Cybercriminals have launched a massive phishing campaign against organizations from a wide range of industries in countries around the world, using three new malware families.
According to experts from Mandiant, the attacks affected at least 50 organizations and took place in two waves: on December 2 and on December 11-18 of last year.
The UNC2529 group behind this campaign used tailored phishing lures to infect victims' computers with three new malicious programs.
"Attackers used obfuscation techniques and fileless malware to make detection more difficult and create a well-coded and extensible backdoor," the experts explained.
After starting, DOUBLEDRAG contacts the C&C server and loads the loader, DOUBLEDROP, into system memory. DOUBLEDROP is implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the DOUBLEBACK backdoor. The loader performs the initial configuration and ensures the persistence of the backdoor on the compromised system.
The backdoor injects itself into the PowerShell loader process and will later try to inject itself into a newly created Windows Installer process (msiexec.exe), if the Bitdefender antivirus engine is not running on the compromised computer. In the next step, the DOUBLEBACK backdoor loads its plugins and contacts the C&C server, waiting for commands.
"An interesting fact about the malware infrastructure is that only the loader exists in the file system. The rest of the components are serialized in the Windows Registry, which makes them somewhat difficult to detect, especially by file-based anti-virus mechanisms," the experts noted.
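Two of the traits described above (msiexec.exe started by the PowerShell loader with no package to install, and large serialized blobs kept in the registry instead of on disk) are checkable from endpoint telemetry. The following is an added illustration, not code from Mandiant's report; the event dictionaries are constructed sample records with illustrative field names, not any product's real schema.

```python
# Constructed sample telemetry: process-creation and registry-write records
# (assumption: field names are illustrative, not a specific product's schema).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -nop -w hidden"},
    # Windows Installer launched by PowerShell with no .msi package: injection-host candidate
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "msiexec.exe"},
    # Benign-looking install: msiexec launched by the service manager with a package argument
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "msiexec.exe /i C:\\setup\\app.msi /qn"},
    # Oversized registry value: consistent with components serialized into the registry
    {"type": "registry", "key": r"HKCU\Software\Classes\CLSID\{constructed-example}",
     "value": "data", "data_len": 180000},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "app", "data_len": 60},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def findings(events, blob_threshold=64 * 1024):
    """Return (rule, detail) tuples for events matching the two heuristics."""
    out = []
    for e in events:
        if e["type"] == "process":
            img, parent = _basename(e["image"]), _basename(e["parent"])
            cmd = e["cmdline"].lower()
            # msiexec.exe spawned by PowerShell without an MSI to install has no
            # legitimate reason to exist; the page describes it as the injection target.
            if img == "msiexec.exe" and parent == "powershell.exe" and ".msi" not in cmd:
                out.append(("msiexec_from_powershell", e["cmdline"]))
        elif e["type"] == "registry" and e["data_len"] >= blob_threshold:
            # Registry values are normally small; a multi-KB blob is worth inspecting
            # (threshold is an assumption, tune it to the environment's baseline).
            out.append(("large_registry_blob", e["key"]))
    return out


if __name__ == "__main__":
    for rule, detail in findings(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Both rules are starting points for hunting rather than high-confidence signatures; a hit should be followed by inspecting the msiexec.exe process memory and the flagged registry value.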
UNC2529 used approximately 50 domains as part of the phishing campaign. The emails were sent ostensibly on behalf of company executives and targeted the medical industry, manufacturers of high-tech electronics, automobiles and military equipment, and a defense contractor.
While companies in the United States were the main targets of cybercriminals, organizations from EMEA (Europe, the Middle East and Africa), Asia and Australia were also targeted.
As a reminder, we also reported that new malware impersonates Netflix and spreads via WhatsApp.