Security researchers have uncovered a sophisticated global phishing campaign featuring three new malware families, which landed back in December last year.
Mandiant observed two waves of the campaign, beginning December 2, targeting nearly 50 organizations around the world. It tracked the financially motivated threat group as UNC2529.
“Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of the malware, this threat actor appears experienced and well resourced,” the security vendor noted.
The group appears to have taken time to craft its emails so they appeared legitimate to individual recipients, and used scores of domains to support its efforts.
The three new malware strains identified by Mandiant have been named "Doubledrag," "Doubledrop" and "Doubleback." UNC2529 apparently deployed heavy obfuscation and fileless malware techniques to keep them hidden.
Doubledrag is a heavily obfuscated JavaScript downloader. Doubledrop is a second-stage memory-only dropper containing a heavily obfuscated PowerShell script that launches a backdoor into memory. This backdoor is Doubleback.
The campaign itself targeted mainly US organizations — accounting for 74% of victims in the first phase and 68% in the second — but a number of targets in EMEA and APAC were also on the hit list.
Unfortunately, Doubleback was judged by Mandiant to be a “work in progress” and one likely to be used again in future campaigns by UNC2529.
“Almost 50 domains supported various phases of the effort, targets were researched, and a legitimate third-party domain was compromised,” the security firm concluded.
“The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well-coded and extensible backdoor. UNC2529 is assessed as capable, professional and well-resourced. The identified wide-ranging targets, across geography and industry suggests a financial crime motive.”