A global phishing attack was discovered in December 2020: the method was

Mandiant, the research arm of FireEye, has found that a global phishing campaign using never-before-seen malware was run against at least 50 companies in two separate waves: December 2, 2020 and December 11-18, 2020.

Mandiant researchers are tracking UNC2529, the “unclassified” threat group behind the campaign, and have found that it uses its own phishing lures to deploy three new malware families on target computers.

Using downloaders and backdoors

The malware used by UNC2529 evades detection by running a heavily obfuscated payload entirely in memory.

Mandiant states that “the attack methodology makes heavy use of obfuscation and fileless malware to make detection difficult, and uses extensible backdoors.”

Across the two waves, the group used either a JavaScript-based downloader (called DOUBLEDRAG) or a phishing email linking to an Excel document with embedded macros; in both cases the first stage downloads an in-memory PowerShell-based dropper (called DOUBLEDROP) from the attacker’s command and control (C2) server.

What is a downloader/dropper? What is the difference?

The DOUBLEDROP dropper bundles 32-bit and 64-bit instances of a backdoor (named DOUBLEBACK) implemented as a PE dynamic-link library (DLL).

The backdoor is injected into the PowerShell process spawned by the dropper.

In the next step, the DOUBLEBACK backdoor loads its plugin and contacts the C2 server to retrieve the commands to be executed on the infected device.

In this chain, only the downloader ever touches the file system. The remaining components are serialized into the registry, which makes them harder to detect, especially for file-based anti-virus engines.
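Two hunting heuristics a defender can run over endpoint telemetry for a chain like the one described above, written as an added example for this article (not code from Mandiant or from the report): the first flags a script host launching PowerShell with an encoded or hidden command line (the downloader-to-in-memory-dropper hand-off), the second flags registry values that hold large, high-entropy base64 blobs, which is where a fileless chain may keep later-stage components instead of on disk. All sample events and registry entries are constructed, and the script-host names, registry paths and thresholds are assumptions, not indicators taken from the report.

```python
"""Hunting heuristics for a fileless downloader -> PowerShell dropper -> registry-resident chain.

Added example; the process names, registry paths and thresholds below are
assumptions for illustration, not indicators from the Mandiant report.
"""
import base64
import binascii
import hashlib
import math
import re

# Assumed Windows script hosts that a JavaScript-based downloader would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line switches typical of an in-memory PowerShell stage.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|\biex\b|invoke-expression)"
)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_events(events):
    """Return process-creation events where a script host spawns PowerShell with suspicious arguments."""
    hits = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        if parent in SCRIPT_HOSTS and child in POWERSHELL and SUSPICIOUS_ARGS.search(ev["command_line"]):
            hits.append(ev)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads score near 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_registry_blobs(values, min_len=2048, min_entropy=5.0):
    """Return registry values that look like stored payloads: long, base64-decodable and high-entropy."""
    hits = []
    for v in values:
        data = v["data"]
        if len(data) < min_len or not BASE64_RE.match(data):
            continue
        try:
            raw = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            continue
        if shannon_entropy(raw) >= min_entropy:
            hits.append(v)
    return hits


# --- constructed sample telemetry (not real indicators) ---
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},   # admin script, benign parent
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},                          # script host, but not PowerShell
]

# Deterministic pseudo-random 3200-byte blob standing in for a stored stage.
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(100))
SAMPLE_REGISTRY = [
    {"key": r"HKCU\Software\Example\Config", "name": "stage2",
     "data": base64.b64encode(_BLOB).decode()},                          # long and high-entropy
    {"key": r"HKCU\Software\Example\Config", "name": "banner",
     "data": base64.b64encode(b"A" * 3000).decode()},                    # long but low-entropy
    {"key": r"HKCU\Software\Example\Config", "name": "install_path",
     "data": r"C:\Program Files\Example\app.exe"},                       # ordinary string value
]


def hunt(events, values):
    """Run both checks and return the names of what they flagged."""
    return {
        "processes": [_basename(e["image"]) for e in flag_process_events(events)],
        "registry": [v["name"] for v in flag_registry_blobs(values)],
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS, SAMPLE_REGISTRY))
```

The entropy threshold is what separates a stored, encoded payload from a long but legitimate base64 value such as a certificate or a serialized settings blob; tune `min_len` and `min_entropy` against a baseline of your own hosts before alerting on them.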

Phishing email techniques

UNC2529 is known to have built considerable infrastructure for its attacks, using roughly 50 domains to deliver phishing emails.

UNC2529 also spent a great deal of effort tailoring each attack to its target so that the emails would appear to come from the recipient’s business partners and customers.

Mandiant notes that this tailoring increased the likelihood that recipients would open the booby-trapped emails and become infected.

According to Mandiant, “We have identified seven phishing emails that impersonate executives and target the medical industry, high-tech electronics, automotive and military equipment manufacturers, and cleared defense contractors with subject lines about the products of a California-based electronics manufacturing company.”

While the group’s primary target was the United States, organizations in EMEA (Europe, Middle East, and Africa), Asia, and Australia were also targeted; such broad targeting across industries and geographies is consistent with behavior often seen in financially motivated groups.

The scope and targets of the two phishing waves are shown in the figure below: 74% of the targeted organizations were in the US, while 13% were in Asia, which includes Japan.

“The DOUBLEBACK campaign appears to be ongoing, and Mandiant anticipates that UNC2529 will take further action to compromise victims in all industries around the world,” the researchers conclude.

Indicators of compromise (IoCs), such as malware hashes and the domains used to deliver the phishing emails, are listed at the end of the Mandiant report.