The three new malware strains identified by Mandiant

On Tuesday, the Mandiant team said the malware strains, dubbed Doubledrag, Doubledrop, and Doubleback, were detected in December 2020. The threat actors behind the malware, described as “experienced and well-resourced,” are being tracked as UNC2529.

The US was the primary target for attacks in both waves, while EMEA, Asia and Australia each accounted for an equal share of the remaining targets in the first wave. Mandiant tracks the threat actor as UNC2529 and says that these guys are pros. Given the “considerable” infrastructure they have at their disposal, their carefully crafted phishing lures, and what the researchers called the “professionally coded sophistication” of the malware, the team says that the UNC2529 attackers seem “experienced and well-resourced.”

The three new malware strains identified by Mandiant have been named “Doubledrag,” “Doubledrop” and “Doubleback.” UNC2529 apparently deployed heavy obfuscation and fileless malware techniques to keep them hidden.

Doubledrag is a heavily obfuscated JavaScript downloader. Doubledrop is the second stage: a memory-only dropper built around a heavily obfuscated PowerShell script that establishes a foothold on the infected machine by loading a backdoor into memory. That backdoor is the third strain, Doubleback.

The campaign itself targeted mainly US organizations — accounting for 74% of victims in the first phase and 68% in the second — but a number of targets in EMEA and APAC were also on the hit list.

Unfortunately, Doubleback was judged by Mandiant to be a “work in progress” and one likely to be used again in future campaigns by UNC2529.

“Almost 50 domains supported various phases of the effort, targets were researched, and a legitimate third-party domain was compromised,” the security firm concluded.

The threat actors also worked hard to obfuscate the malware components. One tactic was the use of fileless malware, which runs in memory after the initial infection rather than writing files to disk. According to analysis of telemetry data from Cisco, fileless malware was the most common critical-severity cybersecurity threat to endpoints during the first half of 2020. This use of fileless malware helped the attackers evade detection so that they could deliver what Mandiant called “a well coded and extensible backdoor.”
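The chain described above (a JavaScript downloader run by a Windows script host that hands off to an obfuscated, memory-only PowerShell stage) leaves little on disk, but it still leaves a process-creation trail. The script below is an added example written for this page, not Mandiant's code and not derived from the real samples: it scores process-creation events on the indicators a defender would look for in that trail. The `key=value` event format, the helper names (`parse_event`, `analyze_event`, `scan`) and every sample event are constructed for the example, and the thresholds are assumptions to tune against your own baseline.

```python
"""Heuristic scoring of process-creation events for the script-host -> PowerShell
in-memory execution pattern. Added example; event format and samples are constructed."""
import base64
import re

# Windows script hosts that a JavaScript downloader would run under
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the payload is base64 of UTF-16LE
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE_FLAG = re.compile(r"-nop(?:rofile)?\b", re.I)
INMEM_EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# Cheap obfuscation markers: string splicing, [char] casts, -join, backtick escapes
OBFUSCATION = re.compile(r"`|\[char\]|-join|'\s*\+\s*'", re.I)

# One event per line: Key=value or Key="value with spaces" (constructed format)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return a dict of fields from one constructed event line."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload back to the script text, or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def obfuscation_hint(script, threshold=3):
    """True when the decoded script carries several obfuscation markers (threshold is assumed)."""
    return len(OBFUSCATION.findall(script)) >= threshold


def analyze_event(event):
    """Collect indicators for one event; score is simply the number of indicators hit."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("script host spawned PowerShell")
    if HIDDEN_FLAG.search(cmd):
        findings.append("hidden window")
    if NOPROFILE_FLAG.search(cmd):
        findings.append("profile suppressed")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded command")
        if INMEM_EXEC.search(decoded):
            findings.append("in-memory execution (IEX) in decoded script")
        if obfuscation_hint(decoded):
            findings.append("obfuscation markers in decoded script")
    elif INMEM_EXEC.search(cmd):
        findings.append("in-memory execution (IEX) on command line")
    return {"parent": parent, "image": image, "findings": findings, "score": len(findings)}


def scan(lines, min_score=3):
    """Return the analyses whose score reaches min_score (an assumed alerting threshold)."""
    results = (analyze_event(parse_event(line)) for line in lines)
    return [r for r in results if r["score"] >= min_score]


def _encode(script):
    """Build a constructed -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample script: harmless Write-Host, spliced and cast to mimic obfuscation
OBFUSCATED_SAMPLE = "$s = 'Wr'+'ite-Ho'+'st'; $t = [char]99 + [char]111; IEX ($s + ' constructed-sample')"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    f'ParentImage=C:\\Windows\\System32\\wscript.exe Image={PS} '
    f'CommandLine="powershell.exe -nop -w hidden -enc {_encode(OBFUSCATED_SAMPLE)}"',
    f'ParentImage=C:\\Windows\\explorer.exe Image={PS} '
    f'CommandLine="powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"',
    f'ParentImage=C:\\Windows\\System32\\cmd.exe Image={PS} '
    f'CommandLine="powershell.exe -EncodedCommand {_encode("Get-Date")}"',
    'ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe readme.txt"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['parent']} -> {alert['image']} score={alert['score']}: {alert['findings']}")
```

Scoring by counting indicators keeps the logic transparent: a lone `-NoProfile` or a single encoded command (both common in legitimate administration) stays below the alert threshold, while the script-host parent, hidden window, encoded command and `IEX` in the decoded text together do not.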