
Researchers have found three new malware families used in a widespread, financially motivated phishing campaign. On Tuesday, FireEye's Mandiant team said the strains, dubbed DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK, were first detected in December 2020.

What Mandiant called a "trifecta" spear-phishing campaign hit a wide swath of industries around the world in two waves: the first on December 2, 2020, and the second between December 11 and December 18, 2020. The United States was the main target in both waves, while organizations in EMEA, Asia and Australia were also hit in the first wave.

Before the second wave, UNC2529 (the designation Mandiant gave to the threat actor behind this campaign) hijacked a legitimate domain owned by a U.S. heating and cooling services company, modified its DNS entries and used that infrastructure to impersonate at least 22 organizations, five of which had also been targeted in the first wave. How the legitimate domain was compromised is still unknown. The threat actor used 20 newly observed domains to host the second-stage payload.

The attacks used specially tailored phishing emails containing a link to download a malicious payload: an obfuscated JavaScript downloader (DOUBLEDRAG). Once run, the downloader connects to its command-and-control (C2) server and retrieves DOUBLEDROP, a memory-only dropper implemented as a PowerShell script that carries both 32-bit and 64-bit instances of the DOUBLEBACK backdoor. The dropper then performs initial setup to establish persistence for the backdoor on the compromised system, injects the backdoor into its own process (PowerShell.exe) and executes it. Because DOUBLEBACK only ever lives in memory, the on-disk artifacts a defender can look for are the JavaScript downloader, the PowerShell dropper script and whatever the dropper writes to establish persistence.
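
As an added illustration (not code from the original article or from Mandiant), the following Python script shows how a defender could hunt for the DOUBLEDRAG-to-DOUBLEDROP hand-off in process-creation logs. It assumes the downloader is executed by Windows Script Host (the default handler for .js files on Windows) and scores a script host launching a .js from a user-writable path followed by a hidden or encoded powershell.exe child. The events, paths, PIDs and command lines are constructed for the example; the flag list and path patterns are the editor's heuristics, not indicators published for this campaign.

```python
"""Hunt for the DOUBLEDRAG -> DOUBLEDROP chain in process-creation telemetry.

Heuristic, not a signature: the chain described above is a JavaScript
downloader run from a phishing link that launches a PowerShell dropper.
On a default Windows install a .js file is executed by Windows Script Host
(wscript.exe / cscript.exe), so the observable is "script host running a .js
from a user-writable path" followed by "powershell.exe as its child".
"""
import re

# Constructed sample events in a simplified Sysmon Event ID 1 shape.
# These are NOT real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 300,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
    # victim opens the downloaded .js from the phishing link
    {"pid": 1002, "ppid": 1001,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice_dec2020.js"'},
    # downloader hands off to a hidden, encoded PowerShell dropper
    {"pid": 1003, "ppid": 1002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAIAAo..."},
    # benign look-alike: a domain logon script that also spawns PowerShell
    {"pid": 2001, "ppid": 2000,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "\\dc01\netlogon\mapdrives.js"'},
    {"pid": 2002, "ppid": 2001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File \\dc01\netlogon\sync.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_FILE = re.compile(r"\.jse?\b", re.IGNORECASE)
# user-writable locations a phishing download typically lands in (editor's list)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\|\\temp\\", re.IGNORECASE)
# flags commonly used to run a dropper quietly; matched case-insensitively
PS_EVASION_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden",
                    "-nop", "-exec bypass", "-executionpolicy bypass")


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_js_to_powershell_chains(events):
    """Return every powershell.exe whose parent is a script host, with the
    reasons that make the pair look like the downloader -> dropper hand-off.
    Score = number of reasons; 1 means only the parent/child shape matched."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        reasons = ["powershell.exe spawned by Windows Script Host"]
        if JS_FILE.search(parent["cmdline"]) and USER_WRITABLE.search(parent["cmdline"]):
            reasons.append("JavaScript executed from a user-writable path")
        if any(flag in e["cmdline"].lower() for flag in PS_EVASION_FLAGS):
            reasons.append("PowerShell started with hidden/encoded/bypass flags")
        hits.append({"js_pid": parent["pid"], "ps_pid": e["pid"],
                     "score": len(reasons), "reasons": reasons})
    return hits


def high_confidence(events, threshold=3):
    """Keep only chains where every heuristic fired."""
    return [h for h in find_js_to_powershell_chains(events) if h["score"] >= threshold]


if __name__ == "__main__":
    for hit in high_confidence(SAMPLE_EVENTS):
        print(f"ALERT js_pid={hit['js_pid']} ps_pid={hit['ps_pid']}: "
              + "; ".join(hit["reasons"]))
```

On the constructed sample both script-host-to-PowerShell pairs are returned by find_js_to_powershell_chains, but only the phishing chain (a .js under the user's Downloads folder followed by a hidden, encoded PowerShell child) reaches the threshold in high_confidence; the logon script scores 1 and is left for triage rather than alerting. Because the dropper runs entirely in memory, the PowerShell process creation is the last reliable on-host event before DOUBLEBACK is injected, which is why the hunt anchors on that hand-off rather than on a file hash.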

There are indications that the malware is still under development: the existing code checks for the presence of antivirus products such as those from Kaspersky and BitDefender, but even when one is detected, no action is taken. For now, the best defence is simply not to fall for the phishing emails that deliver it.

See also:
Spear Phishing attempt of data theft
What types of Phishing can we find?

