The attacker's approach involves nesting compressed Microsoft Cabinet (CAB) files inside other CAB files - sometimes as many as seven deep - to distribute a variety of information stealers and malware loaders to victim systems.
Widespread Cluster Bomb Malware Distribution

Since at least February 2023, the adversary has distributed hundreds of thousands of malware files this way to systems belonging to some 50,000 users worldwide, according to researchers at Outpost24.
The malware used includes information stealers such as Mystic Stealer, Rise Pro, and Redline; and loaders such as SmokeLoader and Amadey.
KrakenLabs' analysis suggested that Unfurling Hemlock is distributing at least some of the malware and loaders on behalf of other threat groups, while also using other groups to help distribute its own cluster bombs.
Based on malware samples uploaded to VirusTotal, more than half of the systems that the adversary has infected so far appear to be US-based.
Outpost24 uncovered the campaign while investigating reports by other researchers - including those at McAfee - on attacks last year in which threat actors deployed numerous malware samples at once on compromised systems.
The security vendor's analysis showed multiple similarities between the different attacks that allowed it to conclude a single actor was behind all of them.
The company assessed that the threat group is likely based in Eastern Europe, citing the use of Russian in some malware samples and the group's use of infrastructure hosted in the region to store and distribute the malware.
Carpet Bombing for Maximum Cyber Damage

In its report, Outpost24 described Unfurling Hemlock as distributing its cluster bomb malware via email, and sometimes through malware loaders belonging to other threat groups.
CAB files let developers compress and package multiple files into a single archive for distribution or storage.
CAB files are commonly used in software installation packages and driver updates.
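As an added illustration (not code from the article or from Outpost24's report), the following Python walks the CFHEADER, CFFOLDER, CFFILE and CFDATA structures of a cabinet and recurses into members that are themselves cabinets, so a triage script can flag the unusual nesting depth described above. It assumes cabinets without a reserve area, decodes only uncompressed folders (MSZIP, Quantum and LZX folders are treated as one opaque level), and the `build_cab` and `nested_sample` helpers construct the test data rather than reading real samples.

```python
import struct
CFHEADER = "<4sIIIIIBBHHHHH"  # MSCF, reserved1, cbCabinet, reserved2, coffFiles, reserved3, verMinor, verMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-terminated szName
CFDATA = "<IHH"               # csum, cbData, cbUncomp, then cbData payload bytes

def parse_cab(blob):  # {name: bytes} of an uncompressed cabinet; ValueError on bad magic or a compressed folder
    if blob[:4] != b"MSCF":
        raise ValueError("not a cabinet")
    _, _, _, _, coff_files, _, _, _, n_folders, n_files, _, _, _ = struct.unpack_from(CFHEADER, blob, 0)
    entries, folder_data, pos = [], [], coff_files
    for _ in range(n_files):
        cb, uoff, ifolder = struct.unpack_from(CFFILE, blob, pos)[:3]
        end = blob.index(b"\0", pos + 16)
        entries.append((blob[pos + 16:end].decode("latin-1"), cb, uoff, ifolder))
        pos = end + 1
    for coff, n_blocks, ctype in (struct.unpack_from(CFFOLDER, blob, 36 + 8 * i) for i in range(n_folders)):
        if ctype & 0x000F:  # 1 = MSZIP, 2 = Quantum, 3 = LZX: decoders not implemented here
            raise ValueError("compressed folder, type %d" % (ctype & 0x000F))
        out, p = bytearray(), coff
        for _ in range(n_blocks):
            cb_data = struct.unpack_from(CFDATA, blob, p)[1]  # checksum deliberately not verified
            out += blob[p + 8:p + 8 + cb_data]
            p += 8 + cb_data
        folder_data.append(bytes(out))
    return {name: folder_data[f][uoff:uoff + cb] for name, cb, uoff, f in entries}

def cab_nesting_depth(blob):  # 0 = not a cabinet, 1 = flat cabinet, 2 = cabinet inside a cabinet, and so on
    if blob[:4] != b"MSCF":
        return 0
    try:
        return 1 + max(map(cab_nesting_depth, parse_cab(blob).values()), default=0)
    except (ValueError, IndexError, struct.error):  # compressed, truncated or malformed: opaque, one level
        return 1

def build_cab(files):  # constructed test data: one uncompressed folder, one CFDATA block, checksum left zero
    payload, cffiles = b"", b""
    for name, content in files:
        cffiles += struct.pack(CFFILE, len(content), len(payload), 0, 0, 0, 0x20) + name.encode() + b"\0"
        payload += content
    cfdata = struct.pack(CFDATA, 0, len(payload), len(payload)) + payload
    coff_data = 36 + 8 + len(cffiles)  # CFHEADER + one CFFOLDER + the CFFILE table
    header = struct.pack(CFHEADER, b"MSCF", 0, coff_data + len(cfdata), 0, 36 + 8, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + struct.pack(CFFOLDER, coff_data, 1, 0) + cffiles + cfdata

def nested_sample(depth):  # constructed sample: a decoy text file plus the previous layer, wrapped `depth` times
    inner = b"MZ constructed stand-in for a dropped payload\n"
    for level in range(depth):
        inner = build_cab([("readme.txt", b"decoy"), ("stage%d.cab" % level, inner)])
    return inner
```

`cab_nesting_depth(nested_sample(7))` returns 7; a legitimate installer cabinet normally reports 1, so a threshold of 2 or more is a cheap signal worth surfacing during mail or endpoint triage.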
Among the several files the threat actor has been deploying are obfuscators and tools for disabling Windows Defender and other endpoint threat detection and response systems on the victim machine.
Evan Dornbush, former NSA cybersecurity expert and co-founder of Point3 Security, says the attacker's tactic of packaging multiple known tools together and deploying them through nested cab files can be challenging for defenders to handle.
The approach not only facilitates defense evasion, it also makes malware eradication harder to achieve and to confirm.
Outpost24 expects other threat actors will start using the same or similar tactics as Unfurling Hemlock to distribute malware in the future.
The key for defenders is to continue paying attention to the security basics.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 01 Jul 2024 21:55:07 +0000