“Clusterbomb” Malware droppers hit over 50,000 victims 

Security researchers discovered a threat actor known as Unfurling Hemlock infecting target systems with up to ten pieces of malware simultaneously. Dubbed a “malware cluster bomb” by researchers, this method involves using one malware sample to spread additional ones on compromised machines. The malware mainly consisted of stealers, such as Redline, RisePro and Mystic Stealer, and loaders such as Amadey and SmokeLoader.

Outpost24’s Cyber Threat Intelligence team, KrakenLabs, discovered this operation. Their findings reveal that Unfurling Hemlock’s activity dates back to at least February 2023 and relies on a distinctive distribution method. KrakenLabs has identified over 50,000 “cluster bomb” files with distinct characteristics linking them to Unfurling Hemlock.

The attack begins with the execution of a file named ‘WEXTRACT.EXE’, which arrives on target devices through malicious emails or malware loaders that Unfurling Hemlock acquires from other operators. This executable contains nested compressed cabinet files, each level holding a malware sample and another compressed file. As each stage is unpacked, a new malware variant is dropped onto the victim’s machine. The final stage’s extracted files are executed in reverse order, with the most recently extracted malware executed first.
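A defender triaging samples will want a quick way to spot that kind of Russian-doll cabinet structure before running anything. The following script is an added example, not code from the KrakenLabs report or from the dropper: it scans a file for plausible MS-CAB headers (the `MSCF` signature and its 36-byte CFHEADER layout), works out how deeply the cabinets are nested, and flags anything nested deeper than one level. The sample bytes at the bottom are constructed for the demonstration and are not a real dropper.

```python
import struct

# MS-CAB CFHEADER without optional reserve fields: 36 bytes, little-endian.
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)


def find_cab_headers(data: bytes):
    """Return (offset, cbCabinet) for every plausible CFHEADER found in data."""
    found, pos = [], data.find(b"MSCF")
    while pos != -1:
        if pos + CFHEADER_LEN <= len(data):
            (_sig, res1, size, res2, coff_files, res3, vminor, vmajor,
             _folders, _files, _flags, _setid, _icab) = struct.unpack_from(CFHEADER_FMT, data, pos)
            # Plausibility: reserved fields zero, format version 1.3, declared
            # size fits in the remaining bytes, CFFILE offset lies inside it.
            if (res1 == res2 == res3 == 0 and (vmajor, vminor) == (1, 3)
                    and CFHEADER_LEN <= size <= len(data) - pos
                    and CFHEADER_LEN <= coff_files < size):
                found.append((pos, size))
        pos = data.find(b"MSCF", pos + 1)
    return found


def nesting_depth(headers):
    """Longest chain of cabinets enclosing one another (1 = flat cabinet)."""
    depth = {}
    for off, size in sorted(headers):  # an enclosing cabinet always starts earlier
        inner_of = [depth[(o, s)] for (o, s) in depth if o < off and off + size <= o + s]
        depth[(off, size)] = 1 + max(inner_of, default=0)
    return max(depth.values(), default=0)


def triage(data: bytes, max_depth: int = 1):
    """Summarise cabinet structure; flag anything nested deeper than max_depth."""
    headers = find_cab_headers(data)
    depth = nesting_depth(headers)
    return {"cabinets": len(headers), "depth": depth, "suspicious": depth > max_depth}


# Constructed sample (not a real dropper): three cabinets nested like the
# dropper described above, plus a decoy "MSCF" string that must be ignored.
def _cab(payload: bytes) -> bytes:
    size = CFHEADER_LEN + len(payload)
    return struct.pack(CFHEADER_FMT, b"MSCF", 0, size, 0, CFHEADER_LEN, 0,
                       3, 1, 1, 1, 0, 0x1234, 0) + payload

SAMPLE = (b"MZ\x90\x00 fake carrier " + b"MSCF is a string, not a header "
          + _cab(b"stage2 " + _cab(b"stage3 " + _cab(b"final-stage bytes"))))

if __name__ == "__main__":
    print(triage(SAMPLE))   # {'cabinets': 3, 'depth': 3, 'suspicious': True}
```

The checks only say that a file carries nested cabinets, which is enough to route it to deeper analysis; legitimate installers can also ship cabinets, so treat the flag as a triage signal rather than a verdict.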

The researchers found that over half of Unfurling Hemlock’s attacks targeted systems in the United States, with significant activity also observed in Germany, Russia, Turkey, India, and Canada.

Evan Dornbush, former NSA cybersecurity expert, had this to say:

“KrakenLabs’ report demonstrates why it is critical to support cybersecurity research efforts. The attackers appear to have taken a multitude of known tools and packaged them up in a novel mechanism that could facilitate evasion from defensive technology or, if detected, only be partially caught and removed from infected systems. In other words, things the defensive community thought were ‘solved’ are still able to have harmful impact. This report highlights how both attackers and defenders incrementally improve looking at prior works.”

Organizations, and perhaps individuals, now have one more threat to add to the list of things they need to build defences against, which makes life harder for the overworked teams responsible for stopping cyber threats.

Discover more from The IT Nerd