Dorblue (Essential). Joined: 28.09.20. Messages: 93. Reaction score: 258. Points: 33.
The UNC2529 group attacked about 50 organizations around the world with phishing emails.
Criminals have organized a large-scale phishing campaign against organizations from a wide variety of industries in countries around the world using new types of malware. According to experts from the company Mandiant, the attacks affected at least 50 organizations and took place in two stages — on December 2 and from December 11 to December 18 last year.
The UNC2529 group behind this campaign used special phishing baits to infect the victims' computers with three new malware programs.
"The attackers used obfuscation techniques and fileless malware to complicate detection and create a well-coded and extensible backdoor," the experts explained.
During the attacks, the group used phishing emails with links to a JavaScript loader (dubbed DOUBLEDRAG) or a Microsoft Excel document with a built-in macro that installed a PowerShell-based loader (DOUBLEDROP) from the attackers' C&C server. After starting, DOUBLEDRAG accesses the C&C server and installs the loader in the system memory. DOUBLEDROP is implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the DOUBLEBACK backdoor. The loader performs the initial setup and ensures the persistence of the backdoor on the compromised system.
The backdoor is embedded in the loader's PowerShell process and will later try to inject itself into the newly created Windows Installer process (msiexec.exe) if the Bitdefender antivirus engine is not running on the compromised computer. In the next step, the DOUBLEBACK backdoor loads the plugin and accesses the C&C server, waiting for commands.
"An interesting fact about the malware infrastructure is that only the loader exists in the file system. The remaining components are serialized in the registry database, which makes them somewhat difficult to detect, especially by file-based antivirus mechanisms," the experts noted.
UNC2529 used approximately 50 domains as part of the phishing campaign. The emails were allegedly sent on behalf of company executives and targeted the medical industry, manufacturers of high-tech electronics, cars and military equipment, as well as a defense contractor. Although the main target of cybercriminals were companies in the United States, organizations from EMEA (Europe, the Middle East and Africa), Asia and Australia were also attacked.
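The chain described above (a PowerShell loader that stages components in the registry and then injects into msiexec.exe) leaves a few host-level signals a defender can alert on. The following detection sketch is an added example, not code from the post or from Mandiant; it runs over constructed Sysmon-style events whose field names follow Sysmon's process-creation (EventID 1), CreateRemoteThread (EventID 8) and registry-value-set (EventID 13) records, and whose values are invented for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style events (field names follow Sysmon's schema; the
# values are invented for this example and are not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS: List[Dict] = [
    # EventID 1: process creation. msiexec.exe started by PowerShell.
    {"EventID": 1, "Image": MSI, "ParentImage": PS},
    # EventID 8: CreateRemoteThread from PowerShell into msiexec.exe.
    {"EventID": 8, "SourceImage": PS, "TargetImage": MSI},
    # EventID 13: registry value set by PowerShell with a binary payload.
    {"EventID": 13, "Image": PS, "TargetObject": r"HKCU\Software\Example\Stage",
     "Details": "Binary Data"},
    # Benign: an interactive install launched from Explorer.
    {"EventID": 1, "Image": MSI, "ParentImage": r"C:\Windows\explorer.exe"},
]

def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict) -> Optional[str]:
    """Return a short finding for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == 1 and _exe(event.get("Image", "")) == "msiexec.exe" \
            and _exe(event.get("ParentImage", "")) == "powershell.exe":
        return "msiexec.exe spawned by powershell.exe"
    if eid == 8 and _exe(event.get("SourceImage", "")) == "powershell.exe" \
            and _exe(event.get("TargetImage", "")) == "msiexec.exe":
        return "remote thread from powershell.exe into msiexec.exe"
    if eid == 13 and _exe(event.get("Image", "")) == "powershell.exe" \
            and event.get("Details") == "Binary Data":
        return "powershell.exe wrote a binary registry value"
    return None

def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Index and finding for every event that matches a rule."""
    findings = []
    for idx, event in enumerate(events):
        finding = classify(event)
        if finding:
            findings.append((idx, finding))
    return findings

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule on its own is noisy in real environments (installers legitimately run from scripts); the value is in correlating all three from the same PowerShell process within a short window.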