Researchers at FireEye have identified three new malware families being used against the finance industry in new phishing campaigns. The families have been dubbed Doubledrag, Doubledrop, and Doubleback. The malware was identified in December 2020 and appears to be the work of experienced threat actors tracked by FireEye as UNC2529. It has targeted organizations in the US, the EMEA region, Asia, and Australia.

Phishing emails were tailored to each victim company; their subjects and bodies were rarely the same ones sent to other organizations. The threat actors used over 50 domains to send the emails. The emails contained URLs leading to malicious .PDF payloads, accompanied by a JavaScript file that contained a .ZIP archive. The documents were deliberately corrupted so that opening them produced an "unreadable" error, on the assumption that a victim frustrated at being unable to view the document would double-click the JavaScript file, which downloads the payload. The .js file was heavily obfuscated and contained the Doubledrag downloader.

Once executed, Doubledrag attempts to run a dropper as the second stage of the attack. Doubledrop is an obfuscated PowerShell script designed to establish a foothold on the infected machine by loading a backdoor into memory. The backdoor, Doubleback, is the final malware component and was built in both 32-bit and 64-bit versions. According to Mandiant researchers, “the backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them.” Only the downloader exists on the file system; the remaining components are serialized in the registry database, which makes detection harder.
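The lure described above pairs a PDF that will not open with a JavaScript file in the same archive. As an added example (not FireEye's or Mandiant's code), the following mail-gateway style check inspects a ZIP attachment for exactly that combination; the archive contents and file names are constructed for the demonstration.

```python
"""Heuristic check for a corrupted-PDF-plus-JavaScript lure inside a ZIP.
Constructed example for a mail gateway or triage script; not FireEye's code."""
import io
import zipfile

JS_SUFFIXES = (".js", ".jse")


def pdf_looks_corrupt(data: bytes) -> bool:
    """A well-formed PDF starts with %PDF- and ends with %%EOF (trailing whitespace allowed).
    A file that fails either check is what a viewer reports as unreadable."""
    return not (data.startswith(b"%PDF-") and data.rstrip().endswith(b"%%EOF"))


def classify_archive(zip_bytes: bytes) -> dict:
    """Report JavaScript files and corrupt PDFs in the archive; flag the combination."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        js_files = [n for n in names if n.lower().endswith(JS_SUFFIXES)]
        corrupt_pdfs = [
            n for n in names
            if n.lower().endswith(".pdf") and pdf_looks_corrupt(zf.read(n))
        ]
    return {
        "js_files": js_files,
        "corrupt_pdfs": corrupt_pdfs,
        # A JS file next to a PDF that cannot be opened matches the lure pattern.
        "suspicious": bool(js_files) and bool(corrupt_pdfs),
    }


def build_sample_archive(corrupt_pdf: bool) -> bytes:
    """Construct a small in-memory archive for the demo (assumed names, no real malware)."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    if corrupt_pdf:
        pdf = pdf[:12]  # truncated so the trailer is missing, as in the lure
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", pdf)
        zf.writestr("invoice.js", "// placeholder script, not the real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_archive(build_sample_archive(corrupt_pdf=True)))
    print(classify_archive(build_sample_archive(corrupt_pdf=False)))
```

An intact PDF beside a script is still worth a look, but only the corrupted pairing is flagged here, so tune the rule to the organization's tolerance for false positives.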