A new financially motivated threat actor, tracked by FireEye Experts as UNC2529. The group targeted the organization with phishing attacks aimed at spreading at least three new sophisticated malware strains.

The three new malware families employed in the attacks are tracked as DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK.

The phishing messages include links to a malicious website that serves the malware,
“UNC2529 displayed indications of target research based on their selection of sender email addresses and subject lines which were tailored to their intended victims.”

The analysis of the malware strains involved in the attacks revealed that DOUBLEDRAG is a first-stage payload used to download additional threats. In some attacks, the threat actors used weaponized Excel documents as a downloader.

Upon executing DOUBLEDRAG, it will connect to a C&C server and fetch the PowerShell script DOUBLEDROP, a memory-only dropper that deploys the DOUBLEBACK backdoor.

DOUBLEDRAG reaches out to its C2 server and downloads a memory-only dropper. The dropper, DOUBLEDROP, is implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the backdoor DOUBLEBACK.

The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well coded and extensible backdoor. UNC2529 is assessed as capable, professional and well resourced.

The identified wide-ranging targets, across geography and industry suggests a financial crime motive.” concludes the report which also included indicators of compromise and other technical indicators for the attacks. Its still work in progress… Earlier stage of development