A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files.
The types of malware delivered this way include information stealers, botnets, and backdoors.
The attacks begin with the execution of a file named 'WEXTRACT.EXE', which reaches target devices either through malicious emails or through malware loaders whose operators Unfurling Hemlock pays for distribution.
The malicious executable contains nested compressed cabinet files, with each level containing a malware sample and yet another compressed file.
Each unpacking step drops a malware variant on the victim's machine.
When the final stage is reached, the extracted files are executed in reverse order, meaning the most recently extracted malware is executed first.
KrakenLabs has seen between four and seven stages, so the number of unpacking steps, and with it the amount of malware dropped, varies from one Unfurling Hemlock attack to another.
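The nesting described above can be checked mechanically. The following Python script is an added illustration, not code from the KrakenLabs/Outpost24 report: it reads the Microsoft cabinet structures (CFHEADER, CFFOLDER, CFFILE, CFDATA), walks any cabinet it finds inside a dropped file, and prints the drop order together with the reverse execution order. It builds its own constructed three-level fixture (the file names, payload bytes and the `build_cab` helper are assumptions for the example), and it only handles stored (uncompressed, typeCompress 0) single-cabinet sets, so on a real WEXTRACT sample you would let cabextract or 7z decompress each level and then feed the result to `walk_cabinet`.

```python
import struct

MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # signature .. iCabinet (36 bytes)
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE_FIXED = struct.Struct("<IIHHHH")      # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp (payload bytes follow)
COMPRESS_NONE = 0
RESERVE_PRESENT = 0x0004                     # cfhdrRESERVE_PRESENT flag


def build_cab(files):
    """Build a single-folder, uncompressed cabinet. Fixture helper for this example only."""
    payload = b"".join(data for _, data in files)
    cffiles, off = b"", 0
    for name, data in files:                 # each CFFILE points into the folder's byte stream
        cffiles += CFFILE_FIXED.pack(len(data), off, 0, 0, 0, 0x20) + name.encode() + b"\0"
        off += len(data)
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(cffiles)
    cfdata = CFDATA.pack(0, len(payload), len(payload)) + payload   # one block, no checksum
    total = coff_data + len(cfdata)
    header = CFHEADER.pack(MAGIC, 0, total, 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + CFFOLDER.pack(coff_data, 1, COMPRESS_NONE) + cffiles + cfdata


def folder_bytes(cab, folder):
    """Concatenate the CFDATA blocks of one folder; only stored (uncompressed) folders are handled."""
    pos, n_blocks, ctype = folder
    if ctype & 0x000F != COMPRESS_NONE:
        raise ValueError(f"compressed folder (type {ctype & 0xF}); decompress with cabextract/7z first")
    out = b""
    for _ in range(n_blocks):
        _csum, cb_data, _cb_uncomp = CFDATA.unpack_from(cab, pos)
        pos += CFDATA.size
        out += cab[pos:pos + cb_data]
        pos += cb_data
    return out


def extract_files(cab):
    """Return [(name, bytes)] for every CFFILE in a single cabinet, in on-disk order."""
    hdr = CFHEADER.unpack_from(cab, 0)
    sig, coff_files, n_folders, n_files, flags = hdr[0], hdr[4], hdr[8], hdr[9], hdr[10]
    if sig != MAGIC:
        raise ValueError("not a cabinet")
    if flags & RESERVE_PRESENT:
        raise ValueError("cabinets with reserve fields are not handled by this triage parser")
    folders = [CFFOLDER.unpack_from(cab, CFHEADER.size + i * CFFOLDER.size) for i in range(n_folders)]
    streams, out, pos = {}, [], coff_files
    for _ in range(n_files):
        cb_file, uoff, ifolder, _d, _t, _a = CFFILE_FIXED.unpack_from(cab, pos)
        pos += CFFILE_FIXED.size
        end = cab.index(b"\0", pos)              # szName is NUL-terminated
        name, pos = cab[pos:end].decode("latin-1"), end + 1
        if ifolder >= n_folders:                 # 0xFFFD..0xFFFF mean spanning cabinet sets
            raise ValueError("multi-cabinet sets are not handled")
        if ifolder not in streams:
            streams[ifolder] = folder_bytes(cab, folders[ifolder])
        out.append((name, streams[ifolder][uoff:uoff + cb_file]))
    return out


def walk_cabinet(cab, depth=0, max_depth=16):
    """Walk nested cabinets; returns (depth, name, size, is_cabinet) in extraction (drop) order."""
    entries = []
    for name, data in extract_files(cab):
        idx = data.find(MAGIC)                   # a dropped file may carry the next cabinet
        entries.append((depth, name, len(data), idx >= 0))
        if idx >= 0 and depth < max_depth:
            entries.extend(walk_cabinet(data[idx:], depth + 1, max_depth))
    return entries


def execution_order(entries):
    """Payloads in the order the final stage runs them: the most recently dropped first."""
    return [name for _, name, _, is_cab in entries if not is_cab][::-1]


# Constructed fixture (not a real Unfurling Hemlock sample): three levels, one payload each.
STAGE3 = build_cab([("stage3.exe", b"MZ-payload-3")])
STAGE2 = build_cab([("stage2.exe", b"MZ-payload-2"), ("inner.cab", STAGE3)])
SAMPLE = build_cab([("stage1.exe", b"MZ-payload-1"), ("nested.cab", STAGE2)])

if __name__ == "__main__":
    for depth, name, size, is_cab in walk_cabinet(SAMPLE):
        print("  " * depth + f"{name} ({size} bytes){' [cabinet]' if is_cab else ''}")
    print("execution order:", execution_order(walk_cabinet(SAMPLE)))
```

The `find(MAGIC)` heuristic exists because each dropped stage in the campaign is an executable carrying the next cabinet rather than a bare .cab; it will also fire on a payload that merely contains the string "MSCF", so treat a hit as a lead to confirm with a proper extractor, not as proof of nesting.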
From the analyzed samples, the researchers deduced that over half of all Unfurling Hemlock attacks targeted systems in the United States, while relatively high-volume activity was also seen in Germany, Russia, Turkey, India, and Canada.
Dropping multiple payloads on a compromised system gives the threat actor redundancy: if one component is detected or removed, the others remain, which improves persistence and multiplies monetization opportunities. The components identified in the analyzed samples include the following.
Redline: A popular stealer malware that extracts sensitive information such as credentials, financial data, and cryptocurrency wallets.
Amadey: A custom-made loader, sold since 2018 and used across many campaigns, whose job is to download and execute additional malware. It can disguise its C2 traffic by mimicking requests to legitimate sites.
Protection disabler: A utility designed to disable Windows Defender and other security features on the victim's system, modifying registry keys and system settings to reduce system defenses.
Enigma Packer: An obfuscation tool used to pack and hide the actual malware payloads, making malware detection and analysis more difficult for security solutions.
Performance checker: A utility to check and log the performance of the malware execution, gathering statistical information about the victim's system and the success of the infection process.
Outpost24 recommends that users scan downloaded files using up-to-date anti-virus tools before executing them, as all malware dropped in this campaign is well-documented and has known signatures.
Published on www.bleepingcomputer.com, Thu, 27 Jun 2024 22:30:26 +0000.