Cybersecurity researchers at Outpost24's KrakenLabs observed a new and rather unique malware campaign that appears to value quantity over quality.
Typically, when hackers compromise a device, they deploy a single piece of malware and try to do everything they can to remain invisible and persistent, while using the computer for whatever end goal they have.
But this new campaign, called Unfurling Hemlock, does exactly the opposite, which makes it stand out in the world of cybercrime. Researchers say that once the victim runs the malware executable, in this case called 'EXTRACT.EXE', they receive a handful of different malware executables, including information stealers and botnets.
Malware Cluster Bomb
The chances of cybersecurity solutions detecting the malware are high, but researchers believe the attackers are hoping that at least some of the payloads will survive the purge. Among the payloads dropped on infected devices are Redline (a popular info-stealer), RisePro (an emerging info-stealer), Mystic Stealer (info-stealing malware-as-a-service), Amadey (loader), SmokeLoader (another loader), Protection Disabler (a utility that disables Windows Defender and other security features), Enigma Packer (obfuscation tool), Healer (anti-security solution), and Performance Checker (a utility that checks and logs the performance of malware execution).
This “cluster bomb malware” was first detected in February 2024, said the researchers, who claimed to have seen more than 50,000 cluster bomb files, all with unique characteristics that link them to Unfurling Hemlock.
KrakenLabs couldn’t say with absolute certainty who the threat actors behind Unfurling Hemlock are, but they are fairly certain that they are of Eastern European origin. Some of the evidence pointing in that direction is the use of the Russian language in some of the samples and the use of Autonomous System 203727, which is related to a hosting service that is often used by cybercriminal groups in the region.
Fortunately, the malware spread through this campaign is well known and most reliable antivirus programs will detect it.
Via BleepingComputer