Cyber Crime

UNC2529, a new sophisticated cybercrime gang that targets U.S. orgs with 3 malware

A new cybercrime gang, tracked as UNC2529, has targeted many organizations in the US and other countries using new sophisticated malware.

A new financially motivated threat actor, tracked by FireEye Experts as UNC2529, has targeted many organizations in the United States and other countries using several new pieces of malware.

The group targeted the organization with phishing attacks aimed at spreading at least three new sophisticated malware strains. The attackers, who appear experienced and well resourced, employed custom lures and showed a professionally coding of their malware.

FireEye’s Mandiant unit observed two distinct waves of attacks carried out by the cybercrime group in December 2020.

The three new malware families employed in the attacks are tracked as DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK.

The first wave of attacks aimed at 28 organizations, while at least other 22 entities were hit in the second wave, most of them in the US. The phishing messages include links to a malicious website that serves the malware, experts pointed out that the emails had subject lines that were customized for each targeted organization.

“UNC2529 displayed indications of target research based on their selection of sender email addresses and subject lines which were tailored to their intended victims.” states the analysis published by FireEye. “For example, UNC2529 used a unique username, masquerading as an account executive for a small California-based electronics manufacturing company, which Mandiant identified through a simple Internet search.”

At the time of the report, although Mandiant has no evidence about the purposes of the attacks, the broad targeting across multiple industries and the choosing of targets of a global scale, suggests that the attackers could be financially motivated.

The groups targeted organizations in the business services, financial, health, retail/consumer, aero-military, engineering and manufacturing, government, education, transportation, and utilities industries.

The analysis of the malware strains involved in the attacks revealed that DOUBLEDRAG is a first-stage payload used to download additional threats. In some attacks, the threat actors used weaponized Excel documents as a downloader.

Upon executing DOUBLEDRAG, it will connect to a C&C server and fetch the PowerShell script DOUBLEDROP, a memory-only dropper that deploys the DOUBLEBACK backdoor.

“Once executed, DOUBLEDRAG reaches out to its C2 server and downloads a memory-only dropper. The dropper, DOUBLEDROP, is implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the backdoor DOUBLEBACK.” continues the report.

Experts pointed out that attackers made extensive use of obfuscation and fileless malware to evade the detection. The backdoor employed in the attack is very sophisticated and it is designed to extend its capabilities.

“The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well coded and extensible backdoor. UNC2529 is assessed as capable, professional and well resourced. The identified wide-ranging targets, across geography and industry suggests a financial crime motive.” concludes the report which also included indicators of compromise and other technical indicators for the attacks.

“DOUBLEBACK appears to be an ongoing work in progress and Mandiant anticipates further actions by UNC2529 to compromise victims across all industries worldwide.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UNC2529)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Threat actor attempts to sell 30 million customer records allegedly stolen from TEG

A threat actor is offering for sale customer data allegedly stolen from the Australia-based live…

4 hours ago

Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

17 hours ago

Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995

Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly…

17 hours ago

US government sanctions twelve Kaspersky Lab executives

The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned twelve Kaspersky Lab executives for their…

1 day ago

Experts found a bug in the Linux version of RansomHub ransomware

The RansomHub ransomware operators added a Linux encryptor to their arsenal, the version targets VMware…

2 days ago

UEFICANHAZBUFFEROVERFLOW flaw in Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC and server models

A serious vulnerability (CVE-2024-0762) in the Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC…

3 days ago

This website uses cookies.