A new financially motivated threat actor, tracked by FireEye Experts as UNC2529, has targeted many organizations in the United States and other countries using several new pieces of malware.
The group targeted the organization with phishing attacks aimed at spreading at least three new sophisticated malware strains. The attackers, who appear experienced and well resourced, employed custom lures and showed a professionally coding of their malware.
FireEye’s Mandiant unit observed two distinct waves of attacks carried out by the cybercrime group in December 2020.
The three new malware families employed in the attacks are tracked as DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK.
The first wave of attacks aimed at 28 organizations, while at least other 22 entities were hit in the second wave, most of them in the US. The phishing messages include links to a malicious website that serves the malware, experts pointed out that the emails had subject lines that were customized for each targeted organization.
“UNC2529 displayed indications of target research based on their selection of sender email addresses and subject lines which were tailored to their intended victims.” states the analysis published by FireEye. “For example, UNC2529 used a unique username, masquerading as an account executive for a small California-based electronics manufacturing company, which Mandiant identified through a simple Internet search.”
At the time of the report, although Mandiant has no evidence about the purposes of the attacks, the broad targeting across multiple industries and the choosing of targets of a global scale, suggests that the attackers could be financially motivated.
The groups targeted organizations in the business services, financial, health, retail/consumer, aero-military, engineering and manufacturing, government, education, transportation, and utilities industries.
The analysis of the malware strains involved in the attacks revealed that DOUBLEDRAG is a first-stage payload used to download additional threats. In some attacks, the threat actors used weaponized Excel documents as a downloader.
Upon executing DOUBLEDRAG, it will connect to a C&C server and fetch the PowerShell script DOUBLEDROP, a memory-only dropper that deploys the DOUBLEBACK backdoor.
“Once executed, DOUBLEDRAG reaches out to its C2 server and downloads a memory-only dropper. The dropper, DOUBLEDROP, is implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the backdoor DOUBLEBACK.” continues the report.
Experts pointed out that attackers made extensive use of obfuscation and fileless malware to evade the detection. The backdoor employed in the attack is very sophisticated and it is designed to extend its capabilities.
“The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well coded and extensible backdoor. UNC2529 is assessed as capable, professional and well resourced. The identified wide-ranging targets, across geography and industry suggests a financial crime motive.” concludes the report which also included indicators of compromise and other technical indicators for the attacks.
“DOUBLEBACK appears to be an ongoing work in progress and Mandiant anticipates further actions by UNC2529 to compromise victims across all industries worldwide.”
(SecurityAffairs – hacking, UNC2529)