Hackers Lures Drone Manual to Deliver Notorious MerlinAgent malware

Securonix Threat Research has found a significant attack called STARK#VORTEX, which appears to come from a group known as UAC-0154.

This campaign specifically targets Ukraine’s military, leveraging a cunning tactic involving drone-related lures.

Drones have played a pivotal role in Ukraine’s military operations, making them an attractive theme for malicious actors. 

The attackers behind UAC-0154 initially used military-themed documents sent via email to Ukrainian targets on @ukr.net. 

However, their tactics have evolved, and they have now turned to delivering the MerlinAgent malware using a novel approach.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Here’s a Breakdown of the Attack Chain:

Lure File – The deceptive file is disguised as a Microsoft Help file, commonly known as a .chm file. Specifically, it was titled “Інфо про навчання по БПЛА для військових.v2.2.chm,” which translates to “information about UAV training for the military.”

When the user opens this document, it triggers a malicious JavaScript code embedded within it.

Obfuscated PowerShell – The JavaScript code within the .chm file communicates with a remote Command and Control (C2) server to download an obfuscated binary payload.

Payload Activation – This payload, once decoded, becomes a beacon payload for the MerlinAgent malware, establishing communication with the C2 server and granting full control to the attackers.

The attack chain may seem straightforward, but the threat actors employed complex tactics and obfuscation methods to avoid detection at each stage.

Initial Code Execution – Microsoft Help files, despite being an older format, can still be executed on modern Windows systems. 

In this case, the .chm file launched the PowerShell process, bypassing antivirus and EDR detections.

Help File and JavaScript Execution – These files acted as containers, and their contents were analyzed, revealing obfuscated JavaScript code that executed another obfuscated PowerShell script.

PowerShell Execution – The PowerShell code involved multiple layers of obfuscation, including Base64 encoding, GZIP compression, and character substitutions. It downloaded the payload from a specific URL, deobfuscated it, and saved it locally.

Binary File Analysis – The downloaded binary, roughly 5MB in size, turned out to be a 64-bit executable associated with the MerlinAgent framework, an open-source command and control (C2) framework available on GitHub. 

This framework offers various capabilities, including encrypted C2 communication, remote command shells, module support, and more.

C2 and Infrastructure – The attackers established encrypted communication with C2 servers over port 443, making detection more challenging.

This highly targeted attack campaign focused on the Ukrainian military. The use of files and documents that could easily bypass defenses and the attackers’ clever framing underscores the need for vigilance.

Securonix recommends several mitigations, including avoiding downloading files from untrusted sources, monitoring specific directories for suspicious activities, and deploying enhanced logging solutions for improved detection coverage.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.