Phishing attacks have spawned a slew of new malware threats in recent days, according to researchers who've identified a serious threat actor behind three new connected malware families — which have been labeled as Doubledrag, Doubledrop, and Doubleback — and another unrelated threat called Panda Stealer, which is a variant of a cryptocurrency stealer and is mostly being spread via global email spam.
Here's a rundown on these new malware discoveries, including what researchers have found and what the findings imply.

Let's start with a report from FireEye’s Mandiant cybersecurity team, which revealed malware strains that had never been seen before, built with “professionally coded sophistication,” and delivered in two waves of phishing attacks globally. These attacks hit some 50 organizations at the end of 2020, with the first wave reported on December 2 and the second wave coming between December 11 and December 18.
In both waves, the US was the main target. “In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries,” the report notes. “Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of the malware, this threat actor appears experienced and well resourced.” These phishing campaigns were built around tricking recipients into opening emails containing inline links to malicious URLs and subsequently tricking the victim into downloading dangerous files.
Because of this, it's worth reiterating that there's never a bad time to brush up on the best practices governing how to protect yourself from phishing attacks and emails that, more than ever, can look like they're the real thing — a package delivery update, or an alert from your bank or credit card company, for example. Here's a helpful rundown of some strategies to follow to stay safe from phishing attacks.
Meantime, the Panda Stealer malware we mentioned above was revealed, thanks to researchers from Trend Micro, to be targeting people around the world, including in the US, Japan, Australia, and Germany. “Panda Stealer is deployed through spam emails posing as business quote requests to lure unwary victims into opening malicious Excel files,” the researchers explain.
This one sounds particularly nasty. “Once installed,” the researchers continue, “Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Not only does it target cryptocurrency wallets, it can steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam.”
Furthermore, Panda Stealer is able to take screenshots of the infected computer and to exfiltrate browser data such as cookies, passwords, and payment card details. The full Trend Micro report is definitely worth a read.