Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc

Summary:
A financially motivated East European threat actor known as "Unfurling Hemlock" has been employing a sophisticated technique akin to a cluster bomb to deploy up to ten unique malware files simultaneously on systems in the US, Germany, Russia, and other countries. This approach involves using deeply nested compressed Microsoft Cabinet (CAB) files, sometimes up to seven levels deep, to distribute various information stealers and malware loaders. Since February 2023, Unfurling Hemlock has delivered hundreds of thousands of malware files to around 50,000 users worldwide, with over half of the infections occurring in the US. The malware includes Mystic Stealer, Rise Pro, Redline, SmokeLoader, and Amadey, and is sometimes distributed on behalf of other threat groups.

The attacks typically begin with the execution of "wextract.exe," a legitimate Windows executable for extracting CAB files. Each level of nested CAB files releases different malware variants, including tools that disable Windows Defender and other endpoint security products. This nested approach makes defense and eradication harder, because each stage of malware is deployed and can be managed independently of the others.

Security Officer Comments:
Researchers at Outpost24 identified Unfurling Hemlock and its techniques, noting that the malware spreads through emails and sometimes via other threat groups' loaders. The group collaborates with other threat actors, using their infrastructure and language, suggesting a base in Eastern Europe. Outpost24 discovered the campaign while investigating reports from other researchers, including McAfee, about similar attacks deploying numerous malware samples at once on compromised systems. Their analysis revealed multiple similarities between these attacks, leading to the conclusion that a single actor was behind all of them.

Unfurling Hemlock's method of using nested CAB files complicates defense and eradication efforts. As each stage of the CAB files is unpacked, a new malware variant is dropped onto the victim's machine, with the final stage's extracted files executed in reverse order. This technique harks back to methods used in past sophisticated malware like Flame and Gauss, making it particularly challenging for victims to confirm complete eradication of the infection. Some second-stage tools may have their own independent command-and-control systems (C2), further complicating eradication.
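The defensive counterpart to the nesting described above and in the summary is a gateway check that measures how deep an incoming cabinet actually goes, regardless of file extension. The following Python is an added example written for this write-up; it is not code from Outpost24, Dark Reading or the campaign, and it makes two assumptions: cabinets are parsed only when their folders use no compression (typeCompress = 0; compressed folders are treated as opaque and counted as one level), and the sample cabinets are constructed in-line by the `build_cab` fixture helper rather than taken from the wild. The depth limit guards the scanner itself against unbounded recursion.

```python
import struct

CAB_MAGIC = b"MSCF"
CFHDR_RESERVE_PRESENT = 0x0004   # header flag: extra reserve fields follow the fixed header
MAX_CFDATA_UNCOMP = 0x8000       # one CFDATA block carries at most 32 KiB of uncompressed data


def build_cab(members):
    """Constructed fixture only: assemble a single-folder, uncompressed CAB from
    (name, bytes) pairs, laid out as CFHEADER, CFFOLDER, CFFILE entries, one CFDATA."""
    stream = b"".join(data for _, data in members)
    if len(stream) > MAX_CFDATA_UNCOMP:
        raise ValueError("fixture builder emits a single CFDATA block only")
    cffiles, offset = b"", 0
    for name, data in members:
        # cbFile, uoffFolderStart, iFolder, date, time, attribs (0x20 = archive), szName
        cffiles += struct.pack("<IIHHHH", len(data), offset, 0, 0, 0, 0x20)
        cffiles += name.encode("ascii") + b"\0"
        offset += len(data)
    coff_files = 36 + 8                       # fixed CFHEADER + one 8-byte CFFOLDER
    coff_cab_start = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(stream), len(stream)) + stream  # csum left as 0
    cb_cabinet = coff_cab_start + len(cfdata)
    header = CAB_MAGIC + struct.pack(
        "<IIIIIBBHHHHH",
        0, cb_cabinet, 0, coff_files, 0,      # reserved1, cbCabinet, reserved2, coffFiles, reserved3
        3, 1,                                 # versionMinor, versionMajor
        1, len(members), 0, 0, 0)             # cFolders, cFiles, flags, setID, iCabinet
    folder = struct.pack("<IHH", coff_cab_start, 1, 0)  # coffCabStart, cCFData, typeCompress=NONE
    return header + folder + cffiles + cfdata


def parse_cab(blob):
    """Return [(name, bytes), ...] for a flat, uncompressed cabinet.
    Raises ValueError for anything it cannot inspect safely."""
    if len(blob) < 36 or blob[:4] != CAB_MAGIC:
        raise ValueError("not a CAB header")
    (cb_cabinet, coff_files, _minor, _major, c_folders, c_files,
     flags, _set_id, _i_cab) = struct.unpack_from("<4xI4xI4xBBHHHHH", blob, 4)
    if flags & CFHDR_RESERVE_PRESENT:
        raise ValueError("reserve fields present; not handled by this parser")
    if cb_cabinet > len(blob):
        raise ValueError("truncated cabinet")
    folders = [struct.unpack_from("<IHH", blob, 36 + 8 * i) for i in range(c_folders)]
    streams = []                              # one reassembled byte stream per folder
    for coff_cab_start, c_cfdata, type_compress in folders:
        if type_compress != 0:
            raise ValueError("compressed folder; needs a decompressor before inspection")
        pos, chunks = coff_cab_start, []
        for _ in range(c_cfdata):
            _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", blob, pos)
            chunks.append(blob[pos + 8:pos + 8 + cb_data])
            pos += 8 + cb_data
        streams.append(b"".join(chunks))
    members, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _d, _t, _attr = struct.unpack_from("<IIHHHH", blob, pos)
        pos += 16
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("ascii", "replace")
        pos = end + 1
        if i_folder >= len(streams):
            raise ValueError("file refers to a folder outside this cabinet")
        members.append((name, streams[i_folder][uoff:uoff + cb_file]))
    return members


def nesting_depth(blob, limit=16):
    """0 for a non-CAB blob, 1 for a cabinet holding only plain files, 2 for a
    cabinet containing a cabinet, and so on. Detection is by the MSCF magic, so a
    renamed .cab still counts. Recursion stops at `limit`; an opaque (compressed or
    malformed) cabinet counts as one level because it cannot be looked into."""
    if blob[:4] != CAB_MAGIC:
        return 0
    if limit <= 0:
        return 1
    try:
        members = parse_cab(blob)
    except (ValueError, struct.error):
        return 1
    return 1 + max((nesting_depth(data, limit - 1) for _, data in members), default=0)


def is_cluster_suspect(blob, allowed_depth=2):
    """Gateway verdict: anything nested deeper than `allowed_depth` is held for review."""
    return nesting_depth(blob) > allowed_depth


if __name__ == "__main__":
    sample = build_cab([("payload.txt", b"hello")])
    for _ in range(7):                        # constructed seven-level nesting, as described in the report
        sample = build_cab([("stage.cab", sample), ("note.txt", b"x")])
    print("depth:", nesting_depth(sample), "suspect:", is_cluster_suspect(sample))
```

In production the folders of a real cabinet will almost always be MSZIP or LZX compressed, so the parser above would report them as opaque; the practical deployment hands each folder to a proper decompressor (cabextract or libmspack, for example) and feeds every extracted member back into `nesting_depth`, keeping the same recursion cap so that a deliberately deep archive cannot exhaust the scanner.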

Suggested Corrections:
Outpost24 predicts that other threat actors will adopt similar tactics in the future. Despite the complexity of the delivery method, the malware and techniques used by Unfurling Hemlock are well-known and documented. This emphasizes the importance of maintaining fundamental security practices. As Outpost24's Hector Garcia noted, these cluster bombs are not highly sophisticated regarding obfuscation and anti-analysis techniques, and most of the malware dropped and executed on victims' machines are widely known and documented.

Link(s):
https://www.darkreading.com/cyberat...lti-malware-cluster-bomb-campaign-cyber-havoc

https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/