The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing
campaign targeting numerous organizations across an array of
industries. Mandiant tracks this threat actor as UNC2529.
Based on the considerable infrastructure employed, tailored phishing
lures and the professionally coded sophistication of the malware, this
threat actor appears experienced and well resourced. This blog post
will discuss the phishing campaign and the identification of three new
malware families (DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK), provide a
deep dive into their functionality, and present an overview of the actor’s
modus operandi and our conclusions. A future blog post will focus on
the backdoor communications and the differences between DOUBLEBACK
samples to highlight the malware evolution.

UNC2529 Phishing Overview

Mandiant observed the first wave of the phishing campaign occur on
Dec. 2, 2020, and a second wave between Dec. 11 and Dec. 18, 2020.

During the initial flurry, Mandiant observed evidence that 28
organizations were sent phishing emails, though targeting was likely
broader than directly observed. These emails were sent using 26 unique
email addresses associated with the domain
tigertigerbeads<.>com, and in only a small number of cases did
we see the same address used across multiple recipient organizations.
These phishing emails contained inline links to malicious URLs such as
hxxp://totallyhealth-wealth[.]com/downld-id_mw<redacted>Gdczs,
engineered to entice the victim to download a file. UNC2529 employed
at least 24 different domains to support this first stage of a three-stage process.

The URLs embedded in these phishing emails followed the patterns
below, where <string> was an alphabetic value of unknown function.

http://<fqdn>/downld-id_<string>
http://<fqdn>/downld-id-<string>
http://<fqdn>/files-upload_<string>
http://<fqdn>/files-upload-<string>
http://<fqdn>/get_file-id_<string>
http://<fqdn>/get_file-id-<string>
http://<fqdn>/zip_download_<string>
http://<fqdn>/zip_download-<string>
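As an added example (not part of Mandiant's post), the following Python turns the eight path patterns above into one regular expression and runs it over constructed proxy-log lines so a defender can hunt for this stage in their own telemetry; the log field layout and the hostnames are assumptions, not observed infrastructure.

```python
import re
from urllib.parse import urlparse

# Single regex covering the eight lure paths: four prefixes, each followed
# by "_" or "-" and an alphabetic string (the page describes the string as
# alphabetic; widen the class to [A-Za-z0-9]+ if you prefer recall).
UNC2529_PATH_RE = re.compile(
    r"^/(?:downld-id|files-upload|get_file-id|zip_download)[_-]([A-Za-z]+)$"
)


def match_unc2529_url(url: str):
    """Return (fqdn, string) when the URL path matches a lure pattern,
    otherwise None. Accepts defanged hxxp:// and [.] / <.> notation."""
    refanged = url.replace("hxxp://", "http://").replace("hxxps://", "https://")
    refanged = refanged.replace("[.]", ".").replace("<.>", ".")
    parsed = urlparse(refanged)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    m = UNC2529_PATH_RE.match(parsed.path)
    if not m:
        return None
    return parsed.hostname, m.group(1)


def scan_proxy_log(lines):
    """Return [(line_no, fqdn, string), ...] for every line whose URL
    field matches. Assumed format: '<ts> <client_ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line for this assumed format; skip it
        hit = match_unc2529_url(fields[3])
        if hit:
            hits.append((n, *hit))
    return hits


# Constructed sample log lines; lure-domain.example is a placeholder host.
SAMPLE_LOG = [
    "2020-12-02T09:14:11Z 10.0.0.5 GET http://lure-domain.example/downld-id_abcDEF 200",
    "2020-12-02T09:15:02Z 10.0.0.7 GET http://intranet.example/files-upload 200",
    "2020-12-02T09:16:40Z 10.0.0.9 GET http://lure-domain.example/zip_download-qwerty 200",
    "2020-12-02T09:17:03Z 10.0.0.9 GET http://lure-domain.example/get_file-id_abc123 200",
]

if __name__ == "__main__":
    for line_no, fqdn, token in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {fqdn} path token {token}")
```

Lines 2 and 4 of the sample deliberately miss (no separator-plus-string, and a digit-bearing string) to show the pattern boundaries.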

The first stage payload downloaded from these URLs consisted of a
Zip compre

[…]