A new cyber criminal gang with new malware has entered the global cyber threat landscape. The cyber criminal gang, also known as UNC2529 is targeting several organizations with a new malware called DoubleDrag, DoubleDrop, and DoubleBack.

According to the report published by ZDNet, researchers have found this new malware targeting organizations worldwide in a widespread specially tailored phishing campaign.

Take a Moment to Stay Tuned Forever

Subscribe to get weekly cyber security updates!


About the Campaign:

  • The prime target of the campaign is the US. However, organizations in the EMEA region, Asia, and Australia have also been targeted in two separate phishing waves.
  • The UNC2529 cyber criminal group used over 50 domains to deliver custom-tailored phishing campaigns, spreading DoubleDrag, DoubleDrop, and DoubleBack malware.
  • Phishing messages include links to a JavaScript-based downloader, which is identified as DoubleDrag, or a document embedded with a macro.
  • The subject line of the phishing emails was tailored based on the industry that includes medicine, transport, defense, the military, and electronics. 
  • 28 organizations were targeted in the first wave. Moreover, other 22 organizations were targeted in the second wave. These organizations were mostly from the US.

The Sequence

Steps based on the two phishing wave:

  • The First Step: The cyber criminal group sends a phishing email with malicious links to a JavaScript-based downloader, which is identified as DoubleDrag, or a document embedded with a macro.
  • The Second Step: Consequently, the malicious document embedded with a macro connects to a C2 (C&C) server and collects PowerShell-based dropper, which is identified as DoubleDrop.
  • The Third Step: This DoubleDrop dropper comes for both the version that is 32-bit and 64-bit operating system that deploys the DoubleBack backdoor. That is implemented as a Portable Executable (PE) dynamic library and injected into the PowerShell process.

Moving Forward

As of now, there is no clear indication of what the malicious actors are thinking to achieve with the phishing campaigns. However, observing their targeted industries and geo-locations indicates that the new cyber criminal group is targeting organizations with the new malware with financial intentions. Moreover, it also shows that this new malware is not going anywhere soon and will be targeting more industries and nations in the future.

Turn Your Employees Into A Cyber Threat Shield

Make your employees proactive against prevailing cyber attacks with ThreatCop!

Leave a comment

Your email address will not be published. Required fields are marked *