Business services are the primary target for latest phishing malware

May 6, 2021

Researchers have found three new malware families, Doubledrag, Doubledrop, and Doubleback detected in December 2020 and tracked as UNC2529. These malware strains used in an ongoing phishing campaign throughout the financial industry are being tracked as UNC2529. Organizations in the US, EMEA region, Asia, and Australia have been targeted by the sophisticated cybercriminals

Key Elements to be aware of in the UNC2529 phishing campaign:

  • Malicious emails contained highly personalized messages.
  • Over 50 domains were similar to CEO Fraud attacks, used to masquerade as coming from legitimate executive senders of various industries, including healthcare, electronics, transport, defense, and the military.
  • The phishing emails contained links to URLs leading to corrupt files, such as a PDF, or a Zip archive containing a JavaScript file, or Excel documents that were designed to deliver the malicious payload.
  • Once the payload was executed, the second wave of attack was triggered to download a PowerShell script to load a backdoor into the victim’s system’s memory.

Currently, this malware is still in action. Its current functionality is designed to scan for the presence of antivirus software.

Analysis of the new malware strains is ongoing.

A few months back Mandiat, an American cybersecurity firm reported 74% of the world’s UNC2529 victims being in the US, and of them:

  • 22% – business services industry
  • 17% – financial industry
  • 13% – healthcare industry
  • 14% – retail/consumer products industry
  • 9% – aeromil
  • 9% – engineering and manufacturing
  • 4% – national government
  • 4% – primary education
  • 4% – transportation industry
  • 4% – utilities industry

How is your state of IT security?

or call us right now: (855) 551-7760


Use email best practices to minimize malware risk:

  • Identify common red flags. Suspicious emails may contain external email tags but purport to come from internal sources, grammar and spelling errors, oddly placed upper and lower-case letters, incorrect or missing signature blocks or company logos, or words uncommonly used in everyday communications.
  • When in doubt, throw it out: If a message or a request looks suspicious or is “too good to be true,” delete it.
  • Refrain from taking action, such as clicking links or opening attachments, on any emails received from unknown senders. Links and attachments delivered in emails are the most common tactics used by threat actors to deliver malware to end-user devices.
  • Confirm the legitimacy of emails from known senders that request sensitive information by contacting the sender via a separate means of communication. Threat actors often impersonate legitimate and known individuals and academic institutions to convince targets to take the desired action that would compromise their device, data, or account.
  • Say “no” to macros. If a file is accidentally downloaded, refrain from enabling macros or content as this is often a technique used to deliver malware.
  • Verify domain names. Hover your mouse over the link to verify the URL before clicking or, instead, manually type the URL directly into the address bar of your browser. Once the website’s legitimacy is confirmed, bookmark the page when needed.
IT Support NJ - Reputable highly rated Small Business IT services and tech support company in New Jersey - powersolution industry awards
IT support NJ - Reputable highly rated Small Business IT services and tech support company in New Jersey - powersolution IT industry awards
Scroll to Top