Researchers have found three new malware families, Doubledrag, Doubledrop, and Doubleback, first detected in December 2020. These malware strains are being used in an ongoing phishing campaign across the financial industry that is tracked as UNC2529. Organizations in the US, the EMEA region, Asia, and Australia have been targeted by these sophisticated cybercriminals.
Key elements to be aware of in the UNC2529 phishing campaign:
- Malicious emails contained highly personalized messages.
- Over 50 domains, in the style of CEO fraud attacks, were used to masquerade as legitimate executive senders from various industries, including healthcare, electronics, transport, defense, and the military.
- Once the payload was executed, a second wave of the attack was triggered to download a PowerShell script that loads a backdoor into the victim’s system memory.
This malware is still active. Its current functionality is designed to scan for the presence of antivirus software.
Analysis of the new malware strains is ongoing.
A few months back, Mandiant, an American cybersecurity firm, reported that 74% of the world’s UNC2529 victims were in the US, and of them:
- 22% – business services industry
- 17% – financial industry
- 13% – healthcare industry
- 14% – retail/consumer products industry
- 9% – aeromil
- 9% – engineering and manufacturing
- 4% – national government
- 4% – primary education
- 4% – transportation industry
- 4% – utilities industry
Use email best practices to minimize malware risk:
- Identify common red flags. Suspicious emails may contain external email tags but purport to come from internal sources, grammar and spelling errors, oddly placed upper and lower-case letters, incorrect or missing signature blocks or company logos, or words uncommonly used in everyday communications.
- When in doubt, throw it out: If a message or a request looks suspicious or is “too good to be true,” delete it.
- Refrain from taking action, such as clicking links or opening attachments, on any emails received from unknown senders. Links and attachments delivered in emails are the most common tactics used by threat actors to deliver malware to end-user devices.
- Confirm the legitimacy of emails from known senders that request sensitive information by contacting the sender via a separate means of communication. Threat actors often impersonate legitimate and known individuals and academic institutions to convince targets to take the desired action that would compromise their device, data, or account.
- Say “no” to macros. If a file is accidentally downloaded, refrain from enabling macros or content as this is often a technique used to deliver malware.
- Verify domain names. Hover your mouse over the link to verify the URL before clicking or, instead, manually type the URL directly into the address bar of your browser. Once the website’s legitimacy is confirmed, bookmark the page when needed.
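As an added example (not part of the original post), the Python checker below applies two of the red flags from this checklist to a constructed sample message: a lookalike sender domain of the kind used to impersonate executives, and a link whose visible URL differs from its real target. The internal domain, the sample message, and the lookalike domain in it are assumptions, not real indicators.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

INTERNAL_DOMAIN = "example-corp.com"  # assumed: the organisation's own domain

# Constructed sample message; the lookalike domain is a placeholder, not a real indicator.
SAMPLE_EML = """From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
To: staff@example-corp.com
Subject: Urgent: invoice approval
Content-Type: text/html

<p>Please approve today via <a href="http://examp1e-corp.com/login">https://example-corp.com/login</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
            self._href = None

def domain_of(text):
    """Lower-cased host part of a URL or e-mail address ('' if none found)."""
    m = re.search(r"(?:@|//)([^/:?#\s>]+)", text)
    return m.group(1).lower() if m else ""

def red_flags(raw):
    """Return the checklist red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    # Lookalike sender: close to, but not equal to, the internal domain
    if sender != INTERNAL_DOMAIN and SequenceMatcher(None, sender, INTERNAL_DOMAIN).ratio() > 0.8:
        flags.append(f"lookalike sender domain {sender}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Displayed URL names one domain while the real target is another
        if domain_of(text) and domain_of(text) != domain_of(href):
            flags.append(f"link text {domain_of(text)} hides target {domain_of(href)}")
    return flags
```

Running `red_flags(SAMPLE_EML)` reports both flags; the same message with the genuine domain in both places reports none.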