Unfurling Hemlock Tossing ‘Cluster Bombs’ of Malware
2024-06-29 05:08:34 Author: securityboulevard.com

A threat group likely from Eastern Europe has been showering victims with hundreds of thousands of malware samples, each of which will unleash as many as 10 pieces of malware simultaneously into the targeted systems.

The attacks that started early last year unfolded in a manner reminiscent of Russian nesting dolls, with the malware being distributed using compressed files known as “cabinet files,” according to researchers with KrakenLabs, Outpost24’s threat intelligence unit.

The distribution malware sample contained other compressed files with the same characteristics, which also contained other compressed files, and so on, with the pattern repeating as many as seven times, Hector Garcia, threat infrastructure researcher for KrakenLabs, wrote in a report. Each compressed file held two files – a compressed file and a malware sample. The last compressed file in this chain contained two malware samples.

As many as 50,000 files with these features have been seen in the wild worldwide, with the number of malware samples hitting the hundreds of thousands.

The researchers named the threat actor Unfurling Hemlock “because the samples distributed by them act as some sort of malware ‘cluster bomb’, where a single sample unfurls to spread several malware samples when infecting its victims,” Garcia wrote. “This appears to be a very thorough attempt to cover all bases and maximize benefit.”

Obfuscators and Disabling Tools Included

The distribution files also contained obfuscators and tools for disabling Windows Defender and similar security systems, he said, adding that some of the samples also appeared to be linked to unrelated campaigns, indicating that the cybercriminals behind Unfurling Hemlock were likely being paid per infection.

“When all of this is put together, we have a situation where the actor has a chance, with a single initial file, to steal the information from the victim, load further malware into the victim’s machine, and get paid for the infection using the malware of another group, all at the same time or any combination of the above,” Garcia wrote.

KrakenLabs researchers caught onto this while reviewing details of campaigns run last year. They read reports and articles featuring a new infection technique that was being used to distribute types of malware – like Amadey, a custom loader, and Redline, a widely used information stealer – that weren’t related to each other. They uncovered similar characteristics and found that tens of thousands of samples were involved, which changed their view: rather than a new distribution technique used by various bad actors, this was a single massive campaign spanning from February 2023 to the beginning of this year and carried out by one group.

Starting with Phishing, Malware Loaders

The Unfurling Hemlock operators launched their attacks by distributing the file named WEXTRACT.EXE, delivered through phishing emails sent to different companies, through other deception techniques, or through loaders that also dropped other kinds of malware.

From there the nesting process begins, with each compressed file launching the malware and compressed file it carries, and that compressed file launching its own malware and compressed file. Once the process is complete, the extracted files are run in reverse order, with the most recent malware executed first and then running in order back up the chain.
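The nesting pattern and reverse execution order described above can be checked mechanically during triage. The script below is an added example, not code from the report or from KrakenLabs; it assumes ZIP archives as a stand-in for the cabinet format (Python's standard library has no CAB reader) and constructs its own sample chain with one archive plus one payload per layer and two payloads in the innermost layer.

```python
import hashlib
import io
import zipfile

# ZIP stands in for the report's cabinet files (assumption: stdlib has no CAB reader).

def is_archive(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))

def unfurl(data: bytes, depth: int = 0, max_depth: int = 16) -> list:
    """Walk the chain; return [(depth, [(member_name, sha256), ...]), ...]
    with the non-archive members of each layer, descending into the nested archive."""
    if depth > max_depth:
        raise ValueError("nesting deeper than expected; stop before unpacking further")
    layers = []
    payloads = []
    inner = None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if is_archive(blob):
                inner = blob                       # the next layer of the chain
            else:
                payloads.append((name, hashlib.sha256(blob).hexdigest()))
    layers.append((depth, payloads))
    if inner is not None:
        layers.extend(unfurl(inner, depth + 1, max_depth))
    return layers

def execution_order(layers: list) -> list:
    """Extracted files run deepest layer first, then back up the chain."""
    order = []
    for _, payloads in reversed(layers):
        order.extend(name for name, _ in payloads)
    return order

def build_sample(depth: int) -> bytes:
    """Constructed sample chain: one archive + one payload per layer,
    two payloads in the innermost layer (depth 0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"payload_{depth}a.bin", b"PAYLOAD-A-%d" % depth)
        if depth == 0:
            zf.writestr(f"payload_{depth}b.bin", b"PAYLOAD-B-%d" % depth)
        else:
            zf.writestr("inner.cab", build_sample(depth - 1))
    return buf.getvalue()
```

Running `execution_order(unfurl(build_sample(3)))` lists the innermost two payloads first and the outermost last, matching the order in which the report says the dropped files execute.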

Most of the malware distributed came from five families that included Redline and Amadey. Others were Mystic Stealer, which uses the malware-as-a-service model, an increasingly popular new information stealer called RisePro, and SmokeLoader, a backdoor that has been circulating for about 10 years.

There was no set combination of what malware was executed in each attack, and some of the more recent samples of Unfurling Hemlock included a packer called Enigma, used to obfuscate the malware, and utilities for executing Windows tools to gather information about victims and about the success of the attacks.

The distributed malware also contacted several command-and-control (C2) addresses, Garcia wrote, adding that “the behavior observed by the dropped malware also reinforces the theory that, at least for some of the samples, the actor distributed samples belonging to other campaigns, most likely in exchange for a fee per infection or a similar deal.”

The United States seems to be home to just more than half of Unfurling Hemlock’s targets, followed by Germany, Russia, Turkey, India, and other countries in North America and Asia. Attacks on Western and Asian countries by Eastern European hackers are expected, though the targeting of Russia is unusual.

Maximizing Returns

Unfurling Hemlock’s practice of throwing a lot of malware at victims makes sense for cybercriminals looking to maximize returns in a malware distribution campaign, he wrote.

“It stands to reason that if an infection with a single malware is successful, other infections with malware of similar characteristics should also succeed,” Garcia wrote. “And this paradigm is usually followed by infecting the target with a loader, a RAT, or a backdoor and then dropping several types of malware, such as stealers, cryptominers, or ransomware. However, this technique has a critical point of error. If the loader is detected or is unable to contact the C2, no further infection will occur.”

Evan Dornbush, a former computer network operator with the National Security Agency (NSA) and co-founder of the cybersecurity company Point3 Security, said Unfurling Hemlock’s operations – packaging multiple malicious tools that could evade defensive technologies or, if detected, be only partially removed from infected systems – illustrate the need to support cybersecurity research.

“In other words, things the defensive community thought were solved are still able to have harmful impact,” Dornbush said. “This report highlights how both attackers and defenders incrementally improve looking at prior works.”

Source: https://securityboulevard.com/2024/06/unfurling-hemlock-tossing-cluster-bombs-of-malware/