While reviewing common TTPs in malware campaigns used last year, Outpost24’s Cyber Threat Intelligence team, KrakenLabs, came across several reports and articles describing a novel infection technique being used to distribute various types of malware not necessarily related to each other. For example, this article analyzing Amadey and this one talking about Redline. Upon closer inspection, we found that the samples being discussed shared a number of characteristics, and that tens of thousands of samples appeared to be involved. This made us think that rather than a novel distribution technique being used by various malicious actors, we might have encountered a massive campaign spanning several months and carried out by a single group.
The notable characteristics shared by all those samples were:
- The malware was distributed using a type of compressed files known as cabinet files
- These compressed files were given the name “WEXTRACT.EXE .MUI”
- The distribution samples contained other compressed files with the same characteristics, which in turn contained other compressed ones, with this nesting repeating up to seven times in some cases
- Each compressed file contained two files: another compressed file and a malware sample. The deepest compressed file contained two malware samples
- At least 50k files sharing these characteristics have been observed in the wild all over the world, with malware samples related to the campaign reaching the hundreds of thousands
- The distributed malware mainly consisted of stealers, such as Redline, RisePro and Mystic Stealer, and loaders such as Amadey and SmokeLoader
- While samples appeared to be distributed from various sources, a lot of them were connected to hosts within the Autonomous System 203727, an AS related to hosting services that have been widely used by Eastern European cybercriminals in the past
Introducing Unfurling Hemlock
So, what we had in our hands was likely an Eastern European group using several distribution channels to scatter hundreds of thousands of malware samples, infecting each victim with up to ten of them at the same time. We named the actor ‘Unfurling Hemlock’ because the samples distributed by them act as some sort of malware ‘cluster bomb’, where a single sample unfurls to spread several malware samples when infecting its victims. This appears to be a very thorough attempt to cover all bases and maximize benefit.
Many distribution files contained utilities designed to aid in the success of an infection, such as obfuscators and tools to disable Windows Defender and other protection systems. Furthermore, some of the samples appeared to be linked to other operations, which is a strong indicator that the actor might have been getting paid per infection. When all of this is put together, we have a situation where the actor has a chance, with a single initial file, to steal the information from the victim, load further malware into the victim’s machine, and get paid for the infection using the malware of another group, all at the same time or any combination of the above.
Within a reasonable degree of certainty, we can assume the following facts about the adversary:
- The group is based in an Eastern European country. Evidence to support this fact is the presence of the Russian language in some samples, as well as the infrastructure used to host and distribute the malware
- Judging from how the malware was distributed, it’s safe to assume that Unfurling Hemlock contracted other operators to spread the malware, mainly using loaders and email
- The actor did not seem to have a particular target and the objective of the campaign was to spread as much malware as possible to as many victims as possible
- It’s almost certain that the group’s main motivation was financial gain. Factors that brought us to this conclusion are the nature of the malware being dropped (mainly generic loaders and stealers), the massively widespread distribution, and the fact that Unfurling Hemlock was most likely spreading malware from other groups, probably in exchange for a fee.
Standard sample behavior
The distribution sample is called “WEXTRACT.EXE .MUI”, a 32-bit PE file which, upon execution, drops two files: one is a malware sample or a utility to aid the infection; the other is a file similar to its parent, itself containing two more files (a malware sample or utility, and another executable containing two more files), and so on. The amount of nesting varies from sample to sample, but we have observed up to seven cycles following this pattern.
The malware being distributed using this technique is mostly comprised of stealers, such as Redline, RisePro and Mystic Stealer, and loaders such as Amadey and SmokeLoader. Now, don’t let the name of the samples deceive you. Wextract.exe is a legitimate Windows executable used to extract a type of compressed file known as cabinet files. It’s likely that the actor is using cabinet files because they allow the automatic execution of their contents once extracted.
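As an added illustration (not code from the original post or from KrakenLabs), the following Python triage helper locates cabinet archives embedded in a WEXTRACT-style self-extracting PE and lists the files each cabinet declares, then applies the layout heuristic the post describes (exactly two files per cabinet, at least one an executable). It parses only cabinet metadata (CFHEADER and CFFILE entries, as documented in Microsoft’s cabinet format specification) and never decompresses or runs anything; the sample blob is constructed inline and is not a real dropper.

```python
"""Offline triage helper: locate Microsoft cabinet (CAB) archives embedded in a
WEXTRACT-style self-extracting PE and list the files each cabinet carries.
Only cabinet metadata (CFHEADER, CFFILE entries) is parsed; nothing is
decompressed or executed."""
import struct

CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36        # fixed part of CFHEADER
CFFOLDER_LEN = 8         # CFFOLDER without reserved bytes
CFFILE_FIXED_LEN = 16    # CFFILE fields before the null-terminated name
CFHEADER_FMT = "<4sIIIIIBBHHHHH"


def parse_cab(blob: bytes, offset: int) -> dict:
    """Parse the CFHEADER at `offset` and walk its CFFILE list.
    Raises ValueError if the bytes there are not a plausible cabinet."""
    hdr = blob[offset:offset + CFHEADER_LEN]
    if len(hdr) < CFHEADER_LEN or hdr[:4] != CAB_MAGIC:
        raise ValueError("no cabinet header at offset %d" % offset)
    # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
    # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
    (_, _, cb_cabinet, _, coff_files, _, _, _,
     c_folders, c_files, flags, _, _) = struct.unpack(CFHEADER_FMT, hdr)
    # coffFiles is relative to the cabinet start, so optional reserve fields
    # (flags & 4) and prev/next cabinet names do not change where CFFILEs begin.
    files, pos = [], offset + coff_files
    for _ in range(c_files):
        if pos + CFFILE_FIXED_LEN > len(blob):
            raise ValueError("truncated CFFILE list")
        cb_file, _, i_folder, _, _, attribs = struct.unpack(
            "<IIHHHH", blob[pos:pos + CFFILE_FIXED_LEN])
        end = blob.index(b"\x00", pos + CFFILE_FIXED_LEN)  # ValueError if unterminated
        name = blob[pos + CFFILE_FIXED_LEN:end].decode("latin-1")
        files.append({"name": name, "size": cb_file, "folder": i_folder,
                      "attribs": attribs})
        pos = end + 1
    return {"offset": offset, "size": cb_cabinet, "folders": c_folders,
            "flags": flags, "files": files}


def find_cabs(blob: bytes) -> list:
    """Return every parseable cabinet found anywhere in `blob`; a byte scan is
    enough to locate a cabinet stored in the dropper's resources."""
    found, pos = [], blob.find(CAB_MAGIC)
    while pos != -1:
        try:
            found.append(parse_cab(blob, pos))
        except (ValueError, struct.error):
            pass   # stray 'MSCF' bytes that are not a real header
        pos = blob.find(CAB_MAGIC, pos + 1)
    return found


def looks_like_cluster_bomb(cab: dict) -> bool:
    """Heuristic from the campaign description: each cabinet carries exactly
    two files, one of which is an executable (the next nest or a payload)."""
    names = [f["name"].lower() for f in cab["files"]]
    return len(names) == 2 and any(n.endswith(".exe") for n in names)


def build_stub_cab(names) -> bytes:
    """Constructed test input: a metadata-only cabinet (header, one MSZIP
    folder, CFFILE entries, no CFDATA blocks). Not a real malware sample."""
    entries = b"".join(
        struct.pack("<IIHHHH", 1024 * (i + 1), 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
        for i, n in enumerate(names))
    folder = struct.pack("<IHH", 0, 0, 1)            # coffCabStart, cCFData, MSZIP
    coff_files = CFHEADER_LEN + CFFOLDER_LEN
    total = coff_files + len(entries)
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, total, 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0x1234, 0)
    return header + folder + entries


if __name__ == "__main__":
    # Constructed stand-in for a dropper: an 'MZ' stub with a cabinet embedded inside.
    sample = b"MZ" + b"\x00" * 100 + build_stub_cab(["WEXTRACT.EXE .MUI", "payload.exe"])
    for cab in find_cabs(sample):
        print(cab["offset"], [f["name"] for f in cab["files"]],
              "cluster-bomb layout" if looks_like_cluster_bomb(cab) else "other")
```

Running it over a real dropper would let you walk the nesting by extracting the inner executable with a cabinet tool (for example 7-Zip or cabextract) and rescanning it; the heuristic alone is a triage hint, not a verdict.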
The execution order is as follows. First, all the malware is dropped, in other words, all the different compressed files are extracted until the last iteration, where no further cabinet files are left. Then, the resulting “tree” is traversed in a reverse order, first executing the latest dropped malware, then the malware dropped in the previous cycle and this is repeated up to the first one. The following shows a simplified diagram of the execution order:
In the diagram, each node has been numbered by the execution order. Nodes 1 to 4 are the binaries with the cabinet files, while nodes 5 to 9 are malware samples, such as Redline or Smokeloader. This paradigm led to some “suboptimal” execution orders, mostly in the first days of the campaign. For example, node 7 would be an executable known as healer.exe, a utility designed to deactivate Windows Defender. However, nodes 5 and 6 would be a Redline and an Amadey, meaning that Windows Defender had only been deactivated for the execution of the malware in nodes 8 and 9, potentially hindering infections.
The following image shows the execution tree of a real sample, 37b9e74da5fe5e27aaedc25e4aac7678553b6d7d89ec4d99e8b9d0627dcbdc12, as an example:
The 5th “nest” drops another nest and a sample of Smokeloader. In the image, no further connections are made since at the time of analysis, the C2 was down. However, in other cases, such as the one involving the sample 65923603a6f117c7460b8cc69009105208bdfa544b90446580915db8fe127ae8, successful connections were achieved, and several Redline samples loaded on the machine. This means that a victim is not only liable to be infected by the malware dropped following this cluster bomb approach, but the presence of loaders also exposes them to many more potential malware infections.
Analyzing the campaign
A huge distribution campaign using this method was carried out during the last year. From around February 2023 to the beginning of 2024, tens of thousands of samples were distributed this way. Some cursory searches yielded more than 50K of these cluster bombs in VirusTotal alone, each of which could potentially drop another one, or several stealers and droppers that could drop even further malware.
Some irregularities were also observed. Different samples had different amounts of nesting, usually ranging from 4 to 7 nests, and even fewer in some cases. It is possible that the detected samples with less nesting were in fact “middle” stages that were not successfully correlated with their parents, or were samples that had been reused in other infection attempts.
The malware distributed was usually from the following families, although some others were involved:
- Redline: One of the most prolific and widely adopted stealers in the world.
- Mystic Stealer: Stealer following the Malware as a Service (MaaS) model.
- RisePro: Relatively new stealer that has been gaining popularity during the last few months.
- Amadey: A custom-made loader being sold in underground forums since 2018.
- SmokeLoader: A generic backdoor that has been actively distributed and maintained for about a decade.
However, there does not seem to be a constant in the combination and order of execution of the malware. It evolved over time, most likely depending on which malware and malware combinations had the highest potential to be lucrative. We did manage to observe a certain evolution. For example, in earlier samples observed in the wild (be25926929b1aae0257d7f7614dd5ad637b8fd8e139c68f4d717e3dc9913e3cf), we found mistakes like the one described above, where the tool to disable Windows Defender was executed after some malware had already been deployed.
More recent samples also began including tools like Enigma, a packer used to obfuscate malware, and utilities that execute native Windows tools like wmiadap.exe and wmiprvse.exe, likely to collect statistical information about victims and gather information about the success of the infections. Distribution methods also varied, with samples being dropped by loaders that also dropped other kinds of malware, samples found on sites referred by other malware, or on sites with names that suggest they were used in phishing or deception campaigns.
To perform this analysis, we decided to use a fraction of the samples. Those were chosen by identifying distribution samples and following their complete execution, recording each intermediate stage and dropped malware. In total, for this exercise, more than 2,100 samples were used, extracted both from VirusTotal and our own systems. The following image is the result of plotting this fraction of the samples belonging to the campaign:
The color scheme is the same as in the example shown above, with blue nodes being the distributed samples, yellow nodes the intermediate compressed files and the red ones being the malware per se. From the initial chaos, several “patterns” can be observed. First, independent groups following the same structure as the one described in the example, with a parent and several intermediate stages each dropping a different malware. Since this is the most common occurrence in the course of the campaign, let’s do a deep dive into one of them:
It all started with the distribution sample, which was downloaded from hxxp://185.46.46.146/none/vah50.exe, after being contacted by a loader. This stage dropped a utility that basically checks the performance of the execution, and the next stage, the ‘first intermediate stage’.
Mystic Stealer
The first intermediate stage drops the second intermediate stage and a sample of Mystic Stealer. Mystic Stealer is mainly focused on data theft and can steal credentials from nearly 40 different web browsers and more than 70 browser extensions. It also targets cryptocurrency wallets, Steam, and Telegram. This stealer malware exhibits capabilities that allow it to extract a wide array of information. It is designed to collect information from infected machines such as the system hostname, username, and GUID. It also identifies a likely system user geolocation using the locale and keyboard layout. This sample contacts hxxp://193.233.255.73/loghub/master, a C2 connected to Mystic Stealer and contacted by thousands of samples belonging to this campaign.
Amadey
The second intermediate stage drops a sample of Amadey. Amadey is a botnet advertised in Russian forums since October 2018. According to some ads, the loader appears to have been originally commissioned for use by a private individual or gang, but for whatever reason, the client decided not to purchase the final product. This allegedly led its developer to offer the malware for sale publicly. The price of Amadey has fluctuated somewhat throughout time. The malware is typically available for US$600, though it is frequently offered for sale at a temporarily discounted price. The loader has been used in several well-known campaigns distributing all manner of malware, from ransomware to other loaders.
In the case of this sample, the C2 is hxxp://77.91.124.1/theme/index.php, which is contacted by several thousand samples, some belonging to this particular campaign as well as others not apparently linked to it.
Redline
The third intermediate stage in the chain drops a sample of Redline. Redline is an extremely popular stealer written in C# and discovered in March 2020. Initially, it implemented SOAP (Simple Object Access Protocol) over HTTP for its communications with the C&C. However, for a while now, it uses Net.TCP Port Sharing Protocol instead. Being a stealer, its main goal is to export all sorts of personal information, such as credentials, cryptocurrency wallets, and financial data, and upload it to the malware’s C2 infrastructure.
It’s very versatile and widely popular and has been used in countless campaigns and paired with every kind of malware, from cryptominers to ransomware. In this case, the sample sends the stolen information to tcp[:]//77.91.124.86:19084, a Redline C2 contacted by thousands of samples belonging to this campaign.
Smokeloader
The fourth compressed file drops a sample of Smokeloader. Smokeloader is a generic backdoor with a range of capabilities depending on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically, the actual download returns an HTTP 404 but still contains data in the response body.
Smokeloader has been offered for sale on Russian-language underground forums such as Exploit and XSS (formerly DamageLab) since 2011. It is currently one of the most widely used loaders in the world. In the case of this sample, the C2 is hxxp://77.91.68.29/fks/, which is contacted by thousands of samples from both this and unrelated campaigns.
Mystic Stealer + Utility
Finally, the last compressed intermediate file drops two malware samples. The first is another sample of Mystic Stealer, which contacts the same C2 as the one discussed above, hxxp://193.233.255.73/loghub/master. The other is a utility that manipulates the registry keys of the victim trying to disable system protections.
Once all intermediate stages have been extracted and all malware has been dropped, execution begins in reverse order. First, the utility disables several features, like Windows Defender, Windows Updates and notifications. Then the second sample of Mystic Stealer, Smokeloader, Redline, Amadey and the first sample of Mystic Stealer are executed in that order, and finally the performance tracking utility. If every execution is successful, the victims find themselves infected by three stealers and two loaders, which could be used to drop further malware, with their machine’s defenses disabled.
| Sample | Hash |
|---|---|
| Distribution sample | 229e859dda6cc0bc99a395824f4524693bdd0292b4b9c55d06b4fa38279b3ea2 |
| Performance checker | 8fe4d34a6a245c5acd3d1741213c1dd195468089b1a3fe80adfa6d8d8c94f2d8 |
| First intermediate stage | fd7a9b8e52e2fbcb090d5f5046a73d6e42b421abf063083210889f3fcb47dee0 |
| Mystic Stealer 1 | 35c55b402e770e25adf57ffbd408a428af9ce21a735474b5d94ccdd4123e68f8 |
| Second intermediate stage | 5697652d0fd5b4a05ac00f6ec028fd3dc3e34ed7b112c4b8c6048eae72a8d326 |
| Amadey | edfb4374d5c586f0690c95ff8cacb36bda6fb4743f20dda5e6f17e7e241edd47 |
| Third intermediate stage | da4f614c983fa226d813de390937389ae4d1e043dd86524aa7a5246fd587826b |
| Redline | 7d18c67c13ec919f3950092319d11eda129c8498e171612e681eebf1c977493d |
| Fourth intermediate stage | 0c48529d2979698341e89d6ea5f7e9211fa277e40d3f6a55a8996135944ebdad |
| SmokeLoader | 80df101f1f93fa53b3dcbc315d3ec5d8c8330c08b5622ac3207f746d016b66dc |
| Fifth intermediate stage | 7f101603fbb2821504cf2c71fca0450689dfcd6d1f36e57e27f0392be0f2d1dd |
| Mystic Stealer 2 | 1f224093b9557dd73caaf1c6a823028c286ddd3414bceb0860e0fe084fb8c2ab |
| Protection disabler | 301a1c9f4e82fc8f57577ea399a2591557ff57d337472c3f8482a89c5b4105d5 |
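To make the “drop everything first, then execute in reverse” rule concrete, here is an added Python model (not code from the original post or from KrakenLabs) of the chain above. It builds the nests from the stage names used in the deep dive and in the earlier diagram (stage and payload names are constructed labels, not hashes), derives the execution order as the reverse of the drop order, and reports which payloads ran before the protection-disabling utility, which is exactly the “suboptimal” ordering seen in the early healer.exe samples.

```python
"""Model of the drop-then-execute-in-reverse behaviour of a nested WEXTRACT
chain, used to check which payloads run while protections are still enabled."""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Nest:
    """One self-extracting stage. `drops` lists what it writes to disk, in drop
    order: normally a payload followed by the next nest; the deepest nest holds
    two payloads instead."""
    name: str
    drops: List[Union[str, "Nest"]] = field(default_factory=list)


def drop_order(nest: Nest) -> List[str]:
    """Extraction phase (top-down): each cabinet is unpacked as soon as it is
    encountered, so the payloads land on disk in pre-order."""
    order = []
    for item in nest.drops:
        if isinstance(item, Nest):
            order.extend(drop_order(item))
        else:
            order.append(item)
    return order


def execution_order(nest: Nest) -> List[str]:
    """Execution phase: the last payload dropped runs first, then the rest in
    reverse, ending with the distribution sample's own payload."""
    return list(reversed(drop_order(nest)))


def run_before(order: List[str], disabler: str) -> List[str]:
    """Payloads that execute before the protection-disabling utility, i.e. with
    Windows Defender still active. Empty when the disabler runs first."""
    if disabler not in order:
        return list(order)
    return order[:order.index(disabler)]


# Constructed from the deep dive above (stage names, not hashes).
DEEP_DIVE = Nest("distribution sample", [
    "performance checker",
    Nest("first intermediate stage", [
        "Mystic Stealer 1",
        Nest("second intermediate stage", [
            "Amadey",
            Nest("third intermediate stage", [
                "Redline",
                Nest("fourth intermediate stage", [
                    "SmokeLoader",
                    Nest("fifth intermediate stage", [
                        "Mystic Stealer 2",
                        "protection disabler",
                    ]),
                ]),
            ]),
        ]),
    ]),
])

# Constructed from the early-sample diagram: healer.exe (node 7) sits one
# level above the Redline/Amadey nest, so those two run before it.
EARLY_SAMPLE = Nest("node 1", [
    "payload 9",
    Nest("node 2", ["payload 8",
        Nest("node 3", ["healer.exe",
            Nest("node 4", ["Amadey", "Redline"])])]),
])

if __name__ == "__main__":
    for label, chain, disabler in (("deep dive", DEEP_DIVE, "protection disabler"),
                                   ("early sample", EARLY_SAMPLE, "healer.exe")):
        order = execution_order(chain)
        print(label, "->", " > ".join(order))
        print("  ran with Defender still on:", run_before(order, disabler))
```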
Going back to Figure 3, we can observe several outliers, with some chains where the intermediate stages do not drop any malware, or there is only one iteration of the campaign’s characteristic loop. This is most likely because the sampling was mainly done using time constraints, so the pool may have been tainted by some intermediate samples, some broken ones, and some that have been repackaged and modified.
However, what’s most striking about the graph is the huge clustering observed in the middle, with malware samples being dropped by dozens of compressed parents. These are, mainly, utilities to assist in the infection and hinder detection. Some of the most prevalent are Enigma, a packer usually used to obfuscate payloads, and Healer, a utility used to disable Windows Defender.
Then, there is the lighter clustering where some middle stages and malware are shared by a few parents. For example, as shown in Figure 5, several of the malware shared among various intermediate stages and distribution samples are stealers such as RisePro.
All this clustering, together with the fact that the infrastructure seems to be mostly contained within the same ASN, supports the idea that this campaign was perpetrated by a single actor.
How was the distribution carried out?
From the pool of samples analyzed, most of the first stages were detected being sent via email to different companies or being dropped from external sites that were contacted by external loaders.
With the sample 94115d0eae0422b6605f0f25841c29b7cc6c029472a983b21d1cedcd7fdcd647 as an example:
This sample was downloaded from hxxp://5.42.92.93/39902/from.exe, which was contacted by 0ef7459cebfe9bd9102c5eccc16eedddec5931e69bf705aa44aa3c7af584f209, a loader downloaded from hxxp://globalsystemperu.com/forms/gate4.exe, a site that appears to be either fake or compromised. This site is related to downloads of other malware completely unrelated to the campaign being discussed here.
Loaders like the one in the diagram, as well as WEXTRACT samples, have also been detected by email protection services. This, coupled with the fact that the initial site is related to completely independent campaigns, makes us suspect that Unfurling Hemlock is likely purchasing malware distribution services from other actors.
The following are just some examples of other URLs contacted in a similar fashion to download WEXTRACT:
- hxxp://77.91.124.130/gallery/photo_570.exe
  - URL and IP used exclusively to download WEXTRACT samples
  - URL contacted by samples both related and unrelated to WEXTRACT
- hxxp://109.107.182.3/love/bongo.exe
  - URL and IP used exclusively to download WEXTRACT samples
  - URL contacted by samples both related and unrelated to WEXTRACT
  - IP used to distribute other malware (other paths)
- hxxp://77.91.68.21/nova/foxi.exe
  - URL used exclusively to download WEXTRACT samples
  - URL contacted by samples related to WEXTRACT
  - IP used to distribute other malware (other paths)
- hxxp://109.107.182.45/red/line.exe
  - URL and IP used exclusively to download WEXTRACT samples
  - URL contacted by samples both related and unrelated to WEXTRACT
  - IP used to distribute other malware (other paths)
- hxxp://109.107.182.3/some/love.exe
  - URL used exclusively to download WEXTRACT samples
  - IP used to distribute other malware (other paths)
- hxxp://5.42.92.93/i/smo.exe
  - URL and IP used exclusively to download WEXTRACT samples
  - URL contacted by samples both related and unrelated to WEXTRACT
Most of the infrastructure is located in AS 203727 (Daniil Yevchenko), which is notoriously used by cybercriminals to host malicious material. Some IPs appear to be exclusive to the distribution of WEXTRACT while others host other malware, supporting the idea that, while the actor seems to be a single individual or group, infection and distribution might be delegated to other parties.
What was contacted?
As seen in the deep dive of an infection loop shown above, the distributed malware made connections to several command and control addresses. Here are some C2 URLs and IP Addresses contacted by certain samples associated with this campaign.
- host-file-host6.com
  - URL contacted by malware not exclusively related to WEXTRACT
- host-file-host8.com
  - URL contacted by malware not exclusively related to WEXTRACT
- 185.215.113.68/theme/index.php
  - URL contacted by malware not exclusively related to WEXTRACT
- 77.91.124.1/theme/index.php
  - URL mostly contacted by malware related to WEXTRACT
- 77.91.124.20/store/games/index.php
  - URL and IP mostly contacted by malware related to WEXTRACT
- 176.113.115.145:4125
  - IP only contacted by malware related to WEXTRACT
- 176.123.7.190:32927
  - IP only contacted by malware related to WEXTRACT
- 89.23.100.93
  - IP contacted by malware not exclusively related to WEXTRACT
- 195.123.218.98
  - IP mostly contacted by samples related to WEXTRACT
- 31.192.237.75
  - IP mostly contacted by samples related to WEXTRACT
- 193.233.132.12
  - IP contacted by malware not exclusively related to WEXTRACT
- 185.161.248.142
  - IP mostly contacted by samples related to WEXTRACT
- 194.169.175.235
  - IP mostly contacted by samples related to WEXTRACT
- 20.79.30.95
  - IP contacted by malware not exclusively related to WEXTRACT
- 185.172.128.79
  - IP contacted by malware not exclusively related to WEXTRACT
The behavior observed by the dropped malware also reinforces the theory that, at least for some of the samples, the actor distributed samples belonging to other campaigns, most likely in exchange for a fee per infection or a similar deal.
Who was targeted?
The origin of the analyzed samples is shown in the table below. However, it’s worth remembering that these are the countries from which the samples were uploaded to VT and our own systems, and not necessarily the country where the infection took place:
| Country | Percent |
|---|---|
| United States | 50.8% |
| Germany | 7.8% |
| Russia | 6.3% |
| Turkey | 6.3% |
| India | 3.9% |
| Canada | 2.8% |
| Czechia | 2.4% |
| China | 2.3% |
| Spain | 2.0% |
| South Korea | 1.2% |
| Other | 20.5% |
Targeting of western institutions is par for the course when talking about massive malware distribution campaigns by Eastern European groups, so it’s no surprise that the top two sources are the US and Germany. The presence of Asian and Middle Eastern countries is also expected if we consider that, as is most likely, the actor purchased infections from several distributors, some of which specialize in or offer services in those regions.
What is unusual is the presence of Russia among the targeted countries. Usually, actors from the region avoid targeting members of the Commonwealth of Independent States (CIS), since Russian authorities tend not to prosecute cybercrime if it does not affect their territory or that of their allies. The presence of the country could be explained by several factors. It could be that some of the distributors used by Unfurling Hemlock were not based in a CIS member country, so the restrictions did not apply. It is also possible that samples uploaded from Russia were uploaded through proxies to hide their real origin, or by security solutions that are based in that country. Probably, it is a combination of all the above.
Most of the samples were uploaded to services like VirusTotal and our systems using APIs, which is an indicator of automated security solutions detecting them. We have also observed several samples being detected and intercepted by email protection services. At first glance, it appears that the main targets are companies and other private institutions, but this could be a case of survivorship bias. Usually, it’s this kind of organization that will have systems with malware hunting capabilities that upload samples, while private individuals are less likely to do so.
By the nature of the technique and the malware being used, it’s highly probable that there is not a particular target in the minds of the attackers, and that any system flawed enough to be infected by the malware contained within the “cluster bombs” is a viable objective, regardless of location, position, and environment.
Analysis from KrakenLabs
In this campaign, our threat intelligence team has observed what seems to be an obvious course to follow when trying to maximize benefit in a malware distribution campaign. It stands to reason that if an infection with a single piece of malware is successful, other infections with malware of similar characteristics should also succeed. This paradigm is usually followed by infecting the target with a loader, a RAT, or a backdoor and then dropping several types of malware, such as stealers, cryptominers, or ransomware. However, this technique has a critical point of failure: if the loader is detected or is unable to contact the C2, no further infection will occur.
What we observed in this campaign is a way to work around this issue. Once the file is in the victim’s system, all of it will be deployed. This ensures that at least one attempt at infection will be made with each malware contained in the sample. This can also be used to introduce redundancy by, for example, adding several different loaders to increase the chances of a successful connection and then dropping more malware, thereby maintaining the flexibility provided by the classical technique. It also allows the “diversification” of benefits, where the actor can, with a single file, infect a victim with their malware while also distributing other groups’ malware for a fee, and even dropping loaders and RATs and selling accesses. Finally, it is also very useful as a “saving” strategy, since malware distribution can be a costly endeavor when working with high volumes.
After what we have seen in this campaign, it’s likely that this technique, or a similar one might gain popularity in the future and be used by other groups. In fact, while working on this piece, we found out that researchers from ANY.RUN documented a very similar campaign, dubbing the malware CrackedCantil. Furthermore, although it appears that the number of samples is greatly reduced and the campaign is no longer active, this does not mean that the actor has ceased operations. They might have moved to another infrastructure and evolved their technique or might be dormant preparing to launch a similar attack in the near future.
So, how can potential victims protect themselves against this kind of threat? At the end of the day, these “cluster bombs” are not very complex, nor do they show a high degree of sophistication regarding obfuscation and anti-analysis techniques, and most of the malware dropped and executed on victims’ machines is very widely known and documented. They’re easily detected by most anti-malware solutions and protection services. Hence, as long as your defenses are capable of analyzing the contents of compressed files and/or executing suspicious software, and end users apply common sense, never downloading, opening, or executing anything from suspicious sites and emails, they should be protected against this technique.
Outpost24’s KrakenLabs will continue to analyze new malware samples as part of our Threat Intelligence solution, which can retrieve compromised credentials in real-time to prevent unauthorized access to your systems. Get in touch to find out how Outpost24’s Threat Intelligence could fit in with your organization.
Source: https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/