Carding Forum
Cybersecurity company Outpost24 has detected the activity of a new group called Unfurling Hemlock, which infects target systems with multiple malware carriers at once and distributes hundreds of thousands of malicious files.
Researchers describe this method of infection as a "malware cluster bomb": the attackers deliver a single malware sample, which then seeds further infections on the victim's machine.
According to the company, Unfurling Hemlock activity began back in February 2023, and researchers found more than 50,000 files with such "cluster bombs".
It is noted that more than half of all Unfurling Hemlock attacks were directed at systems in the United States, but relatively high activity was also observed in Germany, Russia, Turkey, India and Canada.
Attacks start with the execution of a file named WEXTRACT.EXE, which reaches target devices either through malicious emails or through malware loaders that Unfurling Hemlock has access to (the group presumably cooperates with the loaders' operators).
The malicious executable file contains nested cabinet files, each level of which contains a malware sample and another compressed file. At each stage of unpacking, some malware is installed on the victim's machine, and at the final stage, all extracted files are executed in reverse order (that is, the last extracted file is executed first).
Outpost24 experts write that they observed from four to seven stages of unpacking, that is, the amount of malware used in Unfurling Hemlock attacks varies.
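The nested-cabinet layout described above can be triaged statically: cabinet directory entries (CFFILE names) are stored in plaintext even when the file bodies are compressed, so a dropper whose embedded cabinet lists another .cab beside executables shows the multi-stage pattern before anything is extracted. The script below is an added example, not Outpost24's or the original post's code; the dropper blob and the file names in it are constructed for the demonstration.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # Cabinet CFHEADER: 36 bytes, starts with b"MSCF"
CFFOLDER = struct.Struct("<IHH")              # CFFOLDER: 8 bytes per folder
CFFILE = struct.Struct("<IIHHHH")             # CFFILE: 16 bytes, then a NUL-terminated name

def parse_cab_entries(data, base=0):
    """[(name, size)] from the CFFILE directory of the cabinet starting at `base`.
    Names stay plaintext even when file bodies are compressed, so no extraction is needed."""
    hdr = CFHEADER.unpack_from(data, base)
    sig, cb_cabinet, coff_files, n_files = hdr[0], hdr[2], hdr[4], hdr[9]
    if sig != b"MSCF" or base + cb_cabinet > len(data) or coff_files < CFHEADER.size:
        raise ValueError("no well-formed cabinet at offset %d" % base)
    entries, pos = [], base + coff_files
    for _ in range(n_files):
        cb_file = CFFILE.unpack_from(data, pos)[0]
        pos += CFFILE.size
        end = data.index(b"\x00", pos)
        entries.append((data[pos:end].decode("ascii", "replace"), cb_file))
        pos = end + 1
    return entries

def triage(data):
    """Scan a blob (e.g. a whole dropper) for cabinets; flag a .cab listed beside executables."""
    report = {"cabinets": 0, "nested_cabs": [], "executables": [], "suspicious": False}
    off = data.find(b"MSCF")
    while off != -1:
        try:
            entries = parse_cab_entries(data, off)
            report["cabinets"] += 1
            cabs = [n for n, _ in entries if n.lower().endswith(".cab")]
            exes = [n for n, _ in entries if n.lower().endswith((".exe", ".dll", ".scr"))]
            report["nested_cabs"] += cabs
            report["executables"] += exes
            report["suspicious"] |= bool(cabs and exes)
        except (ValueError, struct.error):
            pass  # stray "MSCF" bytes or a truncated header, not a real cabinet
        off = data.find(b"MSCF", off + 4)
    return report

def build_sample_cabinet(names):
    """Constructed test input: a cabinet directory (no CFDATA bodies) listing `names`."""
    files = b"".join(CFFILE.pack(1024, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in names)
    coff_files = CFHEADER.size + CFFOLDER.size
    total = coff_files + len(files)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return header + CFFOLDER.pack(total, 0, 0) + files

# Constructed stand-in for a dropper: fake PE prefix, one cabinet, then a decoy "MSCF".
SAMPLE = b"MZ" + b"\x00" * 62 + build_sample_cabinet(["stage2.cab", "stealer.exe"]) + b"MSCF"
```

The check keys on file names only, so a next-stage cabinet stored under a neutral name is still found only once the outer cabinet is actually extracted with a tool such as cabextract and rescanned.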
Dropping multiple payloads onto a compromised system at once gives the attackers a high level of redundancy, with more opportunities to gain a foothold in the system and monetize it. Despite the higher risk of detection, many hackers follow a similarly aggressive strategy, hoping that at least some of their malware will survive the cleanup of the system.
Among the Unfurling Hemlock payloads, researchers noticed: the Redline, RisePro and Mystic Stealer stealers, the custom Amadey loader, the SmokeLoader loader and backdoor, the Protection disabler utility designed to disable Windows Defender and other security solutions, the Enigma Packer tool for obfuscating and hiding payloads, the Performance checker utility used to check and log malware execution, as well as utilities that use standard Windows tools (wmiadap.exe and wmiprvse.exe) to collect system information.
Although the researchers do not go into details about how Unfurling Hemlock monetizes its attacks, it can be assumed that the group sells stealer logs and access to hacked machines to other criminals.
Apparently, Unfurling Hemlock members are located in one of the Eastern European countries. This is indicated by the presence of the Russian language in some malware samples, as well as the use of Autonomous System 203727, which is associated with hosting that is popular among hack groups in this region.