Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc
"Unfurling Hemlock" has deployed malware on tens of thousands of systems worldwide by nesting multiple malicious files inside other malicious files.
July 1, 2024
A financially motivated East European threat actor dubbed "Unfurling Hemlock" is using the cyber equivalent of a cluster bomb to drop up to 10 unique malware files at the same time on systems belonging to individuals in the US, Germany, Russia and multiple other countries.
The attacker's approach essentially involves using compressed Microsoft Cabinet (CAB) files nested within other compressed CAB files — sometimes as many as seven — to distribute a variety of information stealers and malware loaders on victim systems.
Widespread Cluster Bomb Malware Distribution
Since at least February 2023, the adversary has distributed hundreds of thousands of malware files this way on systems belonging to some 50,000 users worldwide, according to researchers at Outpost24. The malware used includes information stealers such as Mystic Stealer, RisePro, and Redline, and loaders such as SmokeLoader and Amadey.
Analysis by KrakenLabs, Outpost24's threat intelligence unit, suggested that Unfurling Hemlock is distributing at least some of the malware and loaders on behalf of other threat groups, while at the same time it is also using other groups to help distribute its own cluster bombs.
Based on malware samples uploaded to VirusTotal, more than half (50.8%) of the systems that the adversary has infected so far appear to be US based.
"We named the actor 'Unfurling Hemlock' because the samples distributed by them act as some sort of malware 'cluster bomb,' where a single sample unfurls to spread several malware samples when infecting its victims," Outpost24 threat researcher Hector Garcia wrote in a blog post. "This appears to be a very thorough attempt to cover all bases and maximize benefit."
Outpost24 uncovered the campaign when investigating reports by other researchers — including those at McAfee — on attacks last year where threat actors deployed numerous malware samples at once on compromised systems. The security vendor's analysis showed multiple similarities between the different attacks that allowed it to conclude a single actor was behind all of them. The company concluded the threat group is likely based in Eastern Europe based on the use of the Russian language in some malware samples, and its use of infrastructure based in the region to host and distribute the malware.
Carpet Bombing for Maximum Cyber Damage
In its report, Outpost24 described Unfurling Hemlock as distributing its cluster bomb malware via email, and sometimes through malware loaders belonging to other threat groups. Attacks typically start with the execution of "wextract.exe," a legitimate Windows executable for extracting cabinet files. CAB files allow developers to compress and package multiple files for distribution or storage. They are often used as part of software installation packages and driver updates.
"This executable contains nested compressed cabinet files, each level holding a malware sample and another compressed file," Garcia wrote. "As each stage is unpacked, a new malware variant is dropped onto the victim's machine. The final stage's extracted files are executed in reverse order, with the most recently extracted malware executed first."
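The layering Garcia describes (a cabinet whose members include another cabinet, level after level) can be surfaced by static parsing before anything is run, which is how a triage pipeline would flag the pattern. The following is an added example, not Outpost24's or the article's code: it builds its own constructed nested CAB sample, and it assumes single-part, store-only (uncompressed) cabinets, so real samples packed with MSZIP or LZX would need a decompressor in front of it.

```python
import struct

CAB_SIG = b"MSCF"  # CFHEADER signature

def build_cab(files):
    """Constructed sample data: one-folder, store-only CAB from {name: bytes}."""
    names, folder_data = list(files), b"".join(files.values())
    cffile, off = b"", 0
    for n in names:  # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName
        cffile += struct.pack("<IIHHHH", len(files[n]), off, 0, 0, 0, 0x20) + n.encode() + b"\0"
        off += len(files[n])
    cfdata = struct.pack("<IHH", 0, len(folder_data), len(folder_data)) + folder_data
    coff_files = 36 + 8  # CFHEADER plus one CFFOLDER
    coff_data = coff_files + len(cffile)
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_SIG, 0, coff_data + len(cfdata), 0,
                         coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return header + struct.pack("<IHH", coff_data, 1, 0) + cffile + cfdata

def walk_cab(blob, depth=1):
    """List (depth, name, is_cab) for every member, recursing into members that are CABs.
    Pure parsing, nothing is written or executed; raises on unsupported cabinet layouts."""
    if blob[:4] != CAB_SIG:
        raise ValueError("not a cabinet")
    coff_files, n_folders, n_files, flags = struct.unpack_from("<12xI6xHHH", blob, 4)
    if flags:  # prev/next cabinet links or reserve areas are out of scope here
        raise ValueError("multi-part or reserved cabinet not supported")
    folders = []
    for i in range(n_folders):  # CFFOLDER: coffCabStart, cCFData, typeCompress
        coff_data, n_blocks, ctype = struct.unpack_from("<IHH", blob, 36 + 8 * i)
        if ctype & 0xF:  # 1=MSZIP, 2=Quantum, 3=LZX would need a decompressor
            raise ValueError("compressed folder not supported")
        data, pos = b"", coff_data
        for _ in range(n_blocks):  # CFDATA: csum, cbData, cbUncomp, payload
            cb_data = struct.unpack_from("<IHH", blob, pos)[1]
            data += blob[pos + 8:pos + 8 + cb_data]
            pos += 8 + cb_data
        folders.append(data)
    entries, pos = [], coff_files
    for _ in range(n_files):
        cb, uoff, ifolder = struct.unpack_from("<IIH", blob, pos)
        end = blob.index(b"\0", pos + 16)
        name, pos = blob[pos + 16:end].decode("ascii", "replace"), end + 1
        is_cab = (member := folders[ifolder][uoff:uoff + cb])[:4] == CAB_SIG
        entries.append((depth, name, is_cab))
        if is_cab:
            entries += walk_cab(member, depth + 1)
    return entries

def nesting_depth(blob):  # deepest cabinet level; anything above 1 is the nested pattern
    return max((d for d, _, _ in walk_cab(blob)), default=1)
```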
Among the several files the threat actor has been deploying are obfuscators and tools for disabling Windows Defender and other endpoint detection and response (EDR) systems on the victim machine.
"When all of this is put together, we have a situation where the actor has a chance, with a single initial file, to steal the information from the victim, load further malware into the victim's machine, and get paid for the infection using the malware of another group, all at the same time or any combination of the above," Garcia said.
Evan Dornbush, former NSA cybersecurity expert and co-founder of Point3 Security, says the attacker's tactic of packaging multiple known tools together and deploying them through nested cab files can be challenging for defenders to handle. The approach not only facilitates defense evasion, it also makes malware eradication harder to achieve and to confirm.
"Unfurling Hemlock harkens back to techniques reported in Flame and Gauss (multi-staged malware and diversified payloads)," he notes. "This can make it particularly challenging for a victim to confirm complete eradication of infection as some of the second stage tools may have their own independent command-and-control systems (C2)."
Outpost24 expects other threat actors will start using the same or similar tactics as Unfurling Hemlock to distribute malware in the future. The key for defenders is to keep paying attention to the security basics.
"At the end of the day, these cluster bombs are not very complex, nor show a high degree of sophistication regarding obfuscation and anti-analysis techniques, and most of the malware dropped and executed in victims' machines are very widely known and documented," Garcia said.