Cybersecurity researchers from Outpost24’s KrakenLabs observed a new and quite unique malware campaign that seems to values quantity over quality.
Usually, when hackers compromise a device, they deploy a single piece of malware and try their best to remain unseen and persistent, as they use the computer for whatever end goal they have.
But this new campaign, dubbed Unfurling Hemlock, does the exact opposite, making it stand out in the world of cybercrime. The researchers are saying that once the victim triggers the malware executable – in this case called ‘EXTRACT.EXE’ – they receive a handful of different malware, infostealers, and botnet executables.
Malware cluster bomb
The chances of the malware being picked up by cybersecurity solutions is high, but the researchers believe the attackers are hoping at least some of the payloads will survive the purge. Among the things dropped on the devices are Redline (popular infostealer), RisePro (an upcoming infostealer), Mystic Stealer (infostealing malware-as-a-service), Amadey (loader), SmokeLoader (another loader), Protection Disabler (a utility that disables Windows Defender and other security features), Enigma Packer (obfuscation tool), Healer (anti-security solution), and Performance Checker (a utility that checks and logs the performance of malware execution).
This “malware cluster bomb” was first spotted in February 2024, the researchers said, claiming to have seen more than 50,000 cluster bomb files, all with unique characteristics that link them back to Unfurling Hemlock.
KrakenLabs could not say with absolute certainty who the threat actors behind Unfurling Hemlock are, but they are fairly confident they are of Eastern European origin. Some of the evidence pointing in that direction is the use of Russian language in some of the samples, and the use of the Autonomous System 203727, related to a hosting service cybercrime groups in the region usually use.
Luckily enough, the malware being pushed through this campaign is well-known and most reputable antivirus programs will flag it.
Via BleepingComputer
+ There are no comments
Add yours