Blueliv Intelligence Briefing

Your cybersecurity news summary

Thursday, May 20th, 2021

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Three novel malware strains delivered worldwide by phishing

UNC2529, as Mandiant threat researchers track the "uncategorized" threat group behind this campaign, has deployed three new malware strains onto targets' computers using custom phishing lures. UNC2529 used considerable infrastructure to pull off its attacks, with roughly 50 domains delivering the phishing emails. The group also invested time in tailoring its attacks to the targeted victims, in an evident attempt to make its emails pass as legitimate messages from business partners or clients, thereby increasing the chance that the booby-trapped messages were opened and the targets infected.

Throughout the two waves of attacks, the threat group used phishing emails carrying either a link to a JavaScript-based downloader (dubbed DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (known as DOUBLEDROP) from the attackers' command-and-control (C2) servers. The DOUBLEDROP dropper bundles 32- and 64-bit instances of a backdoor (named DOUBLEBACK) implemented as a PE dynamic library. The backdoor is injected into the PowerShell process spawned by the dropper; it is also designed to later attempt to inject itself into a newly spawned Windows Installer (msiexec.exe) process if Bitdefender's antivirus engine is not running on the compromised computer. In the next stage, the DOUBLEBACK backdoor loads its plugin and reaches out to the C2 server in a loop to fetch commands to execute on the infected device. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system," Mandiant added.
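Because only the downloader touches disk, the infection chain described above is easier to spot in process telemetry than in file scans. The following is an added detection example written for this briefing, not code from Mandiant or Blueliv: it runs over constructed Sysmon-style process-creation events and flags the two parent/child pairings the chain produces (Excel spawning PowerShell for the macro dropper, and PowerShell spawning msiexec.exe as the backdoor's secondary injection target). The event fields and sample process tree are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style fields, assumed shape)."""
    pid: int
    ppid: int
    image: str   # basename of the executable, e.g. "powershell.exe"

# Parent -> child pairings corresponding to the reported chain: an Office macro
# launching the in-memory PowerShell dropper, and that PowerShell process
# spawning Windows Installer as the backdoor's fallback injection target.
SUSPICIOUS_PAIRS = {
    ("excel.exe", "powershell.exe"): "Office macro spawned PowerShell (dropper stage)",
    ("powershell.exe", "msiexec.exe"): "PowerShell spawned Windows Installer (injection target)",
}

def find_suspicious_chains(events):
    """Return (parent_image, child_image, reason) for every event whose parent
    process forms one of the suspicious parent->child pairings."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # parent outside the collection window; pairing cannot be evaluated
        key = (parent.image.lower(), ev.image.lower())  # image names are case-insensitive
        reason = SUSPICIOUS_PAIRS.get(key)
        if reason:
            hits.append((parent.image, ev.image, reason))
    return hits

# Constructed sample telemetry (not from the campaign): a benign Explorer->Excel
# launch, then Excel->PowerShell->msiexec.exe as in the reported chain, plus a
# user-launched msiexec.exe that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(pid=1000, ppid=1, image="explorer.exe"),
    ProcEvent(pid=2000, ppid=1000, image="EXCEL.EXE"),
    ProcEvent(pid=3000, ppid=2000, image="powershell.exe"),
    ProcEvent(pid=4000, ppid=3000, image="msiexec.exe"),
    ProcEvent(pid=5000, ppid=1000, image="msiexec.exe"),  # benign installer run
]

if __name__ == "__main__":
    for parent, child, reason in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {reason}")
```

Pairing rules like these are a starting point; in a real estate they would be tuned against the baseline of legitimate Office-to-PowerShell automation before alerting.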
