
Several entirely new malware strains have been spotted

Cybersecurity experts have sounded the alarm over a global phishing campaign that has already targeted several organizations around the world using previously unseen malware.

Researchers at security firm Mandiant have published a detailed analysis of the campaign, noting that at least fifty organizations were targeted in two separate waves in December 2020.

Notably, the attacks deployed three completely new malware strains onto their victims' computers with the help of tailored phishing lures.

“Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of the malware, this threat actor appears experienced and well resourced,” say the researchers.

Financially motivated

The researchers believe the threat actors behind the campaign employed considerable infrastructure to conduct the attacks, including about fifty domains used to deliver the custom phishing emails.

It appears that while the campaign was global, a majority of the targets in both waves were in the US, though it also attacked organizations in the EMEA (Europe, the Middle East, and Africa), Asia, and Australia regions.

The researchers note that the threat actors also invested time in tailoring their attacks so that their phishing emails looked like genuine messages from professionals their targets correspond with.

The phishing emails contained either links to a JavaScript downloader, named DOUBLEDRAG, or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper, named DOUBLEDROP. The dropper bundles 32-bit and 64-bit variants of a backdoor, dubbed DOUBLEBACK.

Mandiant also notes that the malware used in the campaign not only attempts to evade detection by deploying its payload in-memory whenever possible, but is also heavily obfuscated to hinder analysis.

“Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups,” conclude the researchers.

Via BleepingComputer