Threat Watch


Three New Malware Families Identified in Phishing Campaigns

Researchers at FireEye have identified three new malware families that are targeting the finance industry in new phishing campaigns. The families have been dubbed Doubledrag, Doubledrop, and Doubleback. The malware was identified in December 2020 and appears to be the work of experienced threat actors, tracked by FireEye as UNC2529. The malware has targeted organizations in the US, the EMEA region, Asia, and Australia. Phishing emails sent to victims were tailored to each company, with subjects and bodies that were rarely the same across different organizations. Over 50 domains were used by the threat actors to send the phishing emails. The emails contained URLs leading to malicious .PDF payloads accompanied by a JavaScript file packaged in a .ZIP archive. The documents were deliberately corrupted so that they displayed an "unreadable" error, the idea being that a victim frustrated at not being able to view the document would double-click the JavaScript file to download the payload. The .js file was heavily obfuscated and contained the Doubledrag downloader. Once executed, Doubledrag attempts to run a dropper as the second stage of the attack. Doubledrop is an obfuscated PowerShell script designed to establish a foothold on the infected machine by loading a backdoor into memory. The backdoor, Doubleback, is the final malware component and was built in both 32-bit and 64-bit versions. According to Mandiant researchers, "the backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them." Only the downloader exists on the file system; the remaining components are serialized into the registry, which makes detection harder.
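The chain described above (a user double-clicking a .js file from a download location, the script host then launching the PowerShell dropper) leaves a process-lineage trace even though only the downloader touches disk. The following is an added detection example, not code from Binary Defense or FireEye; it assumes Sysmon-style process-creation fields (pid, parent pid, image path, command line) and runs over constructed sample events.

```python
import re
from dataclasses import dataclass

# Windows script hosts that execute .js / .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# User-writable locations where a mail-delivered ZIP is typically extracted.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
JS_ARG = re.compile(r"\.js\b", re.IGNORECASE)

@dataclass
class ProcEvent:            # minimal process-creation record (assumed schema)
    pid: int
    ppid: int
    image: str
    cmdline: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect_js_to_powershell(events):
    """Return (rule_name, pid) tuples for suspicious script-host activity."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        # Rule 1: script host running a .js file from a user-writable directory.
        if img in SCRIPT_HOSTS and JS_ARG.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            alerts.append(("script_host_js_from_user_dir", e.pid))
        # Rule 2: PowerShell whose parent is a script host (downloader -> dropper).
        if img in POWERSHELL:
            parent = by_pid.get(e.ppid)
            if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
                alerts.append(("script_host_spawned_powershell", e.pid))
    return alerts

# Constructed sample telemetry: explorer -> wscript (.js in Downloads) -> powershell,
# plus a benign cscript run of a Windows-shipped .vbs that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(400, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]

if __name__ == "__main__":
    for rule, pid in detect_js_to_powershell(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

Rule 2 is the higher-confidence signal; rule 1 on its own will also fire on legitimate scripts users run from their Downloads folder, so tune it against your environment.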

ANALYST NOTES

There are some indicators that the malware is still being used to infect companies across multiple industries and geographies. At the time of writing, no evidence points to the objectives of the group, though researchers state the attacks appear to be financially motivated. Companies should have a good defense plan in place to protect themselves from phishing attacks and malware. This should include training for employees on how to identify a phishing email, as well as monitoring. Binary Defense Managed Detection and Response is an effective service to monitor for abnormal behavior across endpoints and stop attacks quickly. Although this threat group takes care not to leave many files that could be detected by anti-virus products, the Security Operations Task Force at Binary Defense would have no trouble spotting the malicious behaviors and putting a quick stop to the intrusion. More can be read here:
https://www.zdnet.com/article/researchers-find-three-new-malware-families-used-in-global-finance-phishing-campaign/
https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html