New Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

The cybersecurity researchers of FireEye’s cybersecurity team at Mandiant have recently proclaimed that the phishing campaign, which mopped across financial, communications, medical, and other organizations around the world in December in two waves was based on completely new strains of malware.

In this campaign, the attackers targeted and attacked 50 well-known organizations from an extensive assortment of industries globally in two waves, as we hinted earlier.

The hacking group behind this sophisticated phishing campaign has used custom phishing lures while deploying the three new strains of the malware on their targets.

Three New Malware Strains

Since the attack waves are completely based on three new strains of the malware, the cybersecurity analysts have also mentioned those three new strains of malware, and here they are mentioned below:-

• Doubledrag
• Doubledrop
• Doubleback

The team of security specialists believed that the hacking group, ‘UNC2529’ who have created this set of malicious tools, did not lack either experience or any resources to execute a campaign like this.

Downloader to Backdoor

Security analysts have claimed that this global phishing campaign involves over 50 domains. And in a successful second wave attack which took place on December 2nd and between December 11th and 18th, 2020, the hacking group, UNC2529 hacked a domain owned by a US heating and cooling company.

During this execution, they managed to change the DNS records of the domain owned by a US heating and cooling company and used this structure to launch phishing attacks against at least 22 other organizations.

The emails used by the attackers contained URL links leading to .PDF files along with a JavaScript file in a Zip archive. 

Here, the documents themselves, taken from public sources, were deliberately tampered with to entice victims to double-click the .js file containing the masked “Doubledrag” loader in an attempt to open them. 

Not only that, but even some emails also included an Excel file with a macro carrying the same malicious payload. The launch of Doubledrag attempt to load the so-called dropper, “Doubledrop.” 

The dropper, “Doubledrop” is a muddled PowerShell script that is used to load the backdoor “Doubleback” on the infected system of the target.

While the final element of the three-component is “Doubleback,” it was created in two essences at once:-

• 32-bit
• 64-bit

After gaining control, they load their plugins and then establishes the communication to the command-and-control (C2) servers.

The experts at Mandiant also marked one bootloader in the filesystem, while the rest of the components are serialized in the registry database, which makes them difficult to detect, particularly by the antivirus tools that are mainly converged on finding files.

Spear Phishing Footprints

Since we are talking about a hacking group that is well experienced, UNC2529 have refined their attack vectors. They refined their attack forms and vectors simply to make their emails genuine or legitimate to their targeted victims.

Now many of you might be thinking that ‘Why?’ The threat actors refined their attack forms and vectors to enhance their chances to tarp their victims and infect their systems.

Moreover, the hackers at UNC2529 group during their two waves of attacks have targeted multiple industries from multiple regions.

Apart from this, in this phishing campaign, the attackers have primarily targeted organizations from countries like the US, EMEA (Europe, the Middle East, and Africa), Australia, and Asia.

But, till now the researchers at Mandiant are not yet conscious of the actual intentions of the hackers behind this phishing campaign. 

However, lastly, they also affirmed that the broad coverage across industries and regions is consistent with the most common targets like financially motivated groups.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.