Open Source Toolkit 'Merlin'

A concerning new wave of cyber attacks is making headlines, and the attackers appear to be leveraging an open-source toolkit named Merlin. The targets are principally governmental bodies, as Ukraine’s recent warnings reveal.

What is Merlin?

Merlin is a cross-platform post-exploitation toolkit written in the Go programming language and freely available on GitHub. Security enthusiasts often employ Merlin for red team exercises.

Key Features of Merlin:

  • Communication Protocols: Merlin provides support for HTTP/1.1 over TLS and HTTP/3.
  • Traffic Encryption: Agent traffic is encrypted using PBES2 and AES Key Wrap.
  • Authentication: OPAQUE asymmetric PAKE and encrypted JWT are used for authentication.
  • Shellcode Execution Techniques: Several methods like CreateThread and RtlCreateUserThread are available.
  • Network Filtering Bypass: Merlin employs domain fronting to evade network barriers.
  • Support Integration: Integrated support for Donut, sRDI, and SharpGen.
  • Detection Evasion: Dynamic changes in the agent’s hash and message padding thwart detection.

Misuse of Merlin by Threat Actors

But what’s alarming is how this toolkit, intended for lawful purposes, has fallen into the hands of malicious entities. Similar to Sliver’s misuse, threat actors are now using Merlin to orchestrate their own insidious operations. They are penetrating secure networks, spreading their influence, and wreaking havoc.

How the Attack Unfolds:

  • Initial Contact: The attacks commence with a phishing email that mimics a legitimate source.
  • The Lure: The emails often bear a CHM file attachment, promising instructions on MS Office suite hardening.
  • Malicious Script Execution: If opened, the file runs JavaScript, leading to a PowerShell script that fetches and processes a GZIP archive.
  • Infection: The execution of “ctlhost.exe” infects the recipient’s computer with MerlinAgent, granting the culprits access.
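
A defender can hunt for this chain in process-creation telemetry. The sketch below is an added example, not code from CERT-UA or the Merlin project: it assumes the script host appears as a descendant of hh.exe (the Windows HTML Help viewer that opens CHM files), and every event, path and PID in it is constructed; only the file name ctlhost.exe comes from the report above.

```python
# Added example: match the CHM -> PowerShell -> ctlhost.exe chain in process-creation logs.
from ntpath import basename  # parses Windows paths on any OS

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
PAYLOAD_NAME = "ctlhost.exe"  # file name given in the article

# Constructed events (Sysmon Event ID 1 style); paths, PIDs and arguments are invented.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'hh.exe "C:\Users\user\Downloads\example.chm"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe [arguments omitted]"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\user\AppData\Local\Temp\ctlhost.exe",
     "cmd": "ctlhost.exe"},
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},  # benign: started by the user, not by hh.exe
    {"pid": 600, "ppid": 100, "image": r"C:\Tools\ctlhost.exe", "cmd": "ctlhost.exe"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r"hh.exe C:\Docs\manual.chm"},  # CHM opened, nothing spawned
]

def find_chm_chain(events):
    """Return (pid, rule) findings for events ordered by creation time."""
    tainted = {}   # pid -> pid of the hh.exe ancestor that opened a .chm
    findings = []
    for ev in events:
        name = basename(ev["image"]).lower()
        root = tainted.get(ev["ppid"])
        if name == "hh.exe" and ".chm" in ev["cmd"].lower():
            tainted[ev["pid"]] = ev["pid"]      # start of a possible chain
            continue
        if root is not None:
            tainted[ev["pid"]] = root           # descendants inherit the taint
            if name in SCRIPT_HOSTS:
                findings.append((ev["pid"], "script_host_from_chm"))
        if name == PAYLOAD_NAME:
            # Assumption: a name match outside the chain is a weaker, separate signal.
            rule = "ctlhost_from_chm_chain" if root is not None else "ctlhost_name_only"
            findings.append((ev["pid"], rule))
    return findings

if __name__ == "__main__":
    for pid, rule in find_chm_chain(SAMPLE_EVENTS):
        print(pid, rule)
```

PID reuse and out-of-order events are not handled here; a production rule would key on a stable process identifier such as Sysmon's ProcessGuid.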

Unique Identifier and Timeline:

Ukraine’s cyber authorities, CERT-UA, have tagged this malevolent operation with the identifier UAC-0154. The first recorded incident occurred on July 10, 2023, when “UAV training” was used as bait in the emails.

The Challenge of Attribution

The appropriation of open-source tools like Merlin for attacking key organizations complicates the attribution process. The breadcrumbs left behind are fewer and less distinct, making it difficult to pinpoint the exact threat actors.

Final Thoughts

The case of Merlin showcases the delicate line between innovation and exploitation. While conceived as an aid to security professionals, the toolkit’s abuse underscores the eternal dilemma of technology: How do we safeguard the tools we create from falling into the wrong hands?

In a world where cyber threats evolve at an alarming pace, continuous vigilance and collaboration among the tech community, governments, and global agencies will be vital. Awareness, education, and robust security protocols must be our shield against those who would twist the tools of progress into weapons of chaos.