Thursday, March 28, 2024

New Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

The cybersecurity researchers of FireEye’s cybersecurity team at Mandiant have recently proclaimed that the phishing campaign, which mopped across financial, communications, medical, and other organizations around the world in December in two waves was based on completely new strains of malware.

In this campaign, the attackers targeted and attacked 50 well-known organizations from an extensive assortment of industries globally in two waves, as we hinted earlier.

The hacking group behind this sophisticated phishing campaign has used custom phishing lures while deploying the three new strains of the malware on their targets.

Three New Malware Strains

Since the attack waves are completely based on three new strains of the malware, the cybersecurity analysts have also mentioned those three new strains of malware, and here they are mentioned below:-

  • Doubledrag
  • Doubledrop
  • Doubleback

The team of security specialists believed that the hacking group, ‘UNC2529’ who have created this set of malicious tools, did not lack either experience or any resources to execute a campaign like this.

Downloader to Backdoor

Security analysts have claimed that this global phishing campaign involves over 50 domains. And in a successful second wave attack which took place on December 2nd and between December 11th and 18th, 2020, the hacking group, UNC2529 hacked a domain owned by a US heating and cooling company.

During this execution, they managed to change the DNS records of the domain owned by a US heating and cooling company and used this structure to launch phishing attacks against at least 22 other organizations.

The emails used by the attackers contained URL links leading to .PDF files along with a JavaScript file in a Zip archive. 

Here, the documents themselves, taken from public sources, were deliberately tampered with to entice victims to double-click the .js file containing the masked “Doubledrag” loader in an attempt to open them. 

Not only that, but even some emails also included an Excel file with a macro carrying the same malicious payload. The launch of Doubledrag attempt to load the so-called dropper, “Doubledrop.” 

The dropper, “Doubledrop” is a muddled PowerShell script that is used to load the backdoor “Doubleback” on the infected system of the target.

While the final element of the three-component is “Doubleback,” it was created in two essences at once:-

  • 32-bit
  • 64-bit

After gaining control, they load their plugins and then establishes the communication to the command-and-control (C2) servers.

The experts at Mandiant also marked one bootloader in the filesystem, while the rest of the components are serialized in the registry database, which makes them difficult to detect, particularly by the antivirus tools that are mainly converged on finding files.

Spear Phishing Footprints

Since we are talking about a hacking group that is well experienced, UNC2529 have refined their attack vectors. They refined their attack forms and vectors simply to make their emails genuine or legitimate to their targeted victims.

Now many of you might be thinking that ‘Why?’ The threat actors refined their attack forms and vectors to enhance their chances to tarp their victims and infect their systems.

Moreover, the hackers at UNC2529 group during their two waves of attacks have targeted multiple industries from multiple regions.

Apart from this, in this phishing campaign, the attackers have primarily targeted organizations from countries like the US, EMEA (Europe, the Middle East, and Africa), Australia, and Asia.

But, till now the researchers at Mandiant are not yet conscious of the actual intentions of the hackers behind this phishing campaign. 

However, lastly, they also affirmed that the broad coverage across industries and regions is consistent with the most common targets like financially motivated groups.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles