BlueVoyant Identifies Novel Threat Actor Campaign Using Fake Law Firm Invoices to Launch Phishing Attacks

BlueVoyant's Threat Fusion Cell (TFC) recently flushed out a cyber attack campaign targeting a diverse array of organizations by exploiting the inherent trust associated with legal services. We have dubbed the campaign ‘NaurLegal’ and believe it is orchestrated by the eCrime group Narwhal Spider (a.k.a. Storm-0302, TA544).

Campaign Details

The attackers disguise malicious PDF files as authentic-looking invoices from reputable law firms, a tactic designed to deceive recipients across various industries. The NaurLegal Campaign leverages the guise of legitimacy by crafting PDF files with convincing file names such as "Invoice_[number]_from_[law firm name].pdf." This strategy plays on the routine expectation of receiving legal documents in business operations, increasing the likelihood of the recipients opening the files.

The infrastructure supporting the NaurLegal Campaign includes domains linked to WikiLoader with follow-on activity lending itself to this malware attribution. WikiLoader is known for sophisticated evasion techniques, such as checking Wikipedia responses for specific strings to evade sandbox environments. Narwhal Spider has previously utilized WikiLoader, and its involvement in this campaign indicates the potential for subsequent deployment of more destructive malware payloads. Virus Total submissions hint that IcedID may be one such payload associated with this campaign. Given the sensitive nature of the data managed by the targeted organizations, which includes intellectual property, corporate strategies, and personal information, the stakes of a successful breach are particularly high. Furthermore, the C2 infrastructure associated with this campaign relies, seemingly exclusively, on compromised WordPress sites — a known tactic of Narwhal Spider.

Threat Actor Broadening Scope

Historically, Narwhal Spider's WikiLoader campaigns have primarily focused on Italian organizations, delivering malware through various email attachments, including Microsoft Excel, OneNote, and PDF files. However, the NaurLegal Campaign marks a departure from these geographically-focused attacks, instead targeting a broader spectrum of organizations that are likely to handle legal invoices. This strategic shift highlights Narwhal Spider's adaptability and its efforts to exploit different vulnerabilities and social engineering tactics.

Attacks targeting supply chains and trusted partner relationships continue to rise globally, as identified by BlueVoyant in our report “State of Supply Chain Defense Report 2023.” The expansion of operations by threat actors such as Narhwal Spider continue to support this trend.

Key Details for Network Defenders

The campaign's use of malicious PDF files disguised as invoices from reputable law firms is a key indicator. Network defenders should be alert to an unusual influx of PDF invoices, particularly those originating from external sources and following the naming convention "Invoice_[number]_from_[law firm name].pdf." Implementing advanced email security solutions capable of analyzing PDF attachments for malicious content can help detect these threats.

In addition to mail ingress, monitoring network connections is a viable detection method for this attack. The campaign relies on compromised WordPress sites for C2 communications, and unusual traffic patterns or spikes in traffic to and from WordPress sites could indicate a potential infection.

Sources:

• BlueVoyant TFC-Derived Reporting
• https://github.com/pr0xylife/WikiLoader/blob/main/WikiLoader_07.03.2024.txt
• https://twitter.com/Cryptolaemus1/status/1765815254490005922
• https://www.bluevoyant.com/resources/the-state-of-supply-chain-defense-2023
• https://www.bankinfosecurity.com/new-malware-wikiloader-targeting-italian-organizations-a-22702

Associated MITRE Techniques:

• T1071.001, T1204.002, T1566.001