June 27, 2024 at 06:28PM
Unfurling Hemlock, a threat actor, infects systems with a “malware cluster bomb” method, delivering various malware including information stealers, botnets, and backdoors. The attacks start with ‘WEXTRACT.EXE’ file execution and target multiple countries, with a focus on the United States. The group is likely based in Eastern Europe and sells stolen information and initial access to other attackers. Outpost24 suggests scanning files with updated anti-virus tools before execution.
The meeting notes highlight a concerning wave of cyber attacks conducted by a threat actor known as Unfurling Hemlock. They are employing a sophisticated method dubbed a “malware cluster bomb,” which involves infecting target systems with multiple types of malware simultaneously, including information stealers, botnets, and backdoors.
The attacks are initiated by the execution of a file named ‘WEXTRACT.EXE,’ which arrives via malicious emails or malware loaders. The malicious executable contains nested compressed cabinet files, each containing a malware sample and another compressed file. The unpacking process results in the execution of these malware variants in reverse order, providing the threat actor with high levels of persistence and redundancy.
Unfurling Hemlock has targeted systems primarily in the United States, as well as in Germany, Russia, Turkey, India, and Canada. The attackers appear to be motivated by potential monetization opportunities, despite the risk of detection, as they drop various malware, loaders, and utilities on victims’ machines.
The extensive list of malicious tools dropped by Unfurling Hemlock includes data stealers like Redline, RisePro, and Mystic Stealer, loaders such as Amadey and SmokeLoader, as well as utilities designed to disable security features and obfuscate malware payloads.
Furthermore, evidence suggests that Unfurling Hemlock may be based in an Eastern European country, given the presence of Russian language in some samples and the use of the Autonomous System 203727, associated with hosting services popular among cybercriminal groups in the region.
Notably, the meeting notes conclude with a recommendation from Outpost24 for users to scan downloaded files using up-to-date anti-virus tools before executing them, as all malware dropped in this campaign is well-documented and has known signatures.
Overall, these meeting notes provide valuable insights into the modus operandi of Unfurling Hemlock and the tools and techniques they employ, as well as a potential geographic origin, guiding future security measures and threat responses.