On Tuesday, FireEye’s Mandiant cybersecurity team reported they detected three new malware strains – Doubledrag, Doubledrop, and Doubleback. They detected the new malware in December 2020.
Mandiant believes the threat actors behind the malware are “experienced and well-resourced.” They are being tracked as UNC2529.
Mandiant has observed two separate waves in which the threat actor targeted organizations in the US, the EMEA region, Asia, and Australia.
Cybercriminals sent phishing messages to potential victims, in most cases from different email addresses and under different subject lines to better tailor them to the targets. In many cases, the threat actors posed as account executives from companies in various industries, including defense, medicine, transport, the military, and electronics.
The global phishing scheme involved over 50 domains. In one successful attack, UNC2529 took over a domain owned by a US heating and cooling services business, changed its DNS records, and used it as a launchpad for phishing attacks on at least 22 targets.
Threat actors used a well-devised, multi-step attack chain. URLs in the emails led to a .PDF payload and a .zip archive containing a JavaScript file. The documents were deliberately corrupted so they would not render, enticing victims to double-click the .js file in an attempt to read the content. The .js file was heavily obfuscated and contained the Doubledrag downloader. Attackers also used Excel documents with an embedded macro to deliver the same payload. Doubledrag downloaded a dropper, an obfuscated PowerShell script used to establish a foothold on the infected machine with the help of a backdoor. This backdoor, Doubleback, was the final malware component and came in both 32-bit and 64-bit versions.
“The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them,” Mandiant notes.
The whole attack chain was well obfuscated to avoid detection:
“One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines.”
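Because only the downloader touches the file system and the remaining components live in the registry, a file-based scanner alone will not see them. The following PowerShell hunt is an added example, not code from Mandiant's report, and it does not know which keys UNC2529 used (the article does not name them): it sweeps the assumed `HKCU:\Software` and `HKLM:\Software` roots for unusually large binary or string values, a generic heuristic for scripts or executables that have been serialized into the registry. The roots, depth and 20 KB threshold are assumptions to tune against a baseline of your own hosts.

```powershell
# Added example (not Mandiant's code): hunt for oversized registry values that may
# hold a serialized payload rather than an ordinary setting.
# The registry locations used by UNC2529 are not given in the article, so the roots,
# search depth and size threshold below are assumptions; baseline them per environment.
param(
    [string[]]$Roots    = @('HKCU:\Software', 'HKLM:\Software'),
    [int]     $MinBytes = 20KB,
    [int]     $MaxDepth = 6
)

Get-ChildItem -Path $Roots -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_   # Microsoft.Win32.RegistryKey
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # Only binary blobs and strings can carry a script or PE image; skip DWORD/QWORD
            if ($kind -notin 'Binary', 'String', 'ExpandString', 'MultiString') { continue }
            $data = $key.GetValue($name)
            $size = switch ($kind) {
                'MultiString' { ($data -join '').Length }   # string[] -> total characters
                default       { $data.Length }              # byte[] or string
            }
            if ($size -ge $MinBytes) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Kind  = $kind
                    Bytes = $size
                }
            }
        }
    } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM hive is readable; legitimate software (installers, .NET settings, COM caches) also stores large blobs, so compare the output with a known-clean machine of the same build and triage the entries that have no matching product, rather than treating every hit as malicious.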
The aim of the threat actor is not understood at this point and the analysis of the new malware strains is ongoing.
“Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups,” the researchers concluded.