A global phishing program used never-before-seen malware strains distributed by specially-tailored lures to attack global organizations across a broad range of industries. According to a Mandiant report released today, the attacks targeted at least 50 organizations from a diverse range of sectors in two waves, on December 2nd and between December 11th and 18th.
UNC2529 is the name of the threat actors behind the malware, who are identified as "experienced and well-resourced." Organizations in the United States, the EMEA zone, Asia, and Australia have been attacked in two waves so far.
Threat actors would also pose as account executives touting services suitable for various industries, such as security, medication, transportation, the military, and electronics, in phishing messages sent to prospective victims.
The global phishing scheme was controlled by over 50 domains in total. UNC2529 hacked a domain owned by a US heating and cooling services company, tampered with its DNS data, and used this structure to conduct phishing attacks against at least 22 entities in one successful attack. The lure emails included links to URLs that led to malicious.PDF payloads and a JavaScript file stored in a.zip folder. The records, which were obtained from public databases, were compromised to the point that they were unreadable, prompting victims to double-click the.js file in an effort to read the content.
"The threat actor made extensive use of obfuscation and file-less malware to complicate detection to deliver a well-coded and extensible backdoor," Mandiant said.
The threat group used phishing emails with links to a JavaScript-based downloader (labeled DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (labeled DOUBLEDROP) from attackers' command-and-control (C2) servers during the two waves of attacks. The DOUBLEDROP dropper includes 32-bit and 64-bit versions of the DOUBLEBACK backdoor, which is implemented as a PE dynamic library.
"The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them," Mandiant notes. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines."
