Three New Malware Strains seen in Phishing Campaign

It has been a busy couple of days for reports coming from security firm FireEye. Last week this publication covered the use of the FiveHands ransomware strain by a financially motivated group tracked as UNC2447. This week a new report published by the firm details an attack campaign carried out by yet another financially motivated group, tracked as UNC2529. The campaign was discovered by researchers in December 2020 and is notable for several reasons, chiefly that three new malware strains were observed in use.

The attack campaign began with a concerted email phishing campaign. FireEye researchers saw phishing emails sent to 28 organizations. It is safe to assume that more than 28 organizations were targeted, since the 28 observed are likely only those organizations where FireEye has visibility into the infrastructure. Emails were sent from 26 unique addresses linked to a single domain, tigertigerbeads[.]com, and contained inline links to malicious URLs such as hxxp://totallyhealth-wealth[.]com/downld-id_mw<redacted>Gdczs, engineered to entice the victim into downloading a file containing a malicious payload. While the emails were sent from one domain, the links were tracked to at least 24 different domains.

If the recipient visited the link in the email and downloaded the malicious payload, they would be presented with a nondescript PDF file. This file contains a heavily obfuscated JavaScript downloader, which FireEye tracks as the first of the three new malware strains and has named DOUBLEDRAG.

The PDF documents were taken from legitimate websites but corrupted by removing bytes, rendering them unreadable in a standard PDF viewer. Researchers believe that when the victim attempts to launch the JavaScript file, it is executed locally on the victim's machine by Windows Script Host. Over the course of the campaign, researchers noted that the DOUBLEDRAG tactics were modified so that,

“the DOUBLEDRAG downloader observed in the first wave was replaced with a Microsoft Excel document containing an embedded legacy Excel 4.0 (XLM) macro in Excel 97-Excel 2003 Binary file format (BIFF8). When the file was opened and the macro executed successfully, it would attempt to download a second-stage payload from hxxps://towncentrehotels[.]com/ps1.dat. The core functionality of the DOUBLEDRAG JavaScript file and the BIFF8 macro is to download a file from a hardcoded URL. This Excel file was also found within Zip files, as seen in the first wave, although only one of the observed Zip files included a corresponding corrupt decoy PDF document.”
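As an added example (not code from FireEye's report or from the campaign), the following Python script performs the structural checks a triage analyst could run on such a decoy: it verifies the PDF header, the end-of-file marker and the startxref pointer, all of which a byte-stripped copy of a legitimate document fails, and flags embedded JavaScript action names. The sample PDF and the corruption applied to it are constructed inline.

```python
import re

def build_sample_pdf() -> bytes:
    """Construct a minimal well-formed PDF (a stand-in for a legitimate decoy, not a campaign file)."""
    body = (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
    xref = (b"xref\n0 3\n0000000000 65535 f \n"
            b"0000000009 00000 n \n0000000058 00000 n \n")
    trailer = b"trailer\n<< /Size 3 /Root 1 0 R >>\n"
    # startxref must hold the byte offset of the 'xref' keyword; computed rather than hard-coded.
    return body + xref + trailer + b"startxref\n" + str(len(body)).encode() + b"\n%%EOF\n"

def triage_pdf(data: bytes) -> dict:
    """Structural checks separating a readable PDF from a byte-stripped decoy or a script carrier."""
    findings = {
        "has_header": data.startswith(b"%PDF-"),
        "has_eof": b"%%EOF" in data[-1024:],
        "xref_pointer_ok": False,
        # Names a viewer would act on; a plain decoy document has no reason to carry them.
        "has_javascript": bool(re.search(rb"/JavaScript|/JS\b|/OpenAction", data)),
    }
    m = re.search(rb"startxref\s+(\d+)", data)
    if m:
        off = int(m.group(1))
        # Removing bytes anywhere before the xref table shifts it, so the pointer no longer lands on it.
        findings["xref_pointer_ok"] = data[off:off + 4] == b"xref"
    if findings["has_javascript"]:
        findings["verdict"] = "embedded_script"
    elif not (findings["has_header"] and findings["has_eof"] and findings["xref_pointer_ok"]):
        findings["verdict"] = "corrupt_decoy"
    else:
        findings["verdict"] = "ok"
    return findings

if __name__ == "__main__":
    good = build_sample_pdf()
    hole = good[:40] + good[60:]   # bytes removed from the middle, as with the campaign's decoys
    truncated = good[:-20]         # trailing startxref / %%EOF stripped
    for name, blob in (("good", good), ("hole", hole), ("truncated", truncated)):
        print(name, triage_pdf(blob)["verdict"])
```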

Before the second new malware strain was dropped in earnest, researchers noted,

“Prior to the second wave, observed between Dec. 11 and Dec. 18, 2020, UNC2529 hijacked a legitimate domain owned by a U.S. heating and cooling services company, modified DNS entries and leveraged that infrastructure to phish at least 22 organizations, five of which were also targeted in the first wave. It is not currently known how the legitimate domain was compromised. The threat actor used 20 newly observed domains to host the second-stage payload.”

The second wave of the campaign is characterized by the downloading of the newly discovered malware strain DOUBLEDROP, best described as a memory-only dropper. The file that DOUBLEDRAG fetches is a heavily obfuscated PowerShell script that launches a backdoor in memory. The third stage of the campaign is characterized by the dropping and installation of the third discovered strain, tracked as DOUBLEBACK, which operates as a backdoor granting the attackers persistent access to the victim's machine.

Targeted Attack Campaign

Emails were sent in a highly targeted manner: of the emails seen being sent by the attackers, the sender address and subject lines were tailored to the specific victim. As an example, UNC2529 used a unique username, masquerading as an account executive for a small California-based electronics manufacturing company. FireEye identified the company through a simple Internet search; a victim could have done the same and wrongly concluded that the email came from a legitimate source and was in all likelihood not malicious. In other emails, the attackers masqueraded as the account executive of the California-based electronics company and targeted companies in the medical, electronics, automotive, and military sectors.

The attack not only targeted a wide array of companies across varied economic sectors but was also global in scope. In the first wave the US was the primary target, accounting for 74% of victims, while the remaining victims were located in Europe, Asia, Australasia, the Middle East, and Africa. In the second wave the US was still the primary target at 68%, but a sharp increase in attacks on organizations in Europe, the Middle East, and Africa was seen. The exact objective of the attacks is still unclear; however, researchers believe that the broad targeting across industries and geographies is consistent with the targeting practices most commonly seen among financially motivated groups.

When an attack campaign drops ransomware or a banking trojan as the final payload, the objective is clear. In this instance the final payload was a backdoor, which gives the attackers the ability to drop other malware strains in the future if it is not remediated. If that were to happen, the objectives of UNC2529 would suddenly become a lot clearer.

While the objectives of the campaign are not clear, researchers highlighted the threat it poses. It was clear to them that a lot of time and effort went into both the campaign's distribution and the malware itself. To this end, researchers noted,

“The first backdoor instance we observed back in December 2020 was a stable and well-written code, but it was clearly a work in progress. For example, the early instance of the malware spawns a thread to secure delete the DOUBLEDROP dropper from disk which indicates that an earlier variant of this malware launched a copy of the dropper from the file system. The dropper would save its current location on disk in the default registry value under the HK[LM|CU]:\Software\Classes key. The backdoor spawns a dedicated thread that retrieves the dropper’s path and then proceeds to overwrite the image on disk with 0x00, 0xFF, and a randomly generated byte before deleting the dropper from the file system.”
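The registry artifact described in the quote is something a defender can hunt for. The following Python example, added here and not part of FireEye's report, runs that check over constructed Sysmon-style registry value-set events (Event ID 13): an on-disk path written into the default value of the root HKLM or HKCU Software\Classes key is flagged, while ordinary file-type associations under subkeys are ignored. The log format, SIDs and paths are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample events in a simplified Sysmon Event ID 13 (registry value set) style;
# illustrative lines only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    # Benign: a file-type association under a subkey of Classes.
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\Software\Classes\.txt\(Default) Details=txtfile",
    # Suspicious: a script host writes an on-disk path into the root Classes default value (HKCU appears as HKU\<SID>).
    r"EventID=13 Image=C:\Windows\System32\wscript.exe TargetObject=HKU\S-1-5-21-1000-5000-7000-1001\Software\Classes\(Default) Details=C:\Users\user\AppData\Local\Temp\stage2.dat",
    # Benign: root default value explicitly cleared.
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\Software\Classes\(Default) Details=(Empty)",
    # Unrelated registry write (a Run key), not in scope for this artifact.
    r"EventID=13 Image=C:\Program Files\App\app.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\App Details=C:\Program Files\App\app.exe",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Root Software\Classes key in HKLM, HKCU, or the HKU\<SID> form Sysmon uses for a user hive.
CLASSES_DEFAULT_RE = re.compile(r"^HK(LM|CU|U\\[^\\]+)\\Software\\Classes\\\(Default\)$", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")

def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def check_event(event: dict) -> Optional[str]:
    """Return an alert string when a value-set event matches the dropper-path artifact, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not CLASSES_DEFAULT_RE.match(target):
        return None
    if not WIN_PATH_RE.match(details):
        return None   # empty or non-path data in the default value is normal
    return f"Software\\Classes default value set to on-disk path {details} by {event.get('Image')}"

def hunt(lines) -> list:
    """Run the check over a sequence of event lines and collect alerts."""
    return [alert for alert in (check_event(parse_event(l)) for l in lines) if alert]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```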

As to the resources used in conducting the campaign, researchers noted,

“Considerable resources were employed by UNC2529 to conduct their December phishing campaign. Almost 50 domains supported various phases of the effort, targets were researched, and a legitimate third-party domain was compromised. The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well-coded and extensible backdoor. UNC2529 is assessed as capable, professional and well resourced. The identified wide-ranging targets, across geography and industry, suggest a financial crime motive.”

Researchers concluded that the backdoor, DOUBLEBACK, appears to be a work still in progress. This should not lead readers to believe that the group poses little or no threat. Based on the resources used and the sophistication of the malware deployed, UNC2529 could pose a significant risk to organizations going forward. The group has proved capable of gaining initial access to networks and installing not one but three separate pieces of malware on victims' machines. In the future, this access could easily be leveraged to drop banking trojans, as one example, or to steal data for a variety of other income-generating purposes.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.