Full Report
While reviewing common TTPs in malware campaigns used last year, Outpost24's Cyber Threat Intelligence team, KrakenLabs, came across several reports and articles describing a novel infection technique being used to distribute various types of malware that are not necessarily related to each other, for example this article analyzing Amadey and this one discussing Redline. Upon closer […] The post Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware appeared first on Outpost24.
Analysis Summary
# Threat Actor: Unfurling Hemlock
## Attribution & Identity
The group is likely based in an **Eastern European country**, as evidenced by Russian-language strings in some samples and by the hosting infrastructure it used. KrakenLabs identified it as a previously undocumented threat group.
## Activity Summary
Unfurling Hemlock is responsible for a campaign spanning several months that used a novel infection technique, dubbed the "cluster bomb", to drop several malware payloads from a single initial file. Tens of thousands of samples were observed worldwide, amounting to hundreds of thousands of deployed malware infections. The actor appears to have contracted other operators to aid in distribution, mainly via loaders and email.
## Tactics, Techniques & Procedures
- **Distribution Mechanism:** Use of compressed **cabinet files** (`.cab`).
- **Naming Convention:** Distribution samples were consistently named **“WEXTRACT.EXE .MUI”**.
- **Cluster Bomb Technique:** Extreme nesting of compressed files, up to **seven levels** deep. Each level contained another compressed file and a malware sample; the deepest level contained two malware samples.
- **Payload Delivery:** Each nesting level therefore dropped one additional file: a malware sample, a utility, or the next nested archive.
- **Defense Evasion/Infection Aid:** Distribution files often included utilities designed to **disable Windows Defender and other protection software**, as well as obfuscators.
- **Malware Types Used:** Primarily **stealers** (Redline, RisePro, Mystic Stealer) and **loaders** (Amadey, SmokeLoader).
- **Behavior:** Executing "WEXTRACT.EXE .MUI" writes two files: a malware sample or utility, and the next nested archive, which repeats the process at the following level.
## Targeting
- **Sectors:** Not specified; the objective appears to be mass infection rather than compromise of a particular industry.
- **Geography:** Infections were observed **all over the world**.
- **Victims:** No specific organizations are named; the operation is scaled to maximize victim count rather than to reach chosen targets.
## Tools & Infrastructure
- **Malware Families Used:**
* Stealers: Redline, RisePro, Mystic Stealer
* Loaders: Amadey, SmokeLoader
- **Infrastructure (C2, domains, IPs):** A significant portion of the distribution hosts sat in **Autonomous System 203727**, an AS historically used by Eastern European cybercriminals for hosting.
## Implications
Unfurling Hemlock adopted a strategy to maximize gains from a single initial infection by simultaneously stealing data, loading secondary persistent malware, and potentially generating affiliate revenue by dropping third-party malware. The sheer volume of samples distributed indicates a large-scale, well-resourced operation. While the observed campaign appears dormant, the group may have merely shifted infrastructure or paused operations.
## Mitigations
- **Content Inspection:** Ensure mail and endpoint defenses **unpack and inspect the contents of compressed files** (cabinet files in particular), recursing into archives nested inside archives rather than scanning only the outer container.
- **Execution Controls:** Implement robust execution controls (application allow-listing or equivalent) so that executables dropped from archives into user-writable locations cannot run.
- **Endpoint Protection:** Use modern anti-malware solutions capable of detecting the widely documented malware families being distributed (Redline, Amadey, etc.).
- **User Education:** End users must avoid downloading or executing suspicious files received via email or obtained from untrusted sources.
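The nesting described under Tactics, Techniques & Procedures and the content-inspection mitigation above come down to the same capability: walking a cabinet file, extracting what it carries, and recursing into any cabinet found inside while keeping the walk bounded. The Python below is an added example written for this summary; it is not code from Outpost24, KrakenLabs, or the campaign. It implements a parser for the documented CFHEADER/CFFOLDER/CFFILE/CFDATA layout of uncompressed (tcompTYPE_NONE) cabinets, a small writer used only to construct a synthetic nested sample with placeholder bytes in place of malware, and a walker that reports the nesting depth. The function names (`build_cab`, `parse_cab`, `carve_cab`, `inspect`, `cluster_bomb_score`, `build_cluster_bomb`), the depth threshold, and the "MSCF"-signature carving heuristic are assumptions of the example; the real campaign nested self-extracting executables rather than bare .cab files, which the carve step only approximates.

```python
"""Added example: minimal .cab parser plus a nesting-depth walker for the cluster-bomb layout.
Not Outpost24/KrakenLabs code; only uncompressed (tcompTYPE_NONE) folders are handled."""
import struct

CAB_MAGIC = b"MSCF"
MAX_BLOCK = 0x8000         # one CFDATA block holds at most 32768 uncompressed bytes
HDR_FMT = "<IIIIIBBHHHHH"  # CFHEADER after "MSCF": res1, cbCabinet, res2, coffFiles, res3, verMinor,
                           # verMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes with magic)
FOLDER_FMT = "<IHH"        # CFFOLDER: coffCabStart, cCFData, typeCompress
FILE_FMT = "<IIHHHH"       # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, then szName
DATA_FMT = "<IHH"          # CFDATA: csum, cbData, cbUncomp, then the bytes

class NestingLimit(Exception):
    """Archive nests deeper than the caller allows; a bounded walk is the point of the check."""

def build_cab(entries):
    """Write a single-folder, uncompressed cabinet from [(name, bytes), ...]; used to build samples."""
    stream = b"".join(data for _, data in entries)
    cffiles, offset = b"", 0
    for name, data in entries:
        cffiles += struct.pack(FILE_FMT, len(data), offset, 0, 0, 0, 0x20) + name.encode("ascii") + b"\0"
        offset += len(data)
    chunks = [stream[i:i + MAX_BLOCK] for i in range(0, len(stream), MAX_BLOCK)]
    cfdata = b"".join(struct.pack(DATA_FMT, 0, len(c), len(c)) + c for c in chunks)
    coff_files = 36 + 8                                   # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    header = CAB_MAGIC + struct.pack(HDR_FMT, 0, coff_data + len(cfdata), 0, coff_files, 0,
                                     3, 1, 1, len(entries), 0, 0, 0)
    return header + struct.pack(FOLDER_FMT, coff_data, len(chunks), 0) + cffiles + cfdata

def parse_cab(blob):
    """Return [(name, bytes), ...] for an uncompressed cabinet; ValueError on malformed input."""
    if blob[:4] != CAB_MAGIC or len(blob) < 36:
        raise ValueError("not a cabinet")
    _, cb, _, coff_files, _, _, _, n_folders, n_files, flags, _, _ = struct.unpack_from(HDR_FMT, blob, 4)
    if cb > len(blob):
        raise ValueError("cbCabinet exceeds the bytes available (truncated archive)")
    if flags & 0x0004:
        raise ValueError("cfhdrRESERVE_PRESENT layout not handled")
    blob, folders, pos = blob[:cb], [], 36
    for _ in range(n_folders):                            # decode each folder's CFDATA chain
        coff_data, n_blocks, comp = struct.unpack_from(FOLDER_FMT, blob, pos)
        pos += 8
        if comp & 0x000F:
            raise ValueError("compressed folder (MSZIP/Quantum/LZX) needs a real decompressor")
        out = bytearray()
        for _ in range(n_blocks):
            _, cb_data, cb_uncomp = struct.unpack_from(DATA_FMT, blob, coff_data)
            coff_data += 8
            if cb_data != cb_uncomp or coff_data + cb_data > len(blob):
                raise ValueError("bad CFDATA block")
            out += blob[coff_data:coff_data + cb_data]
            coff_data += cb_data
        folders.append(bytes(out))
    files, pos = [], coff_files
    for _ in range(n_files):                              # CFFILE entries index into folder streams
        size, start, i_folder, _, _, _ = struct.unpack_from(FILE_FMT, blob, pos)
        end = blob.index(b"\0", pos + 16)
        name, pos = blob[pos + 16:end].decode("latin-1"), end + 1
        if i_folder >= len(folders) or start + size > len(folders[i_folder]):
            raise ValueError(f"{name!r} points outside its folder data")
        files.append((name, folders[i_folder][start:start + size]))
    return files

def carve_cab(data):
    """Heuristic stand-in for unpacking an SFX carrier: first embedded cabinet that fits, else None."""
    idx = data.find(CAB_MAGIC)
    while idx != -1:
        if len(data) - idx >= 36:
            cb = struct.unpack_from("<I", data, idx + 8)[0]
            if 36 <= cb <= len(data) - idx:
                return data[idx:idx + cb]
        idx = data.find(CAB_MAGIC, idx + 1)
    return None

def inspect(blob, name="<root>", depth=0, max_depth=16):
    """Recursively enumerate a cabinet: [(depth, name, kind)], kind in {'cab', 'pe', 'other'}."""
    if depth > max_depth:
        raise NestingLimit(f"{name}: nested deeper than {max_depth}, refusing to continue")
    rows = [(depth, name, "cab")]
    for child, data in parse_cab(blob):
        inner = carve_cab(data)
        if inner is not None:
            try:
                rows += inspect(inner, child, depth + 1, max_depth)
                continue
            except (ValueError, struct.error):
                pass                                      # signature hit, but not a valid cabinet
        rows.append((depth + 1, child, "pe" if data[:2] == b"MZ" else "other"))
    return rows

def cluster_bomb_score(rows, min_depth=3):
    """(deepest cabinet level, verdict); the threshold is an assumption, the reported samples hit seven."""
    deepest = max(d for d, _, kind in rows if kind == "cab")
    return deepest, deepest >= min_depth

def build_cluster_bomb(levels=7):
    """Constructed sample with the reported shape: each cabinet carries one placeholder 'payload'
    and the next cabinet; the innermost carries two. Placeholder bytes only, no malware."""
    fake_pe = b"MZ" + b"\0" * 62 + b"placeholder, not executable code"
    cab = build_cab([("payload_a.exe", fake_pe), ("payload_b.exe", fake_pe)])
    for i in range(levels - 1, 0, -1):
        cab = build_cab([(f"stage{i}.exe", fake_pe), ("WEXTRACT.EXE .MUI", cab)])
    return cab
```

Running `inspect(build_cluster_bomb())` yields seven cabinet rows (levels 0 through 6) and eight placeholder executables, and `cluster_bomb_score` reports depth 6 with a positive verdict, whereas a flat installer cabinet scores 0. Two design points carry over to a production scanner: the walk must be bounded (`max_depth`, and in practice a total-extracted-bytes budget as well, since a compressed archive can also be a decompression bomb), and real-world samples use MSZIP or LZX folders and self-extracting PE wrappers, so the parser stage would be replaced by a full cabinet library such as libmspack or cabextract while the recursion and scoring logic stays the same.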