How to Remove DOUBLEDROP
Advanced cybercrime groups rarely rely on a single malware family to carry out an attack – typically, they develop a set of tools that support each other to make the attack swift, silent, and dangerous. This is the case with a trio of malware samples first spotted in December 2020 – DOUBLEDROP, DOUBLEBACK, and DOUBLEDRAG.
The topic of this page is DOUBLEDROP, a second-stage payload designed to drop the DOUBLEBACK backdoor. It relies on DOUBLEDRAG for the initial deployment – DOUBLEDRAG is the downloader hidden inside the malicious document that targets of this campaign received.
DOUBLEDROP is relatively ordinary, but one feature sets it apart from commercial droppers – it does not create files on the hard disk, which minimizes its footprint. It carries out the entire operation by modifying the Windows Registry and storing its components there, and it abuses the same technique to give its payload (DOUBLEBACK) persistence.
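The registry-resident behaviour described above suggests a concrete defender check: look for values that hold far more data than a normal setting, values that look like encoded blobs, and autorun entries that decode or load code from the registry instead of launching a file on disk. The script below is an added example, not code from the original article or from any vendor; it parses a regedit-style `.reg` export and flags such values. The sample export, the `ExampleApp` key and value names, the size threshold and the loader token list are constructed assumptions for illustration.

```python
"""Triage a Windows registry export (.reg) for a registry-resident payload and
registry-based persistence, the pattern attributed to DOUBLEDROP above.
Added example, not code from the original article; the sample export, key
names, value names and thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Autostart locations where a registry-resident dropper would plant its loader
# (constructed watchlist, matched as a suffix of the key path).
AUTORUN_KEYS = (
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)
# Tokens typical of an autorun entry that decodes script or reads code back out
# of the registry instead of launching a file on disk (constructed list).
LOADER_PATTERNS = re.compile(
    r"(-enc(odedcommand)?\b|get-itemproperty|regread|frombase64string|"
    r"\bmshta\b|\bwscript\b|\bcscript\b)", re.IGNORECASE)
LARGE_VALUE_BYTES = 4096          # constructed threshold: autorun values are usually short
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: bytes}}. Handles REG_SZ
    ("..."), dword: and hex/hex(n): values, including the backslash-continued
    hex lines regedit writes for long binary data."""
    tree = defaultdict(dict)
    key, pending = None, None          # pending = (value_name, hex text so far)
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:        # continuation of a multi-line hex value
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                tree[key][name] = bytes.fromhex(acc.replace(",", ""))
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree[key]                  # record the key even if it has no values
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            tree[key][name] = re.sub(r"\\(.)", r"\1", data[1:-1]).encode("utf-8")
        elif data.startswith("dword:"):
            tree[key][name] = int(data[6:], 16).to_bytes(4, "little")
        elif data.startswith("hex"):
            acc = data.split(":", 1)[1].rstrip("\\")
            if data.endswith("\\"):
                pending = (name, acc)
            else:
                tree[key][name] = bytes.fromhex(acc.replace(",", ""))
    return dict(tree)


def as_text(data):
    """Best-effort text view: UTF-16LE when every high byte is zero (hex(2)/hex(7)
    strings), otherwise latin-1 so binary blobs still pass through the regexes."""
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le").rstrip("\x00")
    return data.decode("latin-1")


def triage(tree):
    """Return (key, value_name, reason) findings for values worth an analyst's look."""
    findings = []
    for key, values in tree.items():
        in_autorun = key.upper().endswith(AUTORUN_KEYS)
        for name, data in values.items():
            text = as_text(data)
            if len(data) >= LARGE_VALUE_BYTES:
                findings.append((key, name, f"oversized value ({len(data)} bytes): possible stored payload"))
            elif BASE64_RUN.search(text):
                findings.append((key, name, "long base64-like blob: possible encoded payload"))
            if in_autorun and LOADER_PATTERNS.search(text):
                findings.append((key, name, "autorun entry that decodes or loads code from the registry"))
    return findings


def _regedit_hex(data, per_line=25):
    """Render bytes the way regedit exports them: comma-separated hex pairs with
    backslash-continued lines (constructed helper for the sample below)."""
    pairs = [f"{b:02x}" for b in data]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(chunks)


# Constructed export: one benign Run entry, one suspicious loader entry, and a
# helper key holding an encoded string plus an oversized binary value.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="powershell.exe -w hidden -EncodedCommand <constructed-placeholder>"',
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleApp]",
    '"Blob"="' + "QUFB" * 60 + '"',
    '"Stage"=hex:' + _regedit_hex(b"MZ" + bytes(4200)),
    "",
])

if __name__ == "__main__":
    for key, name, reason in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\\{name}: {reason}")
```

Run it against a real export (`reg export HKCU\Software out.reg` on the host, then feed the file's text to `parse_reg_export`) and expect the benign `OneDrive` entry to pass while the encoded autorun entry, the base64-like `Blob` and the oversized `Stage` value are reported; the thresholds are deliberately coarse, so treat hits as triage leads rather than verdicts.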
Cybercriminals, especially those behind campaigns like this one, are constantly experimenting with new types of attacks, malicious tricks, and deployment techniques. Users and system administrators should prepare their networks for such challenges by investing in reputable security software and by ensuring that computer operators follow safe browsing practices.