Three new malware families found in global finance phishing campaign
Researchers have found three new malware families used in a widespread phishing campaign entrenched in financial crime. On Tuesday, FireEye's Mandiant cybersecurity team said the malware strains, dubbed Doubledrag, Doubledrop, and Doubleback, were detected in December 2020.
The threat actors behind the malware, described as "experienced and well-resourced," are being tracked as UNC2529. Organizations in the US, EMEA region, Asia, and Australia have, so far, been targeted in two separate waves.
Phishing messages sent to potential victims rarely reused the same sender email addresses, and subject lines were tailored to each target; in many cases the threat actors masqueraded as account executives touting services suitable for different industries, including defense, medicine, transport, the military, and electronics. Over 50 domains in total were used to manage the global phishing scheme. In one attack, UNC2529 compromised a domain owned by a US heating and cooling services business, tampered with its DNS records, and used this infrastructure to launch phishing attacks against at least 22 organizations.
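The article notes that UNC2529 tampered with a compromised business's DNS records before sending phishing mail from that infrastructure. As an added example, not code from the article or from FireEye's report, the following Python script shows one defender-side check for that kind of abuse: keep a baseline of the mail-relevant records for your own domain (MX, SPF, DMARC, A) and diff each observed snapshot against it, flagging new mail exchangers, new SPF senders and weakened DMARC policy. The domain names, addresses and record values are constructed sample data, and the snapshot layout is this example's own assumption; in practice the observed snapshot would be filled from a resolver query, which is left out so the script runs offline.

```python
"""Detect drift in a domain's mail-relevant DNS records against a baseline.

Added example, not from the article. Snapshots are plain dicts (an assumption
of this example) with keys:
  "MX"    -> list of "pref host" strings
  "A"     -> list of IPv4 addresses at the apex
  "TXT"   -> list of TXT values at the apex (SPF lives here)
  "DMARC" -> the TXT value at _dmarc.<domain>, or None
All record values below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    record: str   # "MX", "A", "SPF" or "DMARC"
    change: str   # "added", "removed" or "modified"
    detail: str   # the value (or tag) that changed


def parse_spf(txt_records):
    """Return the mechanisms of the first SPF TXT record, or None if absent."""
    for txt in txt_records:
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:]
    return None


def parse_dmarc(txt):
    """Parse a DMARC TXT value ('v=DMARC1; p=reject; ...') into a tag dict."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _set_diff(record, base, obs, findings):
    """Append added/removed findings for two lists treated as sets."""
    for value in sorted(set(obs) - set(base)):
        findings.append(Finding(record, "added", value))
    for value in sorted(set(base) - set(obs)):
        findings.append(Finding(record, "removed", value))


def diff_snapshots(baseline, observed):
    """Return the list of mail-relevant changes between two snapshots."""
    findings = []
    # Any new MX host can receive (and bounce) mail for the domain.
    _set_diff("MX", baseline.get("MX", []), observed.get("MX", []), findings)
    # A record changes can redirect web traffic used in the lure.
    _set_diff("A", baseline.get("A", []), observed.get("A", []), findings)
    # A new SPF mechanism authorises a new sender for the domain.
    base_spf = parse_spf(baseline.get("TXT", [])) or []
    obs_spf = parse_spf(observed.get("TXT", [])) or []
    _set_diff("SPF", base_spf, obs_spf, findings)
    # A weakened DMARC policy (reject -> none) lets spoofed mail through.
    base_dmarc = parse_dmarc(baseline.get("DMARC")) or {}
    obs_dmarc = parse_dmarc(observed.get("DMARC")) or {}
    for tag in sorted(set(base_dmarc) | set(obs_dmarc)):
        before, after = base_dmarc.get(tag), obs_dmarc.get(tag)
        if before != after:
            findings.append(Finding("DMARC", "modified", f"{tag}: {before!r} -> {after!r}"))
    return findings


# Constructed sample data: the known-good baseline for example.com ...
BASELINE = {
    "MX": ["10 mail.example.com."],
    "A": ["192.0.2.10"],
    "TXT": ["v=spf1 mx -all"],
    "DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
# ... and a snapshot after hypothetical tampering (all values invented).
TAMPERED = {
    "MX": ["10 mail.example.com.", "20 relay.attacker-infra.invalid."],
    "A": ["192.0.2.10"],
    "TXT": ["v=spf1 mx include:attacker-infra.invalid -all"],
    "DMARC": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, TAMPERED):
        print(f"[{finding.record}] {finding.change}: {finding.detail}")
```

Run against the sample data the script reports three findings: an added MX host, an added SPF `include:` mechanism and the DMARC `p` tag changing from `reject` to `none`. Each of those is a change that should only ever come from your own change-control process, so any one of them is a reasonable trigger for an alert; an unchanged snapshot produces no findings.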