The government computer emergency response team of Ukraine CERT-UA, which operates under the State Special Communications Service, discovered and investigated the distribution of emails by criminals using the email address cert-ua@ ukr.net. The letters with the subject "CERT-UA Recommendations on the settings of MS Office programs" contain an attached file "INTERNAL CYBER THREAT.chm" allegedly on behalf of CERT-UA.

Opening the said CHM file will execute JavaScript code, which in turn will trigger a PowerShell script that will eventually infect your computer with MerlinAgent. With the help of the virus, attackers gain remote access to the victim's computer and can execute commands, download and delete files.

As a reminder, the first cases of MerlinAgent use were recorded on July 10 during a cyber attack against a state organization of Ukraine. For this purpose, the attackers sent e-mails with the subject "UAV Training"

Cert.ua