Large-scale phishing campaign used three new malware families

Cybercriminals have launched a massive phishing campaign against organizations from a wide range of industries in countries around the world, using three previously unseen malware families.

According to experts from Mandiant, the attacks affected at least 50 organizations and took place in two waves, on December 2 and December 11-18, 2020.

The group behind the campaign, tracked as UNC2529, used tailored phishing lures to infect victims' computers with three new malicious programs: a downloader, a dropper and a backdoor.

"The attackers made extensive use of obfuscation techniques and fileless malware to make detection more difficult and to deliver a well-coded and extensible backdoor," the experts explained.

During the attacks, the group sent phishing emails with links to an obfuscated JavaScript downloader (dubbed DOUBLEDRAG) or, in some cases, a Microsoft Excel document with an embedded macro. Either way, the first stage fetched a PowerShell-based dropper (DOUBLEDROP) from the attackers' C&C server.

Once executed, DOUBLEDRAG contacts the C&C server and loads the dropper directly into memory; DOUBLEDROP is never written to disk. DOUBLEDROP is implemented as an obfuscated PowerShell script that carries both 32-bit and 64-bit instances of the DOUBLEBACK backdoor. The dropper performs the initial configuration and sets up persistence for the backdoor on the compromised system.

The backdoor first runs inside the PowerShell process used by the dropper and then tries to inject itself into a newly created Windows Installer process (msiexec.exe), provided the Bitdefender antivirus engine is not running on the compromised computer. Once it has control, DOUBLEBACK loads its plugins and enters a communication loop with the C&C server, waiting for commands.

"An interesting fact about the malware ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes them somewhat harder to detect, especially for file-based anti-virus engines," the experts noted.
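The chain described above (a script-host downloader launching PowerShell, a backdoor that spawns an empty msiexec.exe to inject into, and components stored as large registry values) suggests three simple hunting checks. The following is an added example written for this article, not code from Mandiant or from the article's author; it runs those checks over constructed, Sysmon-style event records. The field names, the size threshold and the sample events are assumptions made for the demo, not indicators published for this campaign.

```python
"""Hunting heuristics for a DOUBLEDRAG / DOUBLEDROP / DOUBLEBACK-style chain.

Added example, not Mandiant's or the article author's code. Event fields are
assumed, Sysmon-like and simplified; the sample events at the bottom are
constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed threshold: one registry value this large is unusual for ordinary
# configuration data and is worth a look (tune per environment).
LARGE_VALUE_BYTES = 8 * 1024
# msiexec started for a real install/repair/uninstall carries one of these.
MSI_PACKAGE_ARG = re.compile(r"(?i)\s/(?:i|x|a|f|p|j|uninstall|update)|\.msi\b|\.msp\b")
JS_FILE = re.compile(r"(?i)\.jse?\b")
USER_PROFILE = re.compile(r"(?i)\\Users\\[^\\]+\\")


@dataclass
class ProcEvent:            # process-creation event (assumed schema)
    image: str
    parent_image: str
    parent_command_line: str
    command_line: str


@dataclass
class RegEvent:             # registry value-set event (assumed schema)
    target_object: str
    value_size: int


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_js_downloader_launch(ev: ProcEvent) -> bool:
    """wscript/cscript running a .js/.jse from a user profile path and
    spawning PowerShell: the DOUBLEDRAG-to-DOUBLEDROP hand-off."""
    return (
        basename(ev.image) in POWERSHELL
        and basename(ev.parent_image) in SCRIPT_HOSTS
        and JS_FILE.search(ev.parent_command_line) is not None
        and USER_PROFILE.search(ev.parent_command_line) is not None
    )


def is_msiexec_without_package(ev: ProcEvent) -> bool:
    """PowerShell spawning msiexec.exe with nothing to install: an empty host
    process of the kind the backdoor injects into. A genuine install from a
    deployment script passes /i, /x, ... or a .msi path and is not flagged."""
    return (
        basename(ev.image) == "msiexec.exe"
        and basename(ev.parent_image) in POWERSHELL
        and MSI_PACKAGE_ARG.search(ev.command_line) is None
    )


def is_large_registry_value(ev: RegEvent) -> bool:
    """A value big enough to hold a serialized script or PE blob."""
    return ev.value_size >= LARGE_VALUE_BYTES


def hunt(events: List[Union[ProcEvent, RegEvent]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        if isinstance(ev, ProcEvent):
            if is_js_downloader_launch(ev):
                findings.append(("js_downloader", ev.parent_command_line))
            if is_msiexec_without_package(ev):
                findings.append(("msiexec_no_package", ev.command_line))
        elif isinstance(ev, RegEvent) and is_large_registry_value(ev):
            findings.append(("large_registry_value", ev.target_object))
    return findings


# Constructed sample telemetry (not real indicators from the campaign).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(image=PS, parent_image=r"C:\Windows\System32\wscript.exe",
              parent_command_line=r'wscript.exe "C:\Users\jsmith\Downloads\invoice.pdf.js"',
              command_line="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACAAJwBkAGUAbQBvACcAKQA="),
    ProcEvent(image=r"C:\Windows\System32\msiexec.exe", parent_image=PS,
              parent_command_line="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACAAJwBkAGUAbQBvACcAKQA=",
              command_line="msiexec.exe"),
    ProcEvent(image=r"C:\Windows\System32\msiexec.exe", parent_image=PS,
              parent_command_line="powershell.exe -File deploy.ps1",
              command_line=r"msiexec.exe /i C:\deploy\agent.msi /qn"),      # benign install
    RegEvent(target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Demo\Blob",
             value_size=245760),
    RegEvent(target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Demo\Flag",
             value_size=16),
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The msiexec check is the one most likely to fire on legitimate activity, which is why it only flags an installer process that was given no package to work on; the registry-size check is a coarse heuristic and should be scoped to the keys your environment never expects large blobs under before being used as an alert.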

UNC2529 used approximately 50 domains in the campaign. The emails were sent purportedly on behalf of company executives and targeted the medical sector, manufacturers of high-tech electronics, automotive and military equipment, and a defense contractor.

While companies in the United States were the main targets, organizations in EMEA (Europe, the Middle East and Africa), Asia and Australia were also hit.

Let me remind you that we also reported that new malware impersonates Netflix and spreads via WhatsApp.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
