was created by penetration tester Russel Van Tuyl. He developed it after writing a dissertation for the SANS Institute on web application attacks that use the HTTP/2 protocol.
  • MerlinAgent is known for its advanced logging capabilities, which are valuable for capturing post-operation details.

Other RATs spotted in the wild

  • Last month, malicious actors were found using cracked software as a means to distribute the advanced HotRat malware, putting unsuspecting users at risk. The HotRat malware, a variant of AsyncRAT, can steal personal data and credentials and distribute other malware.
  • The same month, Malwarebytes spotted a potential SocGholish competitor, named FakeSG. The campaign deployed the NetSupport RAT, enabling attackers to gain access and disseminate further malicious payloads.

The bottom line

The phishing campaign employing the MerlinAgent RAT to target Ukrainian government agencies underscores the evolving sophistication of cyber threats. As attackers adapt their techniques, vigilance becomes paramount. Regular security awareness training, robust email filtering, and prompt software updates are essential for organizations to fortify their defenses against such malicious endeavors.

Publisher: Cyware