Researchers have been tracking the activity of a newly discovered threat actor group, Unfurling Hemlock, that may have been active for a while due to finding similar characteristics in older campaigns. These threat actors have distributed over 50,000 malware samples, which infect victims’ systems with up to ten different forms of malware at a time, mainly with information stealers and loaders. Researchers have considered these to be a type of “cluster bomb” attack, where each step of the attack includes an additional form of malware.

Unfurling Hemlock’s attack begins through a phishing email or an external website that initiates contact with the malware loaders to drop the malware. Upon executing a malicious file named WEXTRACT.EXE, a chain of infections starts, and a series of nested compressed cabinet files begin to unpack malware onto the system. Researchers have found that each cabinet file includes a malware sample and the subsequent compressed file. The final compressed file contains two malware samples.

In the observed sample, Unfurling Hemlock was found to drop Mystic Stealer, Amadey, Redline, SmokeLoader, and finally, a second instance of Mystic Stealer and a utility that turns off system protections. Once the final stage has been extracted, the files execute in reverse order, starting with the utility disabling essential security features, such as Windows Defender, automatic updates, and notifications.

Recommendations

• Avoid clicking links and opening attachments in unsolicited emails.
• Confirm requests from senders via contact information obtained from verified and official sources.
• Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
• Facilitate user awareness training to include these types of phishing-based techniques.
• Maintain robust and up-to-date endpoint detection tools on every endpoint.
• Consider leveraging behavior-based detection tools rather than signature-based tools.
• Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.