Hacker Group Mounts Simultaneous Attack on Systems with 10 Malware

A recent global malware campaign has attracted the attention of cybersecurity researchers. The campaign distributes malware through artificially nested files named ‘WEXTRACT.EXE .MUI’ and has affected more than 50,000 files worldwide. The nested files deliver various stealers and loaders such as Redline, RisePro, and Amadey.

One of the key findings of the researchers is that several samples associated with this malware campaign are linked to an Eastern European cybercriminal-linked Autonomous System. This suggests that there may be a single group responsible for orchestrating this massive distribution of malware.

Outpost24, a cybersecurity research firm, recently discovered that a new hacker group has been launching attacks using multiple malware samples simultaneously. This tactic is made possible by the ‘WEXTRACT.EXE .MUI’ distribution system, which employs nested cabinet files to deliver a variety of malware, including stealers and loaders.

The complexity of this distribution system lies in its execution sequence, which drops and runs malware in reverse order. This method could potentially bypass security measures and result in multiple infections, as the loaders may download additional malware. The malware campaign, which began in February 2023 and continued into 2024, has evolved over time to include multiple malware families such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.
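As an added illustration (not code from the article or from Outpost24), the following Python parses the Microsoft cabinet format the nested files use and walks any cabinet stored inside another, returning every file the chain would drop together with its nesting depth, so a triage analyst can see how many payloads one sample carries; the deepest entries are the ones a reverse-order chain like the one described above runs first. It assumes uncompressed (stored) folders without reserve or prev/next-cabinet header fields, and the three-level sample chain and its file names are constructed placeholders.

```python
import struct
CFHDR = "<IIIIIBBHHHHH"  # CFHEADER fields that follow the 'MSCF' signature

def build_cab(files):
    """Minimal one-folder cabinet with uncompressed storage; used here only to construct sample input."""
    blob = b"".join(d for _, d in files)
    cffile, off = b"", 0
    for name, d in files:                   # one CFFILE record per dropped file
        cffile += struct.pack("<IIHHHH", len(d), off, 0, 0, 0, 0x20) + name.encode() + b"\0"
        off += len(d)
    coff_files = 36 + 8                     # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(blob), len(blob)) + blob   # single CFDATA block
    hdr = b"MSCF" + struct.pack(CFHDR, 0, coff_data + len(cfdata), 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return hdr + struct.pack("<IHH", coff_data, 1, 0) + cffile + cfdata

def list_cab(data, depth=0):
    """(depth, name, size) for each dropped file, recursing into stored cabinets; assumes uncompressed folders."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet")
    _, _, _, coff_files, _, _, _, n_folders, n_files, _, _, _ = struct.unpack_from(CFHDR, data, 4)
    streams, pos = [], 36                   # each folder's reassembled uncompressed byte stream
    for _ in range(n_folders):
        coff_start, n_cfdata, comp = struct.unpack_from("<IHH", data, pos)
        pos += 8
        if comp & 0xF:                      # MSZIP/LZX/Quantum folder: listed but not descended into
            streams.append(None)
            continue
        p, out = coff_start, b""
        for _ in range(n_cfdata):           # concatenate the folder's CFDATA payloads
            _, cb_data, _ = struct.unpack_from("<IHH", data, p)
            out, p = out + data[p + 8:p + 8 + cb_data], p + 8 + cb_data
        streams.append(out)
    entries, pos = [], coff_files
    for _ in range(n_files):
        size, uoff, i_folder, _, _, _ = struct.unpack_from("<IIHHHH", data, pos)
        end = data.index(b"\0", pos + 16)
        name = data[pos + 16:end].decode("latin-1")
        entries.append((depth, name, size))
        stream = streams[i_folder] if i_folder < len(streams) else None
        if stream is not None and stream[uoff:uoff + 4] == b"MSCF":   # nested cabinet: recurse
            entries.extend(list_cab(stream[uoff:uoff + size], depth + 1))
        pos = end + 1
    return entries

def sample_nested_cab():
    """Constructed three-level chain with placeholder names; not a real sample from the campaign."""
    inner2 = build_cab([("stage3.exe", b"MZ" + b"\0" * 14)])
    inner1 = build_cab([("stage2.exe", b"MZ" + b"\0" * 30), ("nested2.cab", inner2)])
    return build_cab([("stage1.exe", b"MZ" + b"\0" * 62), ("nested1.cab", inner1)])
```

Sorting the returned entries by depth, deepest first, gives the order in which such a chain would hand control to its payloads.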

Through an examination of over two thousand samples, researchers have identified instances where victims could be infected by multiple stealers and loaders simultaneously. This suggests that the campaign is orchestrated by a single actor who is behind the infrastructure and tactics used in this operation.

The malware campaign, known as “Unfurling Hemlock”, has been found to purchase distribution services from other actors. The campaign initially spread through email attachments and downloads from compromised websites. The infrastructure, primarily based on AS 203727, uses both exclusive and shared IPs to distribute malware.

While the malware campaign uses different C2 URLs and IP addresses, researchers believe that there is a single actor responsible for the campaign who delegates distribution aspects to others. The diversity in infrastructure supports the theory that the actor may be supplying samples from other campaigns for financial gain.

The infection sources span multiple countries. Unusually, the campaign targets Western institutions, including those in Russia, a departure from the usual pattern of malware attacks. This tactic, known as the “cluster bomb” method, launches different types of malware simultaneously to increase the chances of infection and diversify the potential payoff.

To mitigate the risk of infection, researchers recommend using the latest anti-malware tools, analyzing packed files, and exercising caution with suspicious downloads and emails. As threat actors continue to evolve their tactics, it is crucial for organizations and individuals to remain vigilant in protecting their systems and data from cyber threats.
