Saturday, April 13, 2024

New Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

The cybersecurity researchers of FireEye’s cybersecurity team at Mandiant have recently proclaimed that the phishing campaign, which mopped across financial, communications, medical, and other organizations around the world in December in two waves was based on completely new strains of malware.

In this campaign, the attackers targeted and attacked 50 well-known organizations from an extensive assortment of industries globally in two waves, as we hinted earlier.

The hacking group behind this sophisticated phishing campaign has used custom phishing lures while deploying the three new strains of the malware on their targets.

Three New Malware Strains

Since the attack waves are completely based on three new strains of the malware, the cybersecurity analysts have also mentioned those three new strains of malware, and here they are mentioned below:-

  • Doubledrag
  • Doubledrop
  • Doubleback

The team of security specialists believed that the hacking group, ‘UNC2529’ who have created this set of malicious tools, did not lack either experience or any resources to execute a campaign like this.

Downloader to Backdoor

Security analysts have claimed that this global phishing campaign involves over 50 domains. And in a successful second wave attack which took place on December 2nd and between December 11th and 18th, 2020, the hacking group, UNC2529 hacked a domain owned by a US heating and cooling company.

During this execution, they managed to change the DNS records of the domain owned by a US heating and cooling company and used this structure to launch phishing attacks against at least 22 other organizations.

The emails used by the attackers contained URL links leading to .PDF files along with a JavaScript file in a Zip archive. 

Here, the documents themselves, taken from public sources, were deliberately tampered with to entice victims to double-click the .js file containing the masked “Doubledrag” loader in an attempt to open them. 

Not only that, but even some emails also included an Excel file with a macro carrying the same malicious payload. The launch of Doubledrag attempt to load the so-called dropper, “Doubledrop.” 

The dropper, “Doubledrop” is a muddled PowerShell script that is used to load the backdoor “Doubleback” on the infected system of the target.

While the final element of the three-component is “Doubleback,” it was created in two essences at once:-

  • 32-bit
  • 64-bit

After gaining control, they load their plugins and then establishes the communication to the command-and-control (C2) servers.

The experts at Mandiant also marked one bootloader in the filesystem, while the rest of the components are serialized in the registry database, which makes them difficult to detect, particularly by the antivirus tools that are mainly converged on finding files.

Spear Phishing Footprints

Since we are talking about a hacking group that is well experienced, UNC2529 have refined their attack vectors. They refined their attack forms and vectors simply to make their emails genuine or legitimate to their targeted victims.

Now many of you might be thinking that ‘Why?’ The threat actors refined their attack forms and vectors to enhance their chances to tarp their victims and infect their systems.

Moreover, the hackers at UNC2529 group during their two waves of attacks have targeted multiple industries from multiple regions.

Apart from this, in this phishing campaign, the attackers have primarily targeted organizations from countries like the US, EMEA (Europe, the Middle East, and Africa), Australia, and Asia.

But, till now the researchers at Mandiant are not yet conscious of the actual intentions of the hackers behind this phishing campaign. 

However, lastly, they also affirmed that the broad coverage across industries and regions is consistent with the most common targets like financially motivated groups.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles