Unfurling Hemlock: Threat group uses cluster bomb campaigns

July 1, 2024, 11:17 a.m.

Description

A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing additional malware payloads. The distributed malware includes stealers like Redline, RisePro, and Mystic Stealer, as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.

Date

Published: July 1, 2024, 10:54 a.m.

Created: July 1, 2024, 10:54 a.m.

Modified: July 1, 2024, 11:17 a.m.

Indicators

Attack Patterns

Mystic Stealer

Amadey - S1025

SmokeLoader

Redline

RisePro

Unfurling Hemlock

T1197 (BITS Jobs)

T1027.002 (Obfuscated Files or Information: Software Packing)

T1071 (Application Layer Protocol)

T1543 (Create or Modify System Process)

T1055 (Process Injection)

T1036 (Masquerading)

T1140 (Deobfuscate/Decode Files or Information)

T1027 (Obfuscated Files or Information)

T1195 (Supply Chain Compromise)

T1566 (Phishing)

T1003 (OS Credential Dumping)

T1059 (Command and Scripting Interpreter)