Two waves of global financial phishing attacks that flooded at least 50 companies from a vast variety of fields in December have delivered three new malware strains, according to a report from FireEye’s Mandiant cybersecurity team.

The main target area for attacks in both waves was the United States, while EMEA (Europe, the Middle East, and Africa), Asia, and Australia were targeted only in the first wave that occurred on Dec. 2, 2020.

First wave of UNC2529 phishing attacks


On Tuesday, FireEye’s Mandiant cybersecurity team stated that the malware strains, named Doubledrag, Doubledrop, and Doubleback, were observed in December 2020.

The threat actors behind the malware are being tracked as UNC2529. Given the “considerable” infrastructure they possess, their carefully crafted phishing lures, and what the specialists called the “professionally coded sophistication” of the malware, Mandiant states that the UNC2529 hackers appear to be “experienced and well-resourced.”

Phishing messages sent to potential targets rarely reused the same email addresses, and all of the emails carried subject lines specific to the products of the organization the attackers were pretending to be associated with.

In several situations, attackers would pose as account executives trying to sell services suitable for different industries such as transport, the military, medicine, electronics, and defense.

How It Works

The malware ecosystem utilized by UNC2529 includes either a JavaScript-based downloader (Doubledrag) or an Excel document with an embedded macro; a dropper (Doubledrop); and a backdoor (Doubleback).

The infection begins with phishing emails that contain a link to download a malicious payload: a JavaScript downloader whose code is heavily obfuscated in order to avoid examination.

Once it’s executed, Doubledrag attempts to download a dropper – Doubledrop – in the second stage of the attack chain. Doubledrop is an obfuscated PowerShell script intended to place a backdoor into memory. It comes with two flavors of the Doubleback backdoor: a 32-bit and a 64-bit instance.

Once that setup is complete, the Doubleback backdoor loads its plugin and reaches out to the C2 server in a loop to fetch commands to execute on the infected device.

One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines.
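One way a defender can hunt for this kind of registry-resident payload, shown as an added example that is not from Mandiant's report or this article: the Python script below parses the text of a `reg export` dump and flags large, high-entropy hex values. The thresholds, key names and sample data are constructed assumptions, since the article does not say which keys or encoding the malware uses.

```python
import hashlib, math, re
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_reg_export(text, min_bytes=1024, min_entropy=7.0):
    """Return (key, value_name, size, entropy) for large, high-entropy hex values.
    Thresholds are assumed starting points; tune them against a clean baseline."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join .reg continuation lines
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # current registry key path
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\([0-9a-f]+\))?:([0-9a-f,]*)$', line, re.I)
        if not m or key is None:
            continue  # string, dword or header line: not a hex-encoded value
        data = bytes.fromhex(m.group(2).replace(",", ""))
        h = entropy(data)
        if len(data) >= min_bytes and h >= min_entropy:
            hits.append((key, m.group(1).strip('"'), len(data), round(h, 2)))
    return hits

def _hex_value(name, data, width=25):
    """Format bytes the way regedit exports REG_BINARY (helper for the sample)."""
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return f'"{name}"=hex:' + ",\\\n  ".join(rows)

# Constructed sample export: two benign values and one pseudo-random 4 KiB blob.
BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]",
    _hex_value("WindowPos", bytes(range(16))),  # too small to flag
    _hex_value("Padding", bytes(2048)),         # large but zero entropy
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]",
    _hex_value("Data", BLOB),                   # large and high entropy
])

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE):
        print(hit)
```

Real `reg export` files are usually UTF-16 encoded, so decode them before passing the text in. Legitimate software also stores compressed or encrypted blobs in the registry, so hits are leads for triage rather than verdicts.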


According to Mandiant, UNC2529 utilized considerable infrastructure to run the December phishing attacks.


About 50 organizations were hit across the various phases of the campaigns. Meanwhile, the hackers did their due diligence and spent time tailoring their attacks to the targeted victims, in an attempt to make sure that their emails were seen as legitimate messages from business partners or clients.

This strategy was used in order to increase the chance that their booby-trapped messages were opened and the targets got infected.

In seven observed phishing emails, the attackers masqueraded as the account executive and targeted the medical industry, high-tech electronics, automotive and military equipment manufacturers, and a cleared defense contractor, with subject lines very specific to the products of the California-based electronics manufacturing company.


The specialists say that Doubleback seems to be “an ongoing work in progress.” The team expects to see UNC2529 continue to compromise victims in all industries, worldwide.

Because all of the initial phishing vectors depend on convincing the user to click a link or execute an attached file, the best thing we can do to protect ourselves is to not click on suspicious links, even if they appear to be sent by someone we know.
