The three unseen malware strains
Three new strains of malware that had never been seen before were recently reported by security researchers. Named Doubledrag, Doubledrop and Doubleback, the strains stand out for their sophisticated code and for the sizeable infrastructure of nearly 50 domains used to distribute them.
According to the available reports, organizations across a range of industries worldwide were hit by the three strains in spear-phishing campaigns carried out in December 2020. The United States was the primary target, followed by EMEA, Asia and Australia.
The threat actors behind the previously unseen strains are tracked as UNC2529, a group that appears to operate with considerable sophistication and resources.
According to the researchers, the UNC2529 attackers appear "experienced", judging by the carefully designed lures used in the spear-phishing campaigns and the web of domains under their control. Another notable trait is that UNC2529 researches its targets well and tailors the subject lines of its phishing emails to each intended victim.
A three-stage attack
The malware distributed by UNC2529 follows a carefully crafted three-stage attack chain. Typically, the victim is first compromised by a Doubledrag downloader or by an Excel document containing an embedded macro; next, a Doubledrop dropper enters the system; finally, a Doubleback backdoor establishes a connection to the threat actors.
The infection begins with a phishing email crafted to look legitimate. Victims are prompted to click a link that downloads a malicious payload containing a JavaScript downloader (Doubledrag). In the next stage, Doubledrag attempts to fetch the Doubledrop dropper, a heavily obfuscated PowerShell script built to inject the Doubleback backdoor into memory. Once that is in place, the backdoor loads plugins on the compromised system and reports back to the operators who control it.
Interestingly, only the downloader remains on the file system. All other components are serialized into the Windows Registry, which makes them harder to identify, especially for file-based antivirus products.
Another tactic UNC2529 relies on is so-called fileless malware: code that is not stored on disk but runs only in memory, which hides the malware components from tools that inspect files.
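The chain described above has a recognisable shape from a defender's side: a script host (the JavaScript downloader) launches PowerShell, that PowerShell runs an encoded command, and PowerShell then writes an unusually large value into the registry. The following detector, an added example that is not code from the original article or from the researchers' report, runs those three checks over a handful of constructed, Sysmon-style events. The process names, field names, registry path and event values are all assumptions made for illustration; the size threshold and the parent/child pairing are generic hunting heuristics, not indicators published for this malware.

```python
"""Hunt for the downloader -> dropper -> registry-resident payload shape over
constructed, Sysmon-like events (added example; every event below is made up)."""
import base64
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # typical hosts for a .js downloader
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LARGE_VALUE_BYTES = 16 * 1024                    # assumed threshold: settings are rarely this big


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set)
    host: str
    image: str           # image of the acting process
    parent: str = ""     # parent image, process events only
    cmdline: str = ""    # command line, process events only
    target: str = ""     # registry value path, registry events only
    size: int = 0        # bytes written, registry events only


def decoded_command(cmdline):
    """Return the text behind -EncodedCommand / -enc / -e, or None if absent or malformed."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        # PowerShell expects the Base64 payload to be UTF-16LE text
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (finding, host, *details) tuples for each heuristic that fires."""
    findings = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process" and e.parent.lower() in SCRIPT_HOSTS and image in POWERSHELL:
            findings.append(("script-host-spawns-powershell", e.host, e.parent, e.image))
        if e.kind == "process" and image in POWERSHELL:
            dec = decoded_command(e.cmdline)
            if dec is not None:
                findings.append(("encoded-powershell", e.host, dec))
        if e.kind == "registry" and image in POWERSHELL and e.size >= LARGE_VALUE_BYTES:
            findings.append(("large-registry-blob-from-powershell", e.host, e.target, e.size))
    return findings


def suspected_hosts(events):
    """Hosts showing both a script-host -> PowerShell launch and a large PowerShell
    registry write: the shape of a downloader handing off to a dropper that stages
    its payload in the registry instead of on disk."""
    by_host = {}
    for f in analyze(events):
        by_host.setdefault(f[1], set()).add(f[0])
    needed = {"script-host-spawns-powershell", "large-registry-blob-from-powershell"}
    return sorted(h for h, kinds in by_host.items() if needed <= kinds)


# Constructed sample data. The encoded command is built here so it is valid Base64/UTF-16LE.
ENCODED = base64.b64encode(
    "Set-ItemProperty -Path HKCU:\\Software\\Example -Name Blob -Value $x".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    Event("process", "WS01", "powershell.exe", parent="wscript.exe",
          cmdline=f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    Event("registry", "WS01", "powershell.exe",
          target="HKCU\\Software\\Example\\Blob", size=200_000),        # hypothetical path
    Event("process", "WS02", "powershell.exe", parent="explorer.exe",
          cmdline="powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),  # benign admin use
    Event("registry", "WS02", "regedit.exe", target="HKCU\\Software\\Example\\Setting", size=64),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))   # suspected: ['WS01']
```

On a real estate the same logic maps onto Sysmon event IDs 1 (process creation) and 13 (registry value set); the point of correlating per host rather than alerting on each heuristic alone is that encoded PowerShell and large registry writes each occur legitimately, while the three together in one session rarely do.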
Researchers suggest that the most likely motive behind the sophisticated spear-phishing attack with these three new strains is financial fraud. And since the malware appears to be "an ongoing work in progress", UNC2529 is expected to keep compromising victims in different industries around the world.