DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operations are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine.
To accommodate a bigger pool of targets, the DOUBLEBACK malware is delivered as two instances, and the one that gets executed depends on the architecture of the infected system, either 32-bit or 64-bit. The backdoor is loaded and injected into a PowerShell process prepared by the previous-stage malware, a dropper named DOUBLEDROP. Afterward, the threat loads its plugins and establishes a communication loop: it tries to reach its Command-and-Control (C2, C&C) servers, fetches any incoming commands, and carries them out.
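The execution chain above (a fileless payload running inside a PowerShell process that then polls its C2 in a loop) suggests a simple host-side detection: a PowerShell process that was not started with a script file and that repeatedly connects to the same external host at near-regular intervals. The following is an added example of that heuristic, not code from the original article or from the researchers who analysed DOUBLEBACK; the event records, process ids, addresses and the `-File` / jitter thresholds are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (Sysmon-style process-create and network-connect
# records). Every value here is made up for this example; none comes from the page.
SAMPLE_EVENTS = [
    {"t": 0,   "type": "process_create", "pid": 4100, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD"},
    {"t": 1,   "type": "process_create", "pid": 4200, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"t": 60,  "type": "network_connect", "pid": 4100, "dst": "203.0.113.10", "port": 443},
    {"t": 90,  "type": "network_connect", "pid": 4200, "dst": "10.0.0.5", "port": 445},
    {"t": 120, "type": "network_connect", "pid": 4100, "dst": "203.0.113.10", "port": 443},
    {"t": 181, "type": "network_connect", "pid": 4100, "dst": "203.0.113.10", "port": 443},
    {"t": 240, "type": "network_connect", "pid": 4100, "dst": "203.0.113.10", "port": 443},
]

# RFC 1918 ranges; connections inside these are treated as ordinary internal traffic.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def looks_fileless(cmdline):
    # A script run from disk normally carries "-File <path>"; encoded or in-memory
    # invocations do not. This is a heuristic assumption, not a hard rule.
    return "-file" not in cmdline.lower()


def find_beaconing_powershell(events, min_connections=3, max_jitter=0.2):
    """Return {pid: details} for PowerShell processes that connect to the same
    external host at near-regular intervals and were not launched with a script file.

    jitter = population stdev of inter-connection gaps divided by their mean;
    a C2 polling loop with a fixed sleep produces a small value."""
    procs = {e["pid"]: e for e in events
             if e["type"] == "process_create"
             and e["image"].lower().endswith("powershell.exe")}
    conns = defaultdict(list)
    for e in events:
        if (e["type"] == "network_connect" and e["pid"] in procs
                and not is_internal(e["dst"])):
            conns[(e["pid"], e["dst"], e["port"])].append(e["t"])

    hits = {}
    for (pid, dst, port), times in conns.items():
        if len(times) < min_connections or not looks_fileless(procs[pid]["cmdline"]):
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits[pid] = {"dst": dst, "port": port, "connections": len(times),
                         "mean_interval_s": round(avg, 1)}
    return hits


if __name__ == "__main__":
    for pid, info in find_beaconing_powershell(SAMPLE_EVENTS).items():
        print(f"pid {pid}: beaconing to {info['dst']}:{info['port']} "
              f"every ~{info['mean_interval_s']}s ({info['connections']} connections)")
```

On the constructed sample, only pid 4100 is reported (four connections to 203.0.113.10 about 60 seconds apart, no `-File` argument); pid 4200 runs a script from disk and only talks to an internal host. In a real deployment the thresholds would be tuned against baseline PowerShell usage, and the hit would be enriched with the parent process (the dropper stage) rather than acted on alone.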
The Sophisticated Attack Campaign
Judging by the structure and scope of the operation, UNC2529 appears to have both experience and access to significant resources. The threat actors targeted entities from a multitude of industry verticals, such as medical, military manufacturing, automotive and high-tech electronics. The potential victims were also spread across several geographic regions, including the US, EMEA (Europe, the Middle East and Africa), Asia and Australia.