Posted on May 5, 2021 at 10:40 AM
Over 50 Organizations Targeted In Two New Waves Of Malware Attacks
A recent report has revealed that global-scale phishing is targeting organizations across a wide range of industries with new malware strains.
The threat actors involved in this phishing campaign are delivering the malware strains through specially-tailored lures, the report reveals.
The attack has come in two waves, hitting about 50 organizations on December 2 and December 11 last year.
Threat actors carried out two separate waves of attacks
The threat actors responsible for the wide spate of attacks have been identified as UNC2529. They use heavily obfuscated techniques to avoid being spotted, and they deploy payloads in memory whenever possible to evade detection.
FireEye’s Mandiant security team stated that the threat group utilized phishing emails throughout the two waves of attacks.
The phishing emails linked to an Excel document or, in some cases, a JavaScript-based downloader that fetched an in-memory PowerShell-based dropper from the threat actors' command and control (C2) servers.
In the first stage, the backdoor is planted into the PowerShell process. In the second stage, the Doubleback backdoor loads a plugin and reaches out to the C2 server to receive commands and execute them on the targeted device.
Mandiant stated that in this scenario only the downloader exists as a file on the system, with the other components kept in the registry. This makes the malware somewhat harder to detect, particularly for file-based antivirus engines.
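The registry-resident, in-memory chain described above is what file scanning misses, so the detection has to come from process and registry telemetry instead. As an added example (not from the report or this article), the toy Python logic below flags PowerShell launched by a script host or an Office application with hidden or encoded flags, flags PowerShell writing payload-sized values to the registry, and reports hosts where both stages appear. The Sysmon-style field names, the size threshold and the sample events are assumptions constructed for this example.

```python
# Toy detection for the chain above: script host/Excel -> PowerShell -> registry-resident payload (constructed events).
import re

SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "excel.exe", "winword.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
PS_FLAGS = re.compile(r"-(enc|encodedcommand|e|w(indowstyle)?\s+hidden|nop|noprofile)\b", re.I)
REGISTRY_BLOB_MIN = 4096  # assumed threshold (bytes) for a "payload-sized" value

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_process(ev):
    """Return a finding for a PowerShell process-creation event, else None."""
    if basename(ev["image"]) not in PS_IMAGES:
        return None
    parent, reasons = basename(ev["parent_image"]), []
    if parent in SCRIPT_PARENTS:
        reasons.append(f"powershell spawned by {parent}")
    if PS_FLAGS.search(ev.get("command_line", "")):
        reasons.append("hidden/encoded/noprofile flags")
    return "; ".join(reasons) or None

def check_registry(ev):
    # The report says non-downloader components live in the registry, not on disk.
    if basename(ev["image"]) not in PS_IMAGES:
        return None
    if ev.get("value_size", 0) >= REGISTRY_BLOB_MIN:
        return f"powershell wrote {ev['value_size']} bytes to {ev['key']}"
    return None

def analyse(events):
    findings = {}  # host -> list of findings
    for ev in events:
        hit = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if hit:
            findings.setdefault(ev["host"], []).append(hit)
    return findings

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"type": "registry", "host": "ws01", "image": r"C:\...\powershell.exe",
     "key": r"HKCU\Software\<placeholder-key>", "value_size": 180000},
    {"type": "process", "host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\...\powershell.exe", "command_line": "powershell.exe Get-Process"},
]

def suspicious_hosts(events=SAMPLE_EVENTS):  # hosts showing two or more chain stages
    return sorted(h for h, hits in analyse(events).items() if len(hits) >= 2)
```

A single flagged PowerShell launch is noisy in most environments; requiring the registry stage on the same host is what keeps this rule useful.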
Malware attacks carried out by sophisticated actors
The researchers say the three new malware families, Doubleback, Doubledrop, and Doubledrag, are the work of sophisticated threat actors.
The two separate waves of attacks have targeted organizations in the US, Australia, Asia, and the EMEA region, according to the report.
Another notable aspect of the attack is that the phishing messages sent to potential victims did not share the same subject lines or sender addresses. They were tailored to specific targets to maximize the chance of a response.
In some instances, the threat actors posed as account executives in different industries, including electronics, the military, transport, medicine, and defense, tailoring each phishing email to the industry being targeted.
Over 50 different domains used for the attacks
According to the report, the hackers used more than 50 domains to manage the phishing scheme. In one of its successful attacks, UNC2529 compromised a domain owned and operated by a heating and cooling service business in the US. The threat actors altered its DNS records and used its infrastructure to carry out phishing attacks on no less than 22 organizations.
The phishing emails contain links to URLs with malicious .PDF payloads. They also contain a JavaScript file in a .zip archive, which has been corrupted to make it unreadable by users.
Mandiant also revealed that the hackers send a heavily obfuscated .js file containing the Doubledrag downloader. In other malicious campaigns, the threat actors embedded a macro in an Excel document to deliver the same payload.
Once Doubledrag is executed, it downloads a dropper for the second stage of the attack chain.
Doubledrop is designed to gain a foothold on an infected machine by loading a backdoor into memory, as the researchers have observed.
The third malware may still be in progress
Doubleback, the third malware component, was created in both 64-bit and 32-bit versions.
Mandiant says there are reasons to believe that the malware is still a work in progress and not yet a finished product. Its code scans for the presence of antivirus products, such as those produced by BitDefender and Kaspersky, but even when one is found, it takes no action.
While Mandiant is not clear about the threat actors' main goal, they have largely been seen targeting the financial divisions of large organizations, based on the potency of the malware and where it has been deployed.