
Phony Law Firms Pretending to be Hackers Targeting Global Organizations


Cybercriminals posing as law firms have recently been able to deceive multiple companies into downloading initial access malware, setting the stage for potentially more damaging attacks in the future. The group behind this scheme, known as “Narwhal Spider” or TA544, has been on the radar of cybersecurity experts for several years, engaging in financially motivated campaigns since at least 2017. Their most recent tactic involved exploiting a one-day vulnerability in Windows SmartScreen to carry out their malicious activities.

On March 7, Narwhal Spider executed a swift phishing attack, distributing malware-laden PDFs disguised as legitimate legal invoices. According to Joshua Green, a senior security researcher at BlueVoyant, the operation appeared to be a hit-and-run strategy, with the group swiftly deploying a widespread phishing campaign before shutting down their infrastructure and moving on to the next target.

The bogus emails sent by Narwhal Spider contained PDF attachments that masqueraded as invoices for legal services, each file meticulously named to appear authentic, such as “Invoice_[number]_from_[law firm name].pdf.” Green explained that this tactic is effective because recipients are likely to open unexpected receipts, especially when they appear to be from well-known law firms, piquing the curiosity of the users.

The command-and-control (C2) infrastructure used by Narwhal Spider in this attack was linked to WordPress sites associated with WikiLoader, a downloader that Proofpoint identified last spring and that is notable for its evasion techniques. WikiLoader takes its name from an anti-analysis check: it sends an HTTPS request to Wikipedia to determine whether it is running on an internet-connected victim machine or inside a sandbox built for malware analysis. If the request fails or does not come back with the expected Wikipedia content, the loader assumes it is being analyzed in a controlled environment and terminates rather than fetching its next stage; only a genuine-looking response lets it continue.
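The probe logic described above, reconstructed as an added example in Python. This is not WikiLoader's code and is not taken from the article; the probe URL, the content marker and the three fetchers are assumptions constructed for illustration, since the page gives neither the exact URL nor the string the real loader looks for. The point for a sandbox operator is that a simulated network which answers every request with a generic 200 still fails a check that keys on page content rather than on mere reachability.

```python
"""Reconstruction of a Wikipedia-based connectivity / sandbox probe (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class HttpResponse:
    status: int
    body: str


# Assumptions for the illustration: the real loader's exact URL and marker are not given on the page.
PROBE_URL = "https://en.wikipedia.org/"
EXPECTED_MARKER = "Wikipedia, the free encyclopedia"

Fetcher = Callable[[str], Optional[HttpResponse]]


def internet_looks_real(fetch: Fetcher) -> bool:
    """Return True only if the probe reaches something that looks like the live Wikipedia page.

    Any transport error, non-200 status, empty body, or body lacking the marker is treated
    as an analysis environment.
    """
    try:
        resp = fetch(PROBE_URL)
    except Exception:          # DNS failure, refused connection, timeout: no real internet
        return False
    if resp is None or resp.status != 200 or not resp.body:
        return False
    return EXPECTED_MARKER in resp.body


def loader_should_continue(fetch: Fetcher) -> bool:
    """Decision the downloader makes before fetching its next stage."""
    return internet_looks_real(fetch)


# --- constructed fetchers standing in for three execution environments ---

def fetch_isolated(url: str) -> Optional[HttpResponse]:
    """Sandbox with no network: the request never completes."""
    raise ConnectionError(f"no route to {url}")


def fetch_fake_internet(url: str) -> Optional[HttpResponse]:
    """Sandbox that answers every HTTPS request with a generic 200 (a catch-all simulated server)."""
    return HttpResponse(200, "<html><body>OK</body></html>")


def fetch_live(url: str) -> Optional[HttpResponse]:
    """Real victim machine: a plausible Wikipedia front page (constructed body)."""
    return HttpResponse(200, "<html><head><title>Wikipedia, the free encyclopedia</title></head>"
                             "<body>...</body></html>")


if __name__ == "__main__":
    for name, fetch in [("isolated", fetch_isolated),
                        ("fake internet", fetch_fake_internet),
                        ("live", fetch_live)]:
        print(f"{name:13s} -> continue={loader_should_continue(fetch)}")
```

Only the third fetcher lets the loader proceed; an isolated sandbox and a sandbox with canned responses both look the same to it, which is why analysis environments that want to observe the next stage have to serve plausible content for the probe rather than just a successful status.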

Following the initial access malware deployed in this campaign, Narwhal Spider has historically introduced more malicious payloads such as the Remcos RAT, SystemBC RAT, and the Gozi (Ursnif) banking Trojan. Recent uploads to VirusTotal suggest that the banking Trojan/loader IcedID may have been the subsequent payload in this attack.

While Narwhal Spider initially targeted Italian organizations, they have broadened their scope to include targets in the US, Canada, and Europe. By sending minimalistic emails in different languages, the group has successfully increased their reach and impact, a trend that has become more prevalent due to advancements in AI translation tools.

To protect against such threats, BlueVoyant recommends vigilance in monitoring for unusual network activity and an influx of external PDF invoices, particularly those following the “Invoice_[number]_from_[law firm name].pdf” format. Furthermore, organizations are advised to provide comprehensive training to employees on identifying and mitigating phishing emails, as human error remains a significant vulnerability in enterprise security.
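One way to operationalize the attachment-name recommendation above, as an added example in Python that is not part of the article or of BlueVoyant's guidance: it parses a constructed mail-gateway log, keeps only messages from external senders whose attachment name matches the Invoice_[number]_from_[law firm name].pdf pattern, and flags any fixed 10-minute window in which the count reaches a threshold, which is the "influx" signal the recommendation refers to. The log format, the internal domain, the window size and the threshold are assumptions; the sample log lines are constructed, not real traffic.

```python
"""Added example: flag an influx of external 'Invoice_<n>_from_<firm>.pdf' attachments in a mail log."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumptions: our own mail domains, and a pipe-separated gateway log with the fields below.
INTERNAL_DOMAINS = {"example.com"}
LOG_FIELDS = ("ts", "sender", "recipient", "attachment")

# Pattern from the article's recommendation: Invoice_[number]_from_[law firm name].pdf
INVOICE_RE = re.compile(r"^Invoice_\d+_from_.+\.pdf$", re.IGNORECASE)

# Constructed sample log (not real traffic). Six deliveries on one day; the third is an
# internal accounts-payable mail that happens to use the same naming and must not be counted.
SAMPLE_LOG = """\
2024-03-07T09:01:12Z|billing@somefirm-law.test|alice@example.com|Invoice_48213_from_Somefirm_Law.pdf
2024-03-07T09:01:40Z|billing@somefirm-law.test|bob@example.com|Invoice_48214_from_Somefirm_Law.pdf
2024-03-07T09:02:03Z|ap@example.com|carol@example.com|Invoice_7_from_Example_Legal.pdf
2024-03-07T09:03:55Z|notices@another-firm.test|dave@example.com|Invoice_48215_from_Another_Firm.pdf
2024-03-07T09:04:10Z|news@vendor.test|erin@example.com|Q1_newsletter.pdf
2024-03-07T14:30:00Z|billing@somefirm-law.test|frank@example.com|Invoice_48300_from_Somefirm_Law.pdf
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the gateway log into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", len(LOG_FIELDS) - 1)
        if len(parts) != len(LOG_FIELDS):
            continue
        ev = dict(zip(LOG_FIELDS, parts))
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_external(address: str) -> bool:
    """True when the sender's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def suspicious_invoices(events):
    """External sender plus an attachment name matching the campaign's naming convention."""
    return [e for e in events if is_external(e["sender"]) and INVOICE_RE.match(e["attachment"])]


def bucket_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window (09:03 -> 09:00 for a 10 min window)."""
    epoch = datetime(1970, 1, 1)
    offset = (ts - epoch) % window
    return ts - offset


def influx_windows(events, window=timedelta(minutes=10), threshold=3) -> List[Tuple[datetime, int]]:
    """Windows in which the number of suspicious invoice deliveries reaches the threshold."""
    counts = Counter(bucket_start(e["ts"], window) for e in suspicious_invoices(events))
    return sorted((start, n) for start, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in suspicious_invoices(evs):
        print(f"suspicious: {e['ts']:%H:%M} {e['sender']} -> {e['recipient']} {e['attachment']}")
    for start, n in influx_windows(evs):
        print(f"INFLUX: {n} external law-firm invoice PDFs in the window starting {start:%Y-%m-%d %H:%M}")
```

The single afternoon delivery is still listed as suspicious but does not by itself trip the influx rule, and the internal accounts-payable message is excluded by the sender check even though its filename fits the pattern; both of those distinctions matter for keeping the alert actionable rather than noisy.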

Overall, the recent phishing campaign orchestrated by Narwhal Spider serves as a reminder of the ever-evolving tactics employed by cybercriminals, highlighting the importance of proactive cybersecurity measures and employee awareness to safeguard against potential threats.
