DOUBLEDRAG Description

Malware researchers have uncovered a sophisticated attack campaign that targeted companies across a range of industry verticals and many different regions. According to their findings, a previously unidentified threat actor, tracked as UNC2529, launched two distinct attack waves in December 2020. The potential victims included organizations in the medical, automotive, electronics, and military manufacturing sectors. The primary region targeted was the US, followed by EMEA (Europe, the Middle East, and Africa), parts of Asia, and Australia.

Three previously unseen malware strains, dubbed DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, were used in the operation, each performing a distinct task in the attack chain. As the initial compromise vector, the threat actor relied on phishing emails tailored to each targeted organization. In general, the attackers posed as account executives offering services suited to a variety of industry sectors. The lure emails delivered the first stage of the attack chain, a downloader named DOUBLEDRAG.

The DOUBLEDRAG Downloader

DOUBLEDRAG is the only one of the three malware strains deployed by UNC2529 that is not fileless; it is the one component that is written to disk. It is hidden inside either heavily obfuscated JavaScript files or Excel documents with embedded macros. The .js files were paired with deliberately corrupted .PDF documents. The likely intent was that a user unable to open the scrambled PDF would try the accompanying JavaScript file instead; on a default Windows installation, double-clicking a .js file executes it through Windows Script Host, which is all the downloader needs to run.
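The delivery pattern described above (a script attachment paired with a PDF that will not open, or a macro-enabled Excel workbook) is something an email gateway or triage script can check for directly. The following Python is an added example written for this page, not Mandiant's code or any tool from the UNC2529 report; the attachment contents, file names, and the obfuscation markers it looks for are constructed for illustration and are not indicators from the campaign.

```python
"""Attachment triage heuristic for the DOUBLEDRAG lure pattern.

Flags: Windows script attachments (.js/.jse/.wsf/.vbs), PDFs that fail basic
structural checks, and Excel workbooks carrying a VBA project. The combination
of a script plus a corrupt PDF is escalated, since that is the lure the
campaign used. All sample data below is constructed, not captured.
"""
import io
import re
import zipfile
from typing import Dict, List

SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "vbs"}
# Strings common in obfuscated Windows Script Host droppers (assumed markers,
# not taken from the DOUBLEDRAG samples).
OBFUSCATION_MARKERS = ["eval(", "unescape(", "String.fromCharCode",
                       "ActiveXObject", "WScript.Shell", "\\x"]


def pdf_looks_corrupt(data: bytes) -> bool:
    """A readable PDF starts with '%PDF-' and carries '%%EOF' near its tail."""
    if not data.startswith(b"%PDF-"):
        return True
    return b"%%EOF" not in data[-1024:]


def js_looks_obfuscated(data: bytes) -> bool:
    """Cheap heuristic: several decoder/loader markers, or a very long literal."""
    text = data.decode("latin-1")
    hits = sum(text.count(m) for m in OBFUSCATION_MARKERS)
    long_literal = re.search(r"['\"][A-Za-z0-9+/=]{200,}['\"]", text) is not None
    return hits >= 2 or long_literal


def excel_has_macro(data: bytes) -> bool:
    """OOXML workbooks are zip containers; a VBA project lives at xl/vbaProject.bin.
    Legacy OLE2 .xls files need a different parser and are not inspected here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower() == "xl/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(attachments: Dict[str, bytes]) -> Dict[str, object]:
    """Return a verdict plus per-attachment findings for one email."""
    findings: List[str] = []
    has_script = has_corrupt_pdf = False
    for name, data in attachments.items():
        ext = name.lower().rsplit(".", 1)[-1]
        if ext in SCRIPT_EXTENSIONS:
            has_script = True
            label = "obfuscated script" if js_looks_obfuscated(data) else "script"
            findings.append(f"{name}: Windows {label} attachment")
        elif ext == "pdf" and pdf_looks_corrupt(data):
            has_corrupt_pdf = True
            findings.append(f"{name}: PDF fails structural checks")
        elif ext in ("xlsm", "xlsx") and excel_has_macro(data):
            findings.append(f"{name}: Excel workbook with embedded VBA project")
    verdict = "suspicious" if findings else "clean"
    if has_script and has_corrupt_pdf:
        verdict = "doubledrag_lure"  # script + unreadable PDF: the lure described above
    return {"verdict": verdict, "findings": findings}


def build_sample_xlsm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample email: a truncated PDF alongside an obfuscated .js.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "Invoice_Q4.pdf": b"%PDF-1.7\n" + b"\x00" * 64,
    "Invoice_Q4.js": b'var a="\\x68\\x74\\x74\\x70";eval(unescape("%61%62%63"));',
}
BENIGN_ATTACHMENTS: Dict[str, bytes] = {
    "Services_Overview.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n",
    "Rates.xlsx": build_sample_xlsm(with_macro=False),
}

if __name__ == "__main__":
    for label, atts in (("sample", SAMPLE_ATTACHMENTS), ("benign", BENIGN_ATTACHMENTS)):
        result = triage(atts)
        print(label, result["verdict"], result["findings"])
```

The PDF check is intentionally shallow: it catches a file that was truncated or overwritten, which is what a "corrupted" lure looks like, but not a well-formed PDF carrying a malicious object, so it belongs beside, not instead of, a full document scanner.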

DOUBLEDRAG carries no extraneous capabilities. It is a streamlined, single-purpose downloader whose only job is to fetch and launch the next-stage payload, the DOUBLEDROP dropper, which then continues the chain in memory.

The Mandiant researchers state that analysis of the UNC2529 campaign and the malware strains involved in it is still ongoing. The attackers relied heavily on obfuscation and in-memory execution, which makes analyzing the tools considerably harder.