KrakenLabs, in their investigation, has uncovered a complex and extensive malware campaign termed “Unfurling Hemlock.” This campaign utilizes a unique cluster bomb approach, distributing diverse malware types globally through nested cabinet files named “WEXTRACT.EXE .MUI.” These files, found in tens of thousands of samples, exhibit up to seven levels of nesting, each containing malware like Redline, RisePro, Amadey, and SmokeLoader. The intent behind this method appears twofold: to maximize the number of infections per victim and to generate financial gain, potentially through pay-per-infection schemes.
Evidence points to the campaign’s origin in Eastern Europe, indicated by Russian language presence in some samples and infrastructure tied to previous Eastern European cybercriminal activities. The distribution strategy is widespread, involving multiple channels and likely subcontracted operators to propagate the malware, often including tools to bypass security defenses like Windows Defender. This aggressive approach not only aims to compromise systems with multiple malware strains but also highlights a profit-driven motive, exploiting vulnerable systems globally.
The operation’s complexity is underscored by its meticulous planning to infect victims comprehensively. Each nested layer in the malware deployment scheme aims to evade detection and enhance persistence, demonstrating a sophisticated understanding of cybersecurity vulnerabilities. Rapid7’s analysis reveals a significant cybersecurity threat demanding heightened awareness and robust defensive strategies to mitigate the risks posed by such expansive and coordinated cyber campaigns.
Reference:
