Shweta Sharma
Senior Writer

New campaign uses malware ‘cluster bomb’ to effect maximum impact

News
Jul 02, 2024 · 4 mins
Malware

A single infection is being used to deliver a group of similarly behaving malware using a common loader.

[Image: malware attack illustration. Credit: janews / Shutterstock]

In a newly discovered campaign, an Eastern European threat actor is found using a novel “cluster bomb” approach to package a cascading malware deployment within a single infection.

Dubbed “Unfurling Hemlock,” the actor is dropping up to 10 unique malware files on the same infected system at one go, according to research by Outpost24.

“While reviewing common TTPs in malware campaigns used last year, Outpost24’s Cyber Threat Intelligence team, KrakenLabs, came across several reports and articles describing a novel infection technique being used to distribute various types of malware not necessarily related to each other,” Hector Garcia, threat infrastructure researcher at KrakenLabs, said in a blog post. “Upon closer inspection, we found that rather than a novel distribution technique being used by various malicious actors, we might have encountered a several-month-spanning massive campaign being carried out by a single group.”

Based on the origin of the analyzed samples, the research concluded that the campaign is mostly targeting the US, Germany, and Russia.

Malware nest for maximum impact

“In this campaign, our threat intelligence team has observed what seems to be an obvious course to follow when trying to maximize benefit in a malware distribution campaign,” Garcia said. “It stands to reason that if an infection with a single malware is successful, other infections with malware of similar characteristics should also succeed.”

These kinds of infections are usually carried out by infecting the target with a loader, a RAT, or a backdoor and then dropping several types of malware, such as stealers, cryptominers, or ransomware.

Within its “cluster bomb” infections, Unfurling Hemlock has been distributing malware consisting mainly of stealers, such as Redline, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader.

The downside of such a technique, Garcia explained, is that if the loader is detected or cannot contact its C2, no further infection will occur.

From February 2023 to the beginning of 2024, the campaign distributed tens of thousands of such samples, leading to the detection of more than 50,000 cluster bombs, according to VirusTotal.

Phished emails with .cab files

The malware was distributed using cabinet (.cab) files, which are compressed archive files used in Microsoft Windows. Each compressed file contained two files: another compressed file and a malware sample. The deepest compressed file contained two malware samples, Garcia added in the blog.
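A defender-side walker for the nested-cabinet layout described above, as an added example that is not from the article or from Outpost24's research: it reads the CAB header, folder and file tables directly, descends into any member that is itself a cabinet, and counts how many payloads a single archive would drop. It assumes folders stored uncompressed (typeCompress 0) and a fixture constructed by the hypothetical build_cab helper; real samples are usually MSZIP/LZX compressed and would need extraction by a real tool first.

```python
import struct

def build_cab(files):
    """Minimal single-folder, uncompressed CAB (constructed fixture; CFDATA checksum left zero)."""
    payload, cffile, start = b"".join(files.values()), b"", 0
    for name, blob in files.items():   # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName
        cffile += struct.pack("<IIHHHH", len(blob), start, 0, 0, 0, 0x20) + name.encode() + b"\0"
        start += len(blob)
    coff_files, coff_cfdata = 44, 44 + len(cffile)   # CFHEADER (36 bytes) + one CFFOLDER (8 bytes)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload   # CFDATA: csum, cbData, cbUncomp
    hdr = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, coff_cfdata + len(cfdata), 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return hdr + struct.pack("<IHH", coff_cfdata, 1, 0) + cffile + cfdata   # one CFFOLDER, typeCompress 0

def parse_cab(data):
    """Return {member name: bytes} for a CAB whose folders are stored uncompressed (typeCompress 0)."""
    coff_files, = struct.unpack_from("<I", data, 16)
    c_folders, c_files, flags = struct.unpack_from("<HHH", data, 26)
    assert data[:4] == b"MSCF" and not flags & 7, "not a CAB, or uses reserve/prev/next header fields"
    streams, off = [], 36
    for _ in range(c_folders):         # CFFOLDER: coffCabStart, cCFData, typeCompress
        p, n_blocks, ctype = struct.unpack_from("<IHH", data, off)
        assert not ctype & 0xF, "compressed folder: extract with a real tool first"
        blob = b""
        for _ in range(n_blocks):      # concatenate raw CFDATA payloads (8-byte block header each)
            cb, = struct.unpack_from("<H", data, p + 4)
            blob, p = blob + data[p + 8:p + 8 + cb], p + 8 + cb
        streams.append(blob); off += 8
    files, off = {}, coff_files
    for _ in range(c_files):           # CFFILE entries follow the folder table
        cb, start, ifolder = struct.unpack_from("<IIH", data, off)
        end = data.index(b"\0", off + 16)
        files[data[off + 16:end].decode("latin-1")] = streams[ifolder][start:start + cb]
        off = end + 1
    return files

def walk(data, depth=0):
    """(depth, name) for every member, descending into any member that is itself a cabinet."""
    out = []
    for name, blob in parse_cab(data).items():
        out += [(depth, name)] + (walk(blob, depth + 1) if blob[:4] == b"MSCF" else [])
    return out

def payload_count(data):
    """Non-archive members across all levels; several dropped at once is the layout described above."""
    return sum(1 for _, name in walk(data) if not name.lower().endswith(".cab"))

# Constructed fixture with the reported layout (nested cabinet + one sample per level, two innermost); placeholder bytes only.
INNER = build_cab({"c.exe": b"MZ-placeholder-c", "d.exe": b"MZ-placeholder-d"})
MIDDLE = build_cab({"inner.cab": INNER, "b.exe": b"MZ-placeholder-b"})
SAMPLE = build_cab({"middle.cab": MIDDLE, "a.exe": b"MZ-placeholder-a"})
```

Running `walk(SAMPLE)` on the fixture lists the four executables across three nesting levels, which is the signal a sandbox or mail gateway can alert on before any member is executed.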

Due to the nature of the technique and the malware being used, it is very likely that the attackers do not have a specific target in mind. Instead, any system with vulnerabilities that allow it to be infected by the malware, which is distributed like cluster bombs, is considered a viable objective, regardless of its location, position, or environment.

Most of the samples, in their first stage, were detected as being sent via email to different companies or being dropped from external sites that were contacted by external loaders.

“Most of the samples were uploaded to services like VirusTotal and our systems using APIs, which is an indicator of automated security solutions detecting them,” Garcia added. “We have also observed several samples being detected and intercepted by email protection services.” These cluster bombs are simple and use well-known malware that most anti-malware solutions can detect. Users should be safe if their defenses analyze suspicious files and they avoid dangerous links and emails, the blog noted.