July 1, 2024 at 06:00PM
“Unfurling Hemlock,” a financially motivated Eastern European threat actor, is using a cluster bomb tactic to distribute up to 10 unique malware files at a time on systems in the US, Germany, Russia, and other countries. The attacker distributes malware through nested compressed Microsoft Cabinet (CAB) files and has infected tens of thousands of users worldwide. The campaign, uncovered by Outpost24, deploys a variety of information stealers and loaders, targeting users primarily through email and potentially on behalf of other threat groups. The tactic poses challenges for defenders and could be adopted by other threat actors, underscoring the importance of security basics.
From the meeting notes, we can gather the following key takeaways:
1. A financially motivated East European threat actor named “Unfurling Hemlock” is distributing a significant amount of malware by utilizing compressed Microsoft Cabinet (CAB) files nested within other compressed CAB files, resulting in the spread of various information stealers and malware loaders on victim systems in the US, Germany, Russia, and other countries.
2. Since at least February 2023, the adversary has distributed hundreds of thousands of malware files, affecting approximately 50,000 users globally, with over half of the infected systems based in the US.
3. Unfurling Hemlock is distributing malware through email and sometimes using malware loaders belonging to other threat groups. The attacks often commence with the execution of “weextract.exe,” which contains nested compressed cabinet files, each holding a malware sample and another compressed file.
4. The threat actor’s deployed files include obfuscators and tools for disabling Windows Defender and other endpoint detection and response systems on victim machines. This multi-stage deployment tactic aids defense evasion and makes malware eradication challenging for defenders.
5. Outpost24 anticipates that other threat actors may adopt similar tactics to distribute malware in the future and highlights the importance of defenders focusing on security basics despite the relatively low complexity and sophistication of the cluster bomb malware.
These takeaways provide a clear understanding of the threat posed by the Unfurling Hemlock group and emphasize the need for robust defense measures and continued vigilance to counter the spread of cluster bomb malware.
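As an added illustration for defenders (not code from Outpost24's report or from the article), the following Python script reads a CAB file's directory, which is stored uncompressed in the CFHEADER and CFFILE structures, to list members without extracting anything and to flag the layout described in takeaway 3: an archive that carries an executable alongside another .cab. The sample CAB bytes are constructed inline for this example (header and directory only, no CFDATA blocks) and are not from the campaign.

```python
"""Static triage of a Microsoft Cabinet (CAB) file: list members from the
uncompressed CFHEADER/CFFILE directory and flag a nested-CAB-plus-executable layout."""
import struct

CFHEADER_FMT = "<4sIIIIIBBHHHHH"          # 36-byte fixed part of CFHEADER
CFFILE_FMT = "<IIHHHH"                   # 16-byte fixed part of CFFILE (name follows)
SUSPECT_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

def list_cab_members(data: bytes) -> list[tuple[str, int]]:
    """Return (name, uncompressed size) for each CFFILE entry; raise ValueError on bad input."""
    if len(data) < struct.calcsize(CFHEADER_FMT) or data[:4] != b"MSCF":
        raise ValueError("not a CAB file (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, data)
    if cb_cabinet > len(data) or coff_files >= len(data):
        raise ValueError("CAB header offsets exceed file size")
    members, pos = [], coff_files
    for _ in range(c_files):
        if pos + 16 > len(data):
            raise ValueError("truncated CFFILE entry")
        cb_file, _off, _folder, _date, _time, _attr = struct.unpack_from(CFFILE_FMT, data, pos)
        end = data.find(b"\x00", pos + 16)          # szName is NUL-terminated
        if end == -1:
            raise ValueError("unterminated CFFILE name")
        members.append((data[pos + 16:end].decode("latin-1"), cb_file))
        pos = end + 1
    return members

def triage_cab(data: bytes) -> dict:
    """Flag archives that bundle another .cab with an executable member."""
    names = [n.lower() for n, _ in list_cab_members(data)]
    nested = [n for n in names if n.endswith(".cab")]
    execs = [n for n in names if n.endswith(SUSPECT_EXT)]
    return {"members": names, "nested_cab": nested, "executables": execs,
            "suspicious": bool(nested) and bool(execs)}

def _build_sample_cab() -> bytes:
    """Constructed, directory-only CAB (no CFDATA) used as sample input for this example."""
    folder = struct.pack("<IHH", 0, 0, 0)            # one CFFOLDER, typeCompress=0 (none)
    files = b""
    for name, size in ((b"payload.exe", 4096), (b"stage2.cab", 8192)):
        files += struct.pack(CFFILE_FMT, size, 0, 0, 0, 0, 0x20) + name + b"\x00"
    coff_files = struct.calcsize(CFHEADER_FMT) + len(folder)
    total = coff_files + len(files)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, 2, 0, 0, 0)
    return header + folder + files

if __name__ == "__main__":
    print(triage_cab(_build_sample_cab()))
```

Because only the directory is parsed, the check runs safely on untrusted samples and can be chained over each inner .cab after a sandboxed extraction to measure the nesting depth.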