Researchers on FireEye’s cybersecurity team have recently announced that in December a phishing campaign run by the UNC2529 hacking group swept across financial, medical, communications, and other organizations around the world in two waves, using custom phishing lures to spread three new malware strains: Doubledrag, Doubledrop, and Doubleback.

UNC2529 is an experienced hacking group that has targeted multiple industries across multiple regions. They refined their attack types and vectors to make their emails look legitimate, increasing the chances that targeted victims would infect their own systems.

During this campaign, the attackers targeted 50 well-known organizations across a wide range of industries globally. The security team suspects that the group built its own set of malicious tools and had the expertise and resources needed to carry out a campaign of this scale.

In the attack waves on December 2nd and between December 11th and 18th, 2020, UNC2529 compromised a domain owned by a US heating and cooling firm and changed its DNS record. The same infrastructure was also used to conduct phishing attacks against 22 other organizations. The attackers’ emails contained URL links that led to a Zip archive holding PDF files as well as a JavaScript file. The documents, obtained from public sources, were deliberately tampered with to entice victims to double-click the .js file, which contained the disguised “Doubledrag” loader. Some emails instead carried an Excel file whose macro delivered the same malicious payload. Once launched, Doubledrag attempts to fetch the dropper, “Doubledrop”, an obfuscated PowerShell script that loads the backdoor “Doubleback” onto the infected device; the backdoor is the final component of this new malware. After gaining control, the attackers load their plugins and establish communication with the command-and-control (C2) servers. Mandiant experts also noted that only one loader component is written to the filesystem, which makes the malware difficult to detect, even with antivirus software.
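Two defensive checks that follow from the chain described above, written as an added example rather than code from FireEye or Mandiant: the first flags a Zip attachment that pairs decoy documents with a double-clickable script file (the PDF-plus-.js lure), and the second flags process telemetry in which a Windows script host launches PowerShell (the Doubledrag-to-Doubledrop hand-off). The sample archive and the Sysmon-style event records are constructed here, and the field names are an assumption.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that the Windows script host executes on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return PurePosixPath(win_path.replace("\\", "/")).name.lower()


def suspicious_archive_members(data: bytes) -> list[str]:
    """Return script members of a zip that also carries documents (the lure layout)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    exts = {PurePosixPath(n).suffix.lower() for n in names}
    if not exts & DOC_EXTS:          # documents only, or scripts only: not this lure
        return []
    return [n for n in names if PurePosixPath(n).suffix.lower() in SCRIPT_EXTS]


def script_host_spawned_powershell(events: list[dict]) -> list[dict]:
    """Return process-creation events where wscript/cscript started PowerShell."""
    return [ev for ev in events
            if _basename(ev["parent_image"]) in SCRIPT_HOSTS
            and _basename(ev["image"]) in POWERSHELL]


def build_sample_zip() -> bytes:
    """Constructed attachment mimicking the lure layout; the .js body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2020-12.pdf", b"%PDF-1.4 decoy")
        zf.writestr("invoice_2020-12.pdf.js", "// placeholder, not a real loader\n")
    return buf.getvalue()


# Constructed telemetry modelled on Sysmon event ID 1 fields (assumed names).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice_2020-12.pdf.js"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoProfile -File <placeholder>.ps1"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]
```

In a SIEM the second check is the higher-value alert: a user opening a decoy PDF never causes a script host to spawn PowerShell.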

Aside from that, the attackers in this phishing campaign mainly targeted organizations in the United States, Europe, the Middle East, Africa, Australia, and Asia. However, the researchers are still unsure of the true motives behind this phishing operation. They did note that such wide coverage across sectors and regions is consistent with the most common goal of these campaigns, financial gain.

By – Navya Swarup

Campus Ambassador, WCSF