Monday, October 7, 2024
HomeMalwareNew Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

New Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

Published on

The cybersecurity researchers of FireEye’s cybersecurity team at Mandiant have recently proclaimed that the phishing campaign, which mopped across financial, communications, medical, and other organizations around the world in December in two waves was based on completely new strains of malware.

In this campaign, the attackers targeted and attacked 50 well-known organizations from an extensive assortment of industries globally in two waves, as we hinted earlier.

The hacking group behind this sophisticated phishing campaign has used custom phishing lures while deploying the three new strains of the malware on their targets.

- Advertisement - EHA

Three New Malware Strains

Since the attack waves are completely based on three new strains of the malware, the cybersecurity analysts have also mentioned those three new strains of malware, and here they are mentioned below:-

  • Doubledrag
  • Doubledrop
  • Doubleback

The team of security specialists believed that the hacking group, ‘UNC2529’ who have created this set of malicious tools, did not lack either experience or any resources to execute a campaign like this.

Downloader to Backdoor

Security analysts have claimed that this global phishing campaign involves over 50 domains. And in a successful second wave attack which took place on December 2nd and between December 11th and 18th, 2020, the hacking group, UNC2529 hacked a domain owned by a US heating and cooling company.

During this execution, they managed to change the DNS records of the domain owned by a US heating and cooling company and used this structure to launch phishing attacks against at least 22 other organizations.

The emails used by the attackers contained URL links leading to .PDF files along with a JavaScript file in a Zip archive. 

Here, the documents themselves, taken from public sources, were deliberately tampered with to entice victims to double-click the .js file containing the masked “Doubledrag” loader in an attempt to open them. 

Not only that, but even some emails also included an Excel file with a macro carrying the same malicious payload. The launch of Doubledrag attempt to load the so-called dropper, “Doubledrop.” 

The dropper, “Doubledrop” is a muddled PowerShell script that is used to load the backdoor “Doubleback” on the infected system of the target.

While the final element of the three-component is “Doubleback,” it was created in two essences at once:-

  • 32-bit
  • 64-bit

After gaining control, they load their plugins and then establishes the communication to the command-and-control (C2) servers.

The experts at Mandiant also marked one bootloader in the filesystem, while the rest of the components are serialized in the registry database, which makes them difficult to detect, particularly by the antivirus tools that are mainly converged on finding files.

Spear Phishing Footprints

Since we are talking about a hacking group that is well experienced, UNC2529 have refined their attack vectors. They refined their attack forms and vectors simply to make their emails genuine or legitimate to their targeted victims.

Now many of you might be thinking that ‘Why?’ The threat actors refined their attack forms and vectors to enhance their chances to tarp their victims and infect their systems.

Moreover, the hackers at UNC2529 group during their two waves of attacks have targeted multiple industries from multiple regions.

Apart from this, in this phishing campaign, the attackers have primarily targeted organizations from countries like the US, EMEA (Europe, the Middle East, and Africa), Australia, and Asia.

But, till now the researchers at Mandiant are not yet conscious of the actual intentions of the hackers behind this phishing campaign. 

However, lastly, they also affirmed that the broad coverage across industries and regions is consistent with the most common targets like financially motivated groups.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...