Hackers Posing as Law Firms Phish Global Orgs in Multiple Languages

Earlier this month, cybercriminals masquerading as law firms tricked multiple companies into downloading initial access malware that may precede greater attacks down the line.

The group in question, which BlueVoyant tracks as "Narwhal Spider" (aka TA544, Storm-0302), is well-known to cyber researchers, with financially motivated campaigns dating back at least to 2017. Recently, it was observed exploiting a one-day vulnerability in Windows SmartScreen.

Two weeks back — on March 7 — the group pulled off its latest heist: a near-instantaneous phishing onslaught, with initial access malware hidden inside of PDFs dressed up as legal invoices.

"It seems like it was a smash and grab," says Joshua Green, senior security researcher for BlueVoyant. "Infrastructure up, send out as much as possible in a widespread phishing campaign, and then shut the infrastructure down and move on."

Fake Legal Invoices

Each of Narwhal Spider's emails began with a malicious PDF designed to look like an authentic invoice for legal services. The files were given legitimate-seeming names in the format: "Invoice_[number]_from_[law firm name].pdf."

As Green says, "It's a pretty standard tactic because it works — the lure of a receipt, especially if you're not expecting it. And the addition of [impersonating] top-of-mind law firms, for people in professional circles, makes the end user more curious. You know, 'Let me click and go see what's going on here'."

The WordPress sites used for command-and-control (C2) in this campaign included domains linked to WikiLoader, a shifty downloader first described by Proofpoint last spring. Among other anti-analysis techniques, WikiLoader is best known for a little trick: sending an HTTPS request to Wikipedia to determine if it's in an Internet-connected device or an isolated sandbox environment. For redundancy, it also pings an unregistered domain and terminates if a valid response is returned. Sandboxes are often designed to feed valid responses no matter the query, to encourage malware samples to do their thing.

So far, WikiLoader tends to precede more actionable and destructive malware. In its recent SmartScreen campaign, that malware was Remcos RAT, but these attacks have also been harbingers for the SystemBC RAT and Narwhal Spider's historically favorite malware, the Gozi (Ursnif) banking Trojan.

This time around, VirusTotal uploads associated with the campaign suggest that the banking Trojan/loader IcedID may be one such follow-on payload.

What Orgs Can Do

Historically, Narwhal Spider has specialized in targeting Italian organizations, but "towards the end of last year, this adversary started expanding. This shows that they are well within range of targeting the US, specifically," Green warns. The March 7 attacks also reached targets in Canada and Europe.

The group has escaped its bubble by crafting barebones emails in multiple languages, something that has become ever more common lately, thanks to modern AI translation tools.

So to any organization that might receive one of these emails, BlueVoyant recommends keeping an eye out for unusual traffic patterns, or any influx of external PDF invoices, particularly those with files that follow the "Invoice_[number]_from_[law firm name].pdf" format. And, Green adds, companies need to adequately train their employees in how to spot phishing emails.

"It's a pretty standard trope, but: the end user is the weakest point in most enterprise environments," he says.