Hackers are now using 'malware cluster bombs' in their attacks — how to stay safe


Having your computer infected with malware is bad enough, but imagine if hackers could drop ten different malware strains onto your PC at the same time. A newly documented hacker group is doing just that.

As reported by BleepingComputer, a threat actor known as Unfurling Hemlock has begun infecting vulnerable systems with what security researchers at KrakenLabs are calling “malware cluster bombs”.

According to a new blog post, Unfurling Hemlock has already launched these so-called malware cluster bomb attacks in 10 countries around the world, though the majority of them appear to be aimed at targets in the U.S. The attacks began back in February of last year and are easy to attribute to the group because of their distinctive packaging and distribution method.

Here’s everything you need to know about these malware cluster bomb attacks along with some steps you can take to avoid falling victim to one.

Dropping a malware bomb


The initial malware used in these attacks is distributed through malicious emails or through malware loaders run by other criminals whom Unfurling Hemlock pays to deliver it. Either way, a malicious executable named “WEXTRACT.EXE” ends up on the potential victim’s computer. One caveat for anyone hunting for it: WEXTRACT.EXE is also the name of Microsoft’s own Win32 Cabinet Self-Extractor, so the file name alone is not a reliable indicator of compromise; the contents and behavior of the file are what matter.

This executable is the malware cluster bomb itself: it contains nested compressed cabinet files, and each level holds a different malware sample plus, in most cases, another compressed file that repeats the pattern one layer down. Unpacking on the victim’s computer therefore proceeds outward in, with each layer dropping a different malware variant.

When the innermost layer is reached, all of the extracted files are executed in reverse order, so the most recently extracted (innermost) malware runs on the targeted device first and the outermost runs last. According to KrakenLabs’ researchers, each of these malware cluster bombs has between four and seven stages, so the number of malware samples inside one varies.

As for the types of malware dropped by one of Unfurling Hemlock’s attacks, a single cluster bomb can contain info-stealers, botnet clients and backdoors. KrakenLabs has observed the Redline stealer alongside many other widely used malware strains in these attacks.
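To make the nested layout and the reverse execution order concrete, here is an added triage helper that is not code from this article or from KrakenLabs. It builds a constructed nested archive, unpacks it layer by layer, records a hash for each dropped payload, and reports the order in which the payloads would run. The real droppers use CAB self-extractors; because Python’s standard library has no CAB writer, the layers are modelled with ZIP archives, and the inner-archive file name, the payload names and the payload bytes are all assumptions made for the example.

```python
"""Triage helper for a nested-archive dropper ("cluster bomb" layout).

Added example, not code from the article or from KrakenLabs. The nested
layers are modelled with ZIP archives (assumption: the standard library has
no Cabinet writer); the real samples use CAB self-extractors. Payload names
and bytes are constructed for the example.
"""
import hashlib
import io
import zipfile

# Assumed convention for this example: the archive nested inside each layer
# is stored under this name; everything else in a layer is a dropped payload.
INNER = "inner.bin"

# Constructed sample: four payloads, listed in the order a dropper would
# extract them (outermost layer first). The bytes are dummies, not malware.
SAMPLE_PAYLOADS = [
    ("stealer_a.exe", b"MZ" + b"A" * 40),
    ("bot.exe", b"MZ" + b"B" * 40),
    ("backdoor.exe", b"MZ" + b"C" * 40),
    ("stealer_b.exe", b"MZ" + b"D" * 40),
]


def build_sample_bomb(payloads):
    """Wrap payloads into one nested archive and return the outer bytes.

    The last payload becomes the innermost layer, so we build from the
    deepest level outward, embedding the previous archive as INNER.
    """
    blob = None
    for name, data in reversed(payloads):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
            if blob is not None:
                zf.writestr(INNER, blob)
        blob = buf.getvalue()
    return blob


def unpack_stages(blob, max_depth=16):
    """Unpack layer by layer; return stages in extraction order (outer first).

    Each stage is a dict with depth, name, size and sha256 of one payload.
    max_depth bounds the recursion so a malformed or deliberately deep
    archive cannot keep the triage tool unpacking forever.
    """
    stages = []
    depth = 0
    while blob is not None:
        if depth >= max_depth:
            raise ValueError("nesting deeper than %d layers" % max_depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            inner = zf.read(INNER) if INNER in names else None
            for name in names:
                if name == INNER:
                    continue
                data = zf.read(name)
                stages.append({
                    "depth": depth,
                    "name": name,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
        blob = inner
        depth += 1
    return stages


def execution_order(stages):
    """Payloads run innermost first: the reverse of extraction order."""
    return [s["name"] for s in reversed(stages)]


if __name__ == "__main__":
    bomb = build_sample_bomb(SAMPLE_PAYLOADS)
    found = unpack_stages(bomb)
    print("%d stages extracted" % len(found))
    for s in found:
        print("  depth %d  %-14s %4d bytes  %s" % (s["depth"], s["name"], s["size"], s["sha256"][:16]))
    print("execution order:", " -> ".join(execution_order(found)))
```

Run against a real sample you would swap the ZIP handling for a CAB extractor and point the script at the dropped files; the per-payload hashes are what you feed to your threat-intelligence lookups, and the depth count is a quick sanity check against the four-to-seven-stage range the researchers describe.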

While KrakenLabs didn’t cover how Unfurling Hemlock is making money from these attacks, BleepingComputer believes that the group could be harvesting sensitive data using info-stealing malware and then selling this information off to other hacker groups.

How to stay safe from malware


When it comes to staying safe from malware in general and with these cluster bomb-style attacks, the most important thing you can do is to be extra careful when downloading files online. Whether it's an attachment in a phishing email or an executable from a dodgy site, you shouldn’t be downloading or opening any file from a non-trusted source.

However, hackers use all kinds of different tactics from social engineering to creating a fake sense of urgency to get you to respond to their messages or to download and open suspicious files. This is where the best antivirus software can help.

When you do download something suspicious, your antivirus should flag the file and warn you that it’s dangerous, though no scanner catches everything, which is why avoiding untrusted downloads in the first place matters. Paid antivirus software often comes with useful extras like a VPN or a password manager, but Microsoft’s built-in antivirus software should be able to stop most threats. You just need to make sure that Microsoft Defender Antivirus (formerly Windows Defender) is enabled on your PC, which it should be, as it’s turned on by default and only switches itself off when another antivirus product takes over.

Hackers are always coming up with new attack methods and these malware cluster bombs are one of the most interesting ones I’ve seen in quite some time. However, if you’re careful online, avoid downloading files from unknown sources and keep your PC and the software on it up to date, you should be able to avoid ending up with a nasty malware infection.
