Highly customized and targeted phishing campaign delivers three new malware families

On May 4th, 2021, FireEye reported highly customized and tailored phishing attempts across multiple industries and geographies. Two aspects of this campaign stand out: first, the messages were customized for different parts of each industry, and second, three never-before-seen malware families were delivered. The campaign is attributed to a threat actor group tracked as UNC2529. Mandiant observed evidence that 28 organizations were sent phishing emails, though targeting was likely broader than what was directly observed. UNC2529 employed at least 24 different domains to support the campaign.
UNC2529 showed signs of target research in its choice of sender email addresses and subject lines, which were tailored to the intended victims. For example, UNC2529 used a unique username, masquerading as an account executive of a small California-based electronics manufacturing company. Seven phishing emails impersonating this account executive were observed targeting the medical industry, high-tech electronics, automotive and military equipment manufacturers, and a cleared defense contractor. Each email had a subject line specific to the products of the California-based electronics manufacturing company.

Multiple industries were targeted using customized phishing subjects, a few of which are listed below (industry / vertical, followed by the observed email subject lines):
Transport / Freight: "compton ca to flowery branch ga"
Utility company: "easement to bore to our stairwell area"
Financial institutions: "outdoors environment (1 out of 3)"; "accepted: follow up with butch & karen"
Insurance: "fw: certificate of insurance"; "fw: insurance for plow"
IT services: "good day candidate, your vacancy # xcmxydis4s"; "hello worker, your work number- u39hbutlsf"
Delivery of three previously unseen malware families:
These phishing emails contained inline links to malicious URLs such as hxxp://totallyhealth-wealth[.]com/downld-id_mwGdczs. The emails were engineered to entice the victim into downloading a file. The file served from these URLs was a Zip archive containing a corrupt decoy PDF document and a heavily obfuscated JavaScript downloader. The downloader retrieves a memory-only dropper, which in turn deploys a backdoor. The three malicious components are named DOUBLEDRAG (the downloader), DOUBLEDROP (the memory-only dropper) and DOUBLEBACK (the backdoor).
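The lure described above (a Zip archive holding a corrupt decoy PDF next to a script downloader) is simple to triage automatically at a mail or web gateway. The following is an added example written for this page, not FireEye/Mandiant code; the file names, the marker list and the sample archives are constructed for illustration, and the script body inside the sample is a harmless stand-in, not the real downloader.

```python
# Added example (not FireEye/Mandiant code): triage a downloaded .zip for the
# lure pattern described above, a decoy PDF packaged next to a script
# downloader. File names and the sample archives below are constructed.
import io
import zipfile

# Script types a gateway should never let a user run straight out of an archive.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat"}

# Tokens common in obfuscated Windows script downloaders
# (assumption: these are indicators worth flagging, not proof of malice).
JS_DOWNLOADER_MARKERS = ("eval(", "string.fromcharcode", "unescape(",
                         "activexobject", "msxml2.xmlhttp", "adodb.stream",
                         "wscript.shell")


def looks_like_pdf(data: bytes) -> bool:
    """A genuine PDF begins with the %PDF- magic; the campaign's decoy did not render."""
    return data[:5] == b"%PDF-"


def script_markers(data: bytes) -> list:
    """Return the downloader markers present in a script body (case-insensitive)."""
    text = data.decode("utf-8", errors="ignore").lower()
    return [m for m in JS_DOWNLOADER_MARKERS if m in text]


def triage_zip(zip_bytes: bytes) -> dict:
    """Classify an archive as clean / suspicious / block based on its members."""
    result = {"scripts": {}, "double_ext": [], "bad_pdfs": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTS:
                result["scripts"][name] = script_markers(zf.read(info))
                if len(parts) > 2:            # e.g. invoice.pdf.js
                    result["double_ext"].append(name)
            elif ext == ".pdf" and not looks_like_pdf(zf.read(info)):
                result["bad_pdfs"].append(name)
    if result["scripts"]:
        result["verdict"] = "block"           # a script inside a mailed zip is reason enough
    elif result["bad_pdfs"]:
        result["verdict"] = "suspicious"      # a "PDF" that is not a PDF matches the decoy pattern
    return result


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used here to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mimicking the described lure: a corrupt "PDF" plus a
# .js file that only looks like an obfuscated downloader (no real payload).
SAMPLE_LURE = build_archive({
    "document.pdf": b"\x00\x00garbage, not a pdf",
    "document.pdf.js": b"var q=[0x68,0x74];eval(String.fromCharCode.apply(null,q));"
                       b"new ActiveXObject('MSXML2.XMLHTTP');",
})

# Constructed benign archive: a single file with a valid PDF header.
SAMPLE_CLEAN = build_archive({"report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"})

if __name__ == "__main__":
    print(triage_zip(SAMPLE_LURE))
    print(triage_zip(SAMPLE_CLEAN))
```

The "block" verdict is deliberately triggered by the mere presence of a script file: in the campaign described on this page the decoy document was the social-engineering layer, and the executable content always arrived as a script beside it, so the archive's membership alone is a better signal than trying to deobfuscate the JavaScript.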
SecurityAdvisor Employee Tips:
Spot emails that ask you to download a file from the internet and lure you into unzipping, opening and/or executing it.
Emails with seemingly routine business subjects from new or unknown senders, carrying links or attachments, are a red flag.

Always remember that attackers have studied your routine business communication in order to craft an enticing phishing email.
Phishing attacks blend in with normal business email traffic; this is a trend users must be aware of.
