A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files.
Security researchers describe the infection method as a "malware cluster bomb" that allows the threat actor to use one malware sample that spreads additional ones on the compromised machine.
The types of malware delivered this way include information stealers, botnets, and backdoors.
The operation was discovered by Outpost24's KrakenLabs, the security company's Cyber Threat Intelligence team, who say that the activity dates since at least February 2023 and uses a distinctive distribution method.
KrakenLabs has seen over 50,000 "cluster bomb" files that shared unique characteristics linking them to the Unfurling Hemlock group.
Unfurling Hemlock attack overview
The attacks begin with the execution of a file named 'WEXTRACT.EXE' that arrives on target devices either via malicious emails or malware loaders that Unfurling Hemlock has access to by contracting their operators.
The malicious executable contains nested compressed cabinet files, with each level containing a malware sample and yet another compressed file.
Each unpacking step drops a malware variant on the victim's machine. When the final stage is reached, the extracted files are executed in reverse order, meaning the most recently extracted malware is executed first.
KrakenLabs has seen between four and seven stages, meaning that the number of steps and amount of malware delivered during Unfurling Hemlock attacks varies.
From the analyzed samples, the researchers deduced that over half of all Unfurling Hemlock attacks targeted systems in the United States, while relatively high-volume activity was also seen in Germany, Russia, Turkey, India, and Canada.
A malware "cluster bomb"
Dropping multiple payloads on a compromised system gives threat actors high levels of redundancy, providing more persistence and monetization opportunities.
Despite the disadvantage of risking detection, many threat actors follow this aggressive strategy, expecting that at least some of their payloads would survive the cleanup process.
In the case of Unfurling Hemlock, KrakenLabs analysts observed the following malware, loaders, and utilities dropped on victims' machines:
- Redline: A popular stealer malware that extracts sensitive information such as credentials, financial data, and cryptocurrency wallets. It can steal data from web browsers, FTP clients, and email clients.
- RisePro: A relatively new stealer gaining popularity, focused on credential theft and data exfiltration. It targets browser information, cryptocurrency wallets, and other personal data.
- Mystic Stealer: Operates on the Malware-as-a-Service (MaaS) model, capable of stealing data from numerous browsers and extensions, cryptocurrency wallets, and applications like Steam and Telegram.
- Amadey: A custom-made loader used to download and execute additional malware. It has been on the market since 2018 and is used in various campaigns for distributing various malware.
- SmokeLoader: A versatile loader and backdoor known for its long-standing use in cybercrime. It is often used to download other types of malware and can disguise its C2 traffic by mimicking requests to legitimate sites.
- Protection disabler: A utility designed to disable Windows Defender and other security features on the victim's system, modifying registry keys and system settings to reduce system defenses.
- Enigma Packer: An obfuscation tool used to pack and hide the actual malware payloads, making malware detection and analysis more difficult for security solutions.
- Healer.exe: Another utility focused on disabling security measures, specifically targeting and disabling Windows Defender.
- Performance checker: A utility to check and log the performance of the malware execution, gathering statistical information about the victim's system and the success of the infection process.
- Other: Utilities abusing native Windows tools such as 'wmiadap.exe' and 'wmiprvse.exe' to gather system information.
KrakenLabs' report does not delve into the monetization pathways or post-compromise activity, but it can be assumed that Unfurling Hemlock sells info-stealer "logs" and initial access to other threat actors.
Based on the evidence discovered during the investigation, the researchers believe with "a reasonable degree of certainty" that Unfurling Hemlock is based in an Eastern European country.
Two indications of this origin are the presence of Russian language in some of the samples and the use of the Autonomous System 203727, which is related to hosting service popular with cybercriminal gangs in the region.
Outpost24 recommends that users scan downloaded files using up-to-date anti-virus tools before executing them, as all malware dropped in this campaign is well-documented and has known signatures.