DOUBLEDROP Description

Security researchers have detected a new attack campaign that uses three previously unseen malware tools. The operations took place in December 2020 and consisted of two distinct waves of activity. The infrastructure and malware involved indicate that the threat actors are experienced and well resourced. The researchers designated the group UNC2529 and dubbed the three malware strains DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK.

The campaign used phishing emails tailored to each specific victim. The targeted entities came from multiple industry verticals - military manufacturing, high-tech electronics, medicine, and automotive. Most were located in the US, but potential victims were also identified in the EMEA region (Europe, the Middle East and Africa), Asia and Australia. The bait emails were designed to look as if they came from an accounting executive offering services relevant to the victim's operations.

The DOUBLEDROP Functionality

DOUBLEDROP is the middle stage of the chain, responsible for delivering and executing the final DOUBLEBACK backdoor on the compromised system. It is an obfuscated PowerShell script that runs entirely in memory and is bundled with two builds of the next-stage backdoor; which one gets executed depends on whether the infected system is 32-bit or 64-bit. Neither DOUBLEDROP nor DOUBLEBACK is written to the victim's file system; both are instead serialized into the Windows Registry, which is why file-based scanning alone will not find them.
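As an added hunting example (editor-written, not DOUBLEDROP or any UNC2529 code), the PowerShell function below walks Registry hives looking for values large enough to hold a serialized script or executable and reports why each one looks suspicious: a raw or base64-encoded PE image, or a script carrying the loader tokens a dropper like this needs, including the 32/64-bit check used to pick the right bundled payload. The hive roots, size threshold and loader-token regex are assumptions to tune for the environment; the report does not name the keys the malware uses, so the scan is deliberately broad.

```powershell
# Added hunting example for a dropper kept out of the file system and serialized
# into the Registry. Editor-written; not UNC2529 tooling. The roots, threshold and
# token regex below are assumptions, not locations or strings from the report.
function Find-RegistryPayloads {
    param(
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),  # assumption: hives to walk
        [int]$MinLength = 4096                                      # assumption: smaller values are ignored
    )

    # Heuristic tokens: base64 loaders, in-memory execution, and the 32/64-bit
    # selection a dropper needs in order to choose between two bundled payloads.
    $scriptTokens = 'Invoke-Expression|\bIEX\b|FromBase64String|\[IntPtr\]::Size|Is64BitProcess|PROCESSOR_ARCHITECTURE'

    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $kind   = $key.GetValueKind($name).ToString()
                $data   = $key.GetValue($name)
                $reason = $null

                switch ($kind) {
                    'Binary' {
                        if ($data.Length -ge $MinLength) {
                            # 'MZ' at offset 0 is a raw PE image; any other large blob still merits a look.
                            if ($data[0] -eq 0x4D -and $data[1] -eq 0x5A) { $reason = 'raw PE image (MZ header)' } else { $reason = 'large binary blob' }
                        }
                    }
                    { $_ -eq 'String' -or $_ -eq 'ExpandString' } {
                        $compact = $data -replace '\s', ''
                        if ($compact.Length -ge $MinLength -and $compact -match '^[A-Za-z0-9+/]+=*$') {
                            try {
                                $decoded = [Convert]::FromBase64String($compact)
                                if ($decoded.Length -ge 2 -and $decoded[0] -eq 0x4D -and $decoded[1] -eq 0x5A) {
                                    $reason = 'base64-encoded PE image'
                                } else {
                                    # -EncodedCommand payloads are UTF-16LE; plain scripts are usually UTF-8,
                                    # so test both decodings against the token list.
                                    $text = [Text.Encoding]::Unicode.GetString($decoded) + [Text.Encoding]::UTF8.GetString($decoded)
                                    if ($text -match $scriptTokens) { $reason = 'base64-encoded script with loader tokens' } else { $reason = 'large base64 string' }
                                }
                            } catch {
                                $reason = 'large base64-looking string (decode failed)'
                            }
                        } elseif ($data -match $scriptTokens) {
                            $reason = 'plaintext script with loader tokens'
                        }
                    }
                }

                if ($reason) {
                    [PSCustomObject]@{
                        Key    = $key.Name
                        Value  = $name
                        Kind   = $kind
                        Length = $data.Length
                        Reason = $reason
                    }
                }
            }
        }
    }
}

# Usage: run from an elevated prompt so HKLM is readable, then review the hits.
Find-RegistryPayloads | Sort-Object Length -Descending | Format-Table -AutoSize
```

A full walk of HKLM:\SOFTWARE takes a few minutes, and legitimate software (licensing blobs, cached configuration, installer state) will produce hits, so treat the output as a triage list rather than a verdict. The decode step is what makes the output actionable: a value that base64-decodes to an MZ header or to a script referencing [IntPtr]::Size alongside Invoke-Expression is worth pulling for analysis regardless of which key it sits under.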