Triple DOUBLE Malware Family
First observed in December 2020, the Triple DOUBLE malware family is used by the UNC2529 APT group in targeted spear phishing attacks against a range of industries globally.
Summary
First observed in December 2020, the Triple DOUBLE malware family is used by the UNC2529 APT group in targeted spear phishing attacks against a range of industries globally.
Affected platforms
The following platforms are known to be affected:
Threat details
DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK are a trio of newly observed malware tools used by the UNC2529 advanced persistent threat group. The downloader, dropper, and backdoor, respectively, have been used in sophisticated spear phishing campaigns against large organisations across a range of industries worldwide.
Delivery & Activities
At the time of publication, there have been two waves of spear phishing carried out by UNC2529. The group created extensive profiles on potential targets and compromised a legitimate domain to ensure successful phishing attempts. Emails referenced product and events specific to each target and posed as genuine messages from business partners.
In the first wave, the emails contained a phishing URL which downloads a ZIP archive containing a corrupted PDF file and a JavaScript file. It is suspected that the PDF file has been corrupted by UNC2529 to convince users to interact with the JavaScript file, containing DOUBLEDRAG, causing it to be installed.
DOUBLEDRAG will then immediately attempt to download and install an instance of DOUBLEDROP. Interestingly, only DOUBLEDRAG exists on the file system – both DOUBLEDROP and DOUBLEBACK exist only in memory or are serialised in the registry database. DOUBLEDROP is a heavily obfuscated PowerShell script that launches DOUBLEBACK into a new copy of msiexec.exe.
Once installed, DOUBLEBACK will check if it is the only instance of itself running and will terminate that latest instance of itself if not. It then attempts to contact a command and control server. DOUBLEBACK’s functionality is provided by several plugins, which are specific to each target and configured using data sent from the C2 server. Once properly configured, DOUBLEBACK will await further commands from the C2 server.
In the second wave of attacks, the ZIP archive containing DOUBLEDRAG was dropped in favour of a Microsoft Excel file with embedded malicious macros that downloads DOUBLEDROP.
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 7 May 2021 10:19 am