fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Worldwide Phishing Attacks Deliver Three New Malware Strains

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Worldwide Phishing Attacks Deliver Three New Malware Strains

A global-scale phishing campaign targeted worldwide organizations across an extensive array of industries with never-before-seen malware strains delivered via specially-tailored lures.

The attacks hit at least 50 orgs from a wide variety of industries in two waves, on December 2nd and between December 11th and 18th, according to a Mandiant report published today.

UNC2529, as Mandiant threat researchers track the “uncategorized” threat group behind this campaign, has deployed three new malware strains onto the targets’ computers using custom phishing lures.

From downloader to backdoor

The malware used by UNC2529 in these attacks is heavily obfuscated to hinder analysis, and it attempts to evade detection by deploying payload in-memory whenever possible.

“The threat actor made extensive use of obfuscation and fileless malware to complicate detection to deliver a well coded and extensible backdoor,” Mandiant said.

Throughout the two waves of attacks, the threat group used phishing emails with links to a JavaScript-based downloader (dubbed DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (known as DOUBLEDROP) from attackers’ command-and-control (C2) servers.

The DOUBLEDROP dropper bundles 32 and 64-bit instances of a backdoor (named DOUBLEBACK) implemented as a PE dynamic library.

Also Read: Practitioner Certificate In Personal Data Protection: Everything You Need To Know

The backdoor gets injected into the PowerShell process spawned by the dropper. Still, it is designed to later attempt to inject itself into a newly spawned Windows Installer (msiexec.exe) process if Bitdefender’s antivirus engine is not running on the compromised computer.

In the next stage, the DOUBLEBACK backdoor loads its plugin and reaches out to the C2 server in a loop to fetch commands to execute on the infected device.

“One interesting fact about the whole ecosystem is that only the downloader exists in the file system,” Mandiant added.

“The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines.”

Signs of spear phishing

UNC2529 used considerable infrastructure to pull off their attacks, with roughly 50 domains being used to deliver the phishing emails.

The group also invested time into tailoring their attacks to the targeted victims, in evident attempts to make sure that their emails were seen as legitimate messages from business partners or clients.

They used this tactic to increase the chance that their booby-trapped messages were opened and the targets got infected.

“Masquerading as the account executive, seven phishing emails were observed targeting the medical industry, high-tech electronics, automotive and military equipment manufacturers, and a cleared defense contractor with subject lines very specific to the products of the California-based electronics manufacturing company,” according to Mandiant.

UNC2529’s phishing campaign was not focused on a single industry vertical or a single region during the two waves of attacks.

While the threat group’s primary target area was the US, the attacks also targeted organizations from EMEA (Europe, the Middle East, and Africa), Asia, and Australia.

First wave of UNC2529 phishing attacks

“Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups,” Mandiant concluded.

“DOUBLEBACK appears to be an ongoing work in progress and Mandiant anticipates further actions by UNC2529 to compromise victims across all industries worldwide.”

Also Read: The DNC Singapore: Looking At 2 Sides Better

Indicators of compromise, including malware hashes and domains used to deliver the phishing emails, are available at the end of Mandiant’s report.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us