DOUBLEBACK

DOUBLEBACK Description

DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operation are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine.

To cover a larger pool of targets, DOUBLEBACK is delivered as two instances, and the one that gets executed depends on the architecture of the infected system, either 32-bit or 64-bit. The backdoor is loaded and injected into a PowerShell process prepared by the previous-stage malware, a dropper named DOUBLEDROP. Afterward, the threat loads its plugins and enters a communication loop: it tries to reach its Command-and-Control (C2, C&C) servers, fetch any incoming commands, and carry them out.

The Sophisticated Attack Campaign

Judging by the structure and scope of the operation, UNC2529 appears to have both experience and access to significant resources. The threat actors targeted entities from a multitude of industry verticals such as medical, military manufacturing, automotive and high-tech electronics. The potential victims were also spread across several geographic regions, including the US, EMEA (Europe, Middle East, and Africa), Asia and Australia.

To deliver the initial-stage threat, named DOUBLEDRAG, the attackers relied on phishing emails whose design was tailored to the particular target. The emails were made to appear as legitimate as possible while upholding the facade of being sent by an account executive. Malicious links would lead the targeted user to a .PDF file paired with a JavaScript file. The PDFs were corrupted to the point of their contents being unreadable. The targeted user, trying to reach the content, would then run the .js file, inadvertently executing the DOUBLEDRAG downloader in the process. It should be noted that only the downloader lives in the file system of the compromised device; all subsequently delivered stages are serialized in the Windows Registry.
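Because only the downloader touches disk, the process chain is what a defender has left to hunt on: a script host launching a .js file from a user-writable directory and then spawning PowerShell, into which the later stages are injected. The following heuristic is an added example, not code from the original page or from the researchers who tracked UNC2529; the event fields, paths and command lines are constructed Sysmon-style samples, not telemetry from the campaign.

```python
"""Flag the DOUBLEDRAG -> DOUBLEDROP -> DOUBLEBACK style process chain:
a script host running a .js from a user-writable path spawns PowerShell.
Input records are constructed, Sysmon-style process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories a phished user can write to (assumed list, extend as needed).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
JS_ARG = re.compile(r'\.jse?(?=["\s]|$)')  # .js / .jse as a whole token


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_chain(events: List[ProcEvent]) -> List[str]:
    """Return one finding per PowerShell process whose parent is a script
    host that was started with a .js file from a user-writable directory.
    Note: matching on ppid alone is a simplification; real telemetry should
    also use the parent's creation time or GUID to avoid PID reuse."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[str] = []
    for ev in events:
        if _base(ev.image) not in POWERSHELL:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or _base(parent.image) not in SCRIPT_HOSTS:
            continue
        cmd = parent.cmdline.lower()
        if JS_ARG.search(cmd) and any(d in cmd for d in USER_WRITABLE):
            findings.append(f"pid {ev.pid}: PowerShell spawned by "
                            f"{_base(parent.image)} running a .js from a "
                            f"user-writable path ({parent.cmdline})")
    return findings


# Constructed sample events (hypothetical, not real campaign telemetry).
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\report.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -enc AAAA"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # benign: parent is explorer, not a script host
]
```

A hit from this rule is a lead, not a verdict; the page's other observation, payloads serialized in the Registry, is the natural next pivot when triaging the flagged host.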