A malware campaign of huge magnitude, perhaps run by a single group, is distributing artificially nested files named ‘WEXTRACT.EXE .MUI’.
More than 50,000 files worldwide use this method and deliver different stealers and loaders such as Redline, RisePro, and Amadey.
Several samples are associated with an Autonomous System linked to Eastern European cybercriminals.
Cybersecurity researchers at Outpost24 recently observed that a new hacker group has been infecting systems with 10 malware samples at the same time.
10 Malware At Same Time
The “WEXTRACT.EXE .MUI” distribution system uses nested cabinet files to deliver a number of malware samples, including stealers and loaders.
The method’s complex execution sequence drops and runs the malware in reverse order, which may let it bypass security controls.
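The nested-cabinet structure described above is something a defender can look for directly: a carrier that contains a Microsoft cabinet (CFHEADER, magic "MSCF") whose byte range in turn contains further cabinets is exactly the "cabinet inside a cabinet" layout the campaign relies on. The following script is an added example, not code from the original article or from Outpost24; it scans a buffer for plausible CFHEADERs, validates the declared size against the buffer, computes how deeply each cabinet is nested, and lists cabinets innermost-first to mirror the reverse drop order the article mentions. The sample input is a constructed header-only mock-up (no real CFFOLDER/CFFILE records), not a real WEXTRACT artifact.

```python
import struct
from dataclasses import dataclass

# Layout of a CAB CFHEADER (36 bytes, little-endian), per the Microsoft
# cabinet format: signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CAB_MAGIC = b"MSCF"


@dataclass
class Cabinet:
    offset: int      # where the CFHEADER starts in the scanned buffer
    size: int        # cbCabinet: declared length of the cabinet in bytes
    files: int       # cFiles: number of CFFILE entries it claims to hold
    depth: int = 1   # 1 = top level, 2 = cabinet inside a cabinet, ...


def parse_cfheader(data: bytes, off: int):
    """Return a Cabinet for a plausible CFHEADER at `off`, else None."""
    if off + CFHEADER.size > len(data):
        return None
    sig, _, cb, _, coff_files, _, vmin, vmaj, _, cfiles, *_ = CFHEADER.unpack_from(data, off)
    # "MSCF" alone is a weak signal: require the 1.3 version bytes and a
    # declared size that actually fits inside the buffer being scanned.
    if sig != CAB_MAGIC or (vmaj, vmin) != (1, 3):
        return None
    if cb < CFHEADER.size or off + cb > len(data) or coff_files > cb:
        return None
    return Cabinet(off, cb, cfiles)


def find_cabinets(data: bytes):
    """Locate every embedded CFHEADER in `data` and compute its nesting depth."""
    cabs = []
    pos = data.find(CAB_MAGIC)
    while pos != -1:
        cab = parse_cfheader(data, pos)
        if cab is not None:
            cabs.append(cab)
        pos = data.find(CAB_MAGIC, pos + 1)
    # A cabinet is nested inside another if its byte range lies within the other's.
    for inner in cabs:
        inner.depth = 1 + sum(
            1 for outer in cabs
            if outer is not inner
            and outer.offset <= inner.offset
            and inner.offset + inner.size <= outer.offset + outer.size
        )
    return cabs


def nesting_depth(data: bytes) -> int:
    """0 = no cabinet found; 2 or more = the nested layout worth flagging."""
    return max((c.depth for c in find_cabinets(data)), default=0)


def drop_order(data: bytes):
    """Cabinet offsets ordered innermost-first, the reverse order the article describes."""
    return [c.offset for c in sorted(find_cabinets(data), key=lambda c: -c.depth)]


# --- Constructed sample (hypothetical, not a real WEXTRACT artifact) --------
def _fake_cab(payload: bytes, n_files: int) -> bytes:
    """Build a header-only cabinet wrapper around `payload` for demonstration."""
    size = CFHEADER.size + len(payload)
    return CFHEADER.pack(CAB_MAGIC, 0, size, 0, CFHEADER.size, 0, 3, 1, 1, n_files, 0, 0, 0) + payload


INNER = _fake_cab(b"<stealer-payload>", 2)                   # deepest layer
OUTER = _fake_cab(b"\x00" * 8 + INNER + b"<loader-payload>", 3)
SAMPLE = b"MZ" + b"\x90" * 64 + OUTER + b"\x00" * 16          # fake PE-like carrier

if __name__ == "__main__":
    for c in find_cabinets(SAMPLE):
        print(f"CAB at 0x{c.offset:x}: {c.size} bytes, {c.files} files, depth {c.depth}")
    print("nesting depth:", nesting_depth(SAMPLE))
    print("drop order (offsets):", drop_order(SAMPLE))
```

Run against a real suspect file by reading it into `data` and calling `nesting_depth(data)`; a result of 2 or more is the signal to hand the file to a sandbox or to unpack each layer with a cabinet tool and inspect the embedded executables. The size check matters in practice: packed executables and resource sections can contain the four bytes "MSCF" by chance, and without validating the declared length the scanner would report phantom cabinets.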
The technique can lead to multiple infections, since the loaders may download further malware.
From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.
The campaign developed over time, incorporating obfuscation tools and different distribution methods.
An examination of over 2,100 samples revealed malware combinations in which victims could be infected by several stealers and loaders simultaneously.
This suggests that a single actor was behind the infrastructure and tactics of this campaign.
It is likely that the campaign, dubbed “Unfurling Hemlock”, buys distribution services from other actors.
Its earliest stages relied on email attachments and downloads from compromised or fake websites.
The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.
This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.
The campaign uses a range of C2 URLs and IP addresses, some specific to the WEXTRACT-related malware and others shared with other campaigns.
This diversity of infrastructure supports the view that the actor may also be supplying samples from other campaigns, likely for financial gain.
While upload locations do not necessarily indicate the actual infection sites, the infection sources span several countries.
The countries observed are listed below:
Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.
The operation launches several types of malware at once to increase the likelihood of infection and diversify the potential payoff.
Though not highly sophisticated, this “cluster bomb” method may be adopted by other threat actors in the future.
Researchers recommend using up-to-date anti-malware tools, analysing packed files, and keeping users alert to suspicious downloads and emails.