Article Details
Scrape Timestamp (UTC): 2024-06-27 22:32:44.171
Original Article Text
New Unfurling Hemlock threat actor floods systems with malware

A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files.

Security researchers describe the infection method as a "malware cluster bomb": a single malware sample that spreads additional ones on the compromised machine. The types of malware delivered this way include information stealers, botnets, and backdoors.

The operation was discovered by Outpost24's KrakenLabs, the security company's Cyber Threat Intelligence team, who say that the activity dates back to at least February 2023 and uses a distinctive distribution method. KrakenLabs has seen over 50,000 "cluster bomb" files that share unique characteristics linking them to the Unfurling Hemlock group.

Unfurling Hemlock attack overview

The attacks begin with the execution of a file named 'WEXTRACT.EXE', which arrives on target devices either via malicious emails or via malware loaders whose operators Unfurling Hemlock pays for access.

The malicious executable contains nested compressed cabinet files, with each level holding a malware sample and yet another compressed file. Each unpacking step drops a malware variant on the victim's machine. When the final stage is reached, the extracted files are executed in reverse order, meaning the most recently extracted malware runs first.

KrakenLabs has seen between four and seven stages, so the number of steps and the amount of malware delivered during Unfurling Hemlock attacks varies.

From the analyzed samples, the researchers deduced that over half of all Unfurling Hemlock attacks targeted systems in the United States, while relatively high-volume activity was also seen in Germany, Russia, Turkey, India, and Canada.
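The nesting described above (one payload plus one inner archive per layer, payloads executed in reverse extraction order) is easy to misread from prose alone. The following is an added triage example, not code from the article or from KrakenLabs: it builds a constructed layered archive, walks it without executing anything, records the depth and SHA-256 of every dropped payload, and derives the reverse execution order. ZIP stands in for the cabinet (CAB) format of the real samples because the Python standard library has no CAB reader; the layering logic is the same. The inner-archive name, stage file names, payload bytes and known-bad hash set are all constructed for the example.

```python
"""Static triage of a nested-archive "cluster bomb" dropper.

Every layer holds one payload plus one inner archive; the innermost payload
(the last one extracted) is the first one to run. ZIP replaces CAB here
because the standard library cannot read CAB files. All data is constructed.
"""
import hashlib
import io
import zipfile

INNER_NAME = "inner.bin"   # assumed name of the nested archive at each layer


def build_nested_archive(payloads: list[bytes]) -> bytes:
    """Build an archive-in-archive chain; payloads[0] belongs to the outermost
    layer. Constructed fixture that mimics the nesting, not a real sample."""
    inner = None
    # Build from the innermost layer outward so each layer can embed the next.
    for depth in range(len(payloads) - 1, -1, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"stage{depth}.exe", payloads[depth])
            if inner is not None:
                zf.writestr(INNER_NAME, inner)
        inner = buf.getvalue()
    return inner


def unpack_nested(blob: bytes, max_depth: int = 32) -> list[dict]:
    """Walk the chain without executing anything. Returns one record per
    payload with its depth, name, size and SHA-256. max_depth bounds
    runaway recursion on adversarial (zip-bomb style) input."""
    layers = []
    current = blob
    depth = 0
    while current is not None and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(current)) as zf:
            names = zf.namelist()
            nxt = zf.read(INNER_NAME) if INNER_NAME in names else None
            for name in names:
                if name == INNER_NAME:
                    continue
                data = zf.read(name)
                layers.append({
                    "depth": depth,
                    "name": name,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
        current = nxt
        depth += 1
    return layers


def execution_order(layers: list[dict]) -> list[str]:
    """Reverse extraction order: the deepest (last extracted) payload runs first."""
    return [layer["name"] for layer in reversed(layers)]


def match_known_hashes(layers: list[dict], blocklist: set[str]) -> list[str]:
    """Names of extracted payloads whose hash is in a known-bad set, the kind
    of lookup an up-to-date AV signature scan performs before execution."""
    return [layer["name"] for layer in layers if layer["sha256"] in blocklist]


if __name__ == "__main__":
    # Four constructed stages; the real samples carry between four and seven.
    sample = build_nested_archive([b"loader", b"stealer", b"botnet", b"backdoor"])
    found = unpack_nested(sample)
    for layer in found:
        print(f"depth={layer['depth']} {layer['name']} {layer['size']}B {layer['sha256'][:16]}")
    print("execution order:", execution_order(found))
```

The walk stops at `max_depth` layers, so a maliciously deep chain cannot exhaust the analyst's machine; in practice the payload hashes from `unpack_nested` are what you would feed to an AV or threat-intelligence lookup.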
A malware "cluster bomb"

Dropping multiple payloads on a compromised system gives threat actors a high degree of redundancy, providing more persistence and monetization opportunities. Despite the disadvantage of a greater risk of detection, many threat actors follow this aggressive strategy, expecting that at least some of their payloads will survive the cleanup process.

In the case of Unfurling Hemlock, KrakenLabs analysts observed the following malware, loaders, and utilities dropped on victims' machines:

KrakenLabs' report does not delve into the monetization pathways or post-compromise activity, but it can be assumed that Unfurling Hemlock sells info-stealer "logs" and initial access to other threat actors.

Based on the evidence discovered during the investigation, the researchers believe with "a reasonable degree of certainty" that Unfurling Hemlock is based in an Eastern European country. Two indications of this origin are the presence of Russian language in some of the samples and the use of Autonomous System 203727, which is associated with a hosting service popular with cybercriminal gangs in the region.

Outpost24 recommends that users scan downloaded files with up-to-date anti-virus tools before executing them, as all malware dropped in this campaign is well documented and has known signatures.
Daily Brief Summary
Unfurling Hemlock, a new threat actor, employs a distinctive strategy termed a "malware cluster bomb" to deliver multiple malware types simultaneously.
The primary distribution methods include malicious emails and malware loaders, with attacks beginning via a file named 'WEXTRACT.EXE'.
The malicious executable is structured in nested levels, each containing a different malware payload, deploying between four and ten malware types per attack.
Unfurling Hemlock has been active since at least February 2023, with a significant proportion of the attacks targeting the United States.
KrakenLabs has identified over 50,000 files associated with these attacks, all featuring similar unique characteristics.
The types of malware distributed include information stealers, botnets, and backdoors.
Outpost24 advises users to employ up-to-date antivirus tools to scan downloaded files, underlining that the malware used is well-known and detectable by security software.