Hackers Posing as Law Firms Phish Global Orgs in Multiple Languages

Published: 23/11/2024   Category: security




Companies trust lawyers with the most sensitive information they've got. Attackers are aiming to exploit that bond to deliver malware.



Earlier this month, cybercriminals masquerading as law firms tricked multiple companies into downloading initial access malware that may precede greater attacks down the line.
The group in question, which BlueVoyant tracks as Narwhal Spider (aka TA544, Storm-0302), is well-known to cyber researchers, with financially motivated campaigns dating back at least to 2017. Recently, it was observed exploiting a one-day vulnerability in Windows SmartScreen.
Two weeks back — on March 7 — the group pulled off its latest heist: a near-instantaneous phishing onslaught, with initial access malware hidden inside of PDFs dressed up as legal invoices.
"It seems like it was a smash and grab," says Joshua Green, senior security researcher for BlueVoyant. "Infrastructure up, send out as much as possible in a widespread phishing campaign, and then shut the infrastructure down and move on."
Each of Narwhal Spider's emails began with a malicious PDF designed to look like an authentic invoice for legal services. The files were given legitimate-seeming names in the format: Invoice_[number]_from_[law firm name].pdf.
As Green says, "It's a pretty standard tactic because it works — the lure of a receipt, especially if you're not expecting it. And the addition of [impersonating] top-of-mind law firms, for people in professional circles, makes the end user more curious. You know, 'Let me click and go see what's going on here.'"
The WordPress sites used for command-and-control (C2) in this campaign included domains linked to WikiLoader, a shifty downloader first described by Proofpoint last spring. Among other anti-analysis techniques, WikiLoader is best known for a little trick: sending an HTTPS request to Wikipedia to determine if it's on an Internet-connected device or in an isolated sandbox environment. For redundancy, it also pings an unregistered domain and terminates if a valid response is returned. Sandboxes are often designed to feed valid responses no matter the query, to encourage malware samples to do their thing.
So far, WikiLoader tends to precede more actionable and destructive malware. In its recent SmartScreen campaign, that malware was Remcos RAT, but these attacks have also been harbingers for the SystemBC RAT and Narwhal Spider's historically favorite malware, the Gozi (Ursnif) banking Trojan.
This time around, VirusTotal uploads associated with the campaign suggest that the banking Trojan/loader IcedID may be one such follow-on payload.
Historically, Narwhal Spider has specialized in targeting Italian organizations, but towards the end of last year, this adversary started expanding. "This shows that they are well within range of targeting the US, specifically," Green warns. The March 7 attacks also reached targets in Canada and Europe.
The group has escaped its bubble by crafting barebones emails in multiple languages, something that has become ever more common lately, thanks to modern AI translation tools.
So to any organization that might receive one of these emails, BlueVoyant recommends keeping an eye out for unusual traffic patterns, or any influx of external PDF invoices, particularly those with files that follow the Invoice_[number]_from_[law firm name].pdf format. And, Green adds, companies need to adequately train their employees in how to spot phishing emails.
"It's a pretty standard trope, but: the end user is the weakest point in most enterprise environments," he says.
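BlueVoyant's recommendation above (watch for an influx of external PDF invoices named in the Invoice_[number]_from_[law firm name].pdf format) can be turned into a simple mail-gateway hunt. The following is an added example, not code from the article or from BlueVoyant; the log format, the internal domain corp.test, and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attachment names in the lure format described in the article:
# Invoice_[number]_from_[law firm name].pdf (case-insensitive extension)
INVOICE_LURE = re.compile(r"^Invoice_\d+_from_[^\\/]+\.pdf$", re.IGNORECASE)

# Constructed sample mail-gateway log (hypothetical format, not any real product's):
# timestamp | sender | recipient | attachment filename
SAMPLE_LOG = """\
2024-03-07T09:01:12 | billing@example-firm.test | alice@corp.test | Invoice_48213_from_Example_Law_Group.pdf
2024-03-07T09:01:15 | billing@example-firm.test | bob@corp.test | Invoice_48214_from_Example_Law_Group.pdf
2024-03-07T09:02:40 | hr@corp.test | carol@corp.test | Q1_benefits_summary.pdf
2024-03-07T09:03:05 | notices@other-firm.test | dave@corp.test | Invoice_99001_from_Other_Partners_LLP.PDF
2024-03-07T11:30:00 | vendor@supplier.test | erin@corp.test | invoice_march.pdf
"""
INTERNAL_DOMAIN = "corp.test"  # assumed: the organization's own mail domain

def parse_log(text):
    """Split each 'ts | sender | rcpt | filename' line into a dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, fname = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender, "rcpt": rcpt, "fname": fname})
    return events

def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)

def lure_matches(events):
    """Events whose attachment follows the Invoice_<n>_from_<firm>.pdf lure format and came from outside."""
    return [e for e in events if is_external(e["sender"]) and INVOICE_LURE.match(e["fname"])]

def burst_alerts(matches, window=timedelta(minutes=5), threshold=2):
    """Flag sender domains that delivered >= threshold lure-format PDFs inside `window` (the 'influx' pattern)."""
    by_domain = defaultdict(list)
    for e in matches:
        by_domain[e["sender"].split("@")[1].lower()].append(e["ts"])
    alerts = {}
    for dom, stamps in by_domain.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= threshold:
                alerts[dom] = count
                break
    return alerts

if __name__ == "__main__":
    hits = lure_matches(parse_log(SAMPLE_LOG))
    print(burst_alerts(hits))  # {'example-firm.test': 2}
```

A single lure-format PDF from one sender is only a weak signal on its own; the burst check is what separates a campaign like the March 7 one from an ordinary invoice.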




