Trifecta of Sophisticated Malware Distributed in Spear Phishing Campaign

Three new sophisticated malware variants are being distributed by an Advanced Persistent Threat (APT) group in a large-scale global phishing campaign, according to a new report from FireEye’s Mandiant cybersecurity team.

The new malware variants – dubbed DoubleDrag, DoubleDrop, and DoubleBack – are being distributed using 50 domains and one legitimate compromised domain of an HVAC company. Based on the infrastructure used, the tailored nature of the spear phishing emails, and professionally coded sophistication, the APT group appears to be very experienced and well resourced. So far, the majority of attacked organizations have been in the United States, with limited targets in the EMEA and APAC regions.

Mandiant researchers identified the first wave of the phishing campaign on December 2, 2020, with a subsequent wave detected between December 11 and December 18, 2020. The first wave targeted at least 28 organizations, with the emails sent from 26 email addresses on the domain. In total, approximately 50 organizations are known to have been targeted, although it is likely that others have also been attacked.

Mandiant researchers have attributed the attacks to a threat group known as UNC2529. The APT group has taken care when crafting the emails to target individuals and companies to maximize the probability of a response and the installation of the first stage payload. This is delivered as a ZIP compressed file that includes a corrupt decoy PDF file and a heavily obfuscated JavaScript downloader – DoubleDrag. The PDF files distributed in the ZIP file are legitimate PDF files obtained from public sources that have been purposely corrupted by removing bytes to render them unreadable using standard PDF viewers.

DoubleDrop is used in the second stage of the attack and is a memory-only dropper that delivers a heavily obfuscated PowerShell script, which launches a backdoor in the memory named DoubleBack. DoubleBack is thought to be under active development and a work in progress, although it is still a well-coded and extensible backdoor according to the researchers and has a 32-bit and 64-bit version. The backdoor inserts plugins and reports back to its C2 and receives and acts on commands from the C2.

“One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines,” explained Mandiant.

The phishing emails have been sent to a broad range of companies, which have mostly been in business services, the financial sector, healthcare, and retail/consumer products in the United States.  In EMEA, the targets were in aeromil, engineering/manufacturing, health, and the telecoms sectors, and in the APAC region targeted companies were in finance, energy, and retail/consumer products. The diverse geographical spread and the wide range of industries targeted suggests the APT group is financially motivated.

The easiest way to avoid falling victim to attacks involving these malware variants is to ensure to implement an email security gateway, not to click hyperlinks in unsolicited emails, and not to execute email file attachments.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of