5 May 2021

Global phishing campaign targets organizations with three new malware strains

Numerous organizations across the world have been targeted in a widespread phishing campaign that used tailored phishing lures and sophisticated malware, according to a new report from FireEye’s Mandiant threat research team.

The campaign, which Mandiant tracks as UNC2529, hit at least 50 organizations from a wide variety of industries in two waves, on December 2nd and between December 11th and 18th. During the attacks the threat actor deployed three new malware strains that the researchers dubbed DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK.

“Prior to the second wave, observed between Dec. 11 and Dec. 18, 2020, UNC2529 hijacked a legitimate domain owned by a U.S. heating and cooling services company, modified DNS entries and leveraged that infrastructure to phish at least 22 organizations, five of which were also targeted in the first wave. It is not currently known how the legitimate domain was compromised. The threat actor used 20 newly observed domains to host the second-stage payload,” the report reads.

The attacks used specially tailored phishing emails containing a link to download a malicious payload that carried an obfuscated JavaScript downloader (DOUBLEDRAG). Once executed, the downloader connected to its command-and-control server and retrieved DOUBLEDROP, a memory-only dropper implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the DOUBLEBACK backdoor. The dropper then performed the initial setup to make the backdoor persistent on the compromised system, injected the backdoor into its own process (PowerShell.exe) and executed it.

“The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its C2 server and dispatching them. One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines,” the researchers explained.
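Two traits of the chain described above are useful detection hooks for defenders: a script host spawning PowerShell (the JavaScript downloader handing off to the PowerShell dropper), and large encoded blobs being written to the registry (the components that live only in the registry rather than on disk). The following script is an added example, not code from the Mandiant report or from this article. It runs a small detection pass over constructed Sysmon-style JSON events; the field names (EventID, Image, ParentImage, TargetObject, Details), the script-host list, the registry paths and the size and entropy thresholds are all assumptions to be tuned against your own telemetry, and the sample log is constructed, not real data.

```python
# Added example (not from the Mandiant report or this article): offline
# detection over constructed Sysmon-style events for two traits of the chain:
#   1. a script host (where a .js downloader runs) spawning powershell.exe
#   2. a large, high-entropy base64 blob written to a registry value
# Field names, thresholds and paths below are assumptions, not known IoCs.
import base64
import json
import math
import re
from collections import Counter

# Assumption: the JavaScript downloader stage runs under a Windows script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: registry values at least this long and this "random" merit review.
MIN_BLOB_LEN = 512
MIN_ENTROPY_BITS = 4.0
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 of random bytes lands near 6.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def is_script_host_spawning_powershell(ev: dict) -> bool:
    """Sysmon event 1 (process create): script host -> powershell.exe."""
    return (
        ev.get("EventID") == 1
        and _basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS
        and _basename(ev.get("Image", "")) == "powershell.exe"
    )


def is_large_encoded_registry_value(ev: dict) -> bool:
    """Sysmon event 13 (registry value set) carrying a big base64 blob."""
    if ev.get("EventID") != 13:
        return False
    data = ev.get("Details", "")
    if len(data) < MIN_BLOB_LEN or not BASE64_RE.match(data):
        return False
    try:
        base64.b64decode(data, validate=True)
    except ValueError:
        return False
    return shannon_entropy(data) >= MIN_ENTROPY_BITS


RULES = {
    "script_host_spawned_powershell": is_script_host_spawning_powershell,
    "large_encoded_registry_value": is_large_encoded_registry_value,
}


def analyze(log_text: str) -> list:
    """Parse JSON-per-line events and return one finding per matching rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "line": lineno,
                                 "target": ev.get("TargetObject") or ev.get("Image")})
    return findings


# Constructed sample data: a 512-byte stand-in for a serialized component.
_FAKE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()

# Constructed sample telemetry (paths and keys are placeholders, not real IoCs).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\ConstructedExample\Setting",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKCU\SOFTWARE\ConstructedExample\Blob",
     "Details": _FAKE_BLOB},
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} ({f['target']})")
```

Run as a script it reports the second and fourth sample events and ignores the benign ones. In practice the same two rules would be fed exported Sysmon events; the entropy check exists so that long but structured values (base64-encoded configuration text, for instance) do not trip the registry rule on their own, and both thresholds should be calibrated against a baseline of normal registry writes in the environment.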

UNC2529's phishing campaign targeted organizations across many industries and regions, including the US, Europe, the Middle East, Africa, Asia and Australia, with its main focus on the financial, aerospace and business services sectors.

“Considerable resources were employed by UNC2529 to conduct their December phishing campaign. Almost 50 domains supported various phases of the effort, targets were researched, and a legitimate third-party domain was compromised. The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well-coded and extensible backdoor. UNC2529 is assessed as capable, professional and well resourced. The identified wide-ranging targets, across geography and industry, suggest a financial crime motive,” Mandiant concluded.
