The Threat Fusion Center (TFC), a division of BlueVoyant, has uncovered the “NaurLegal” phishing campaign with fake invoices from law firms. The attackers rely on PDF documents, OneNote or Excel files that are infected with malware.
The attackers pose as law firms and abuse the trust that their victims place in legal service providers. The campaign is called “NaurLegal” and the attacks are believed to have been orchestrated by cybercrime group Narwhal Spider (also known as Storm-0302, TA544).
The attackers disguise malicious PDF files as authentic-looking invoices from reputable law firms, a tactic aimed at luring victims in various industries. The NaurLegal campaign feigns legitimacy by creating and sending PDF files with legitimate-looking file names such as “Invoice_[number]_from_[law firm name].pdf.” This strategy takes advantage of the fact that recipients routinely expect legal documents in everyday business correspondence, which increases the likelihood that they will open the malware-infected files.
Technical details of the malware used
The NaurLegal campaign infrastructure includes domains associated with WikiLoader, and the follow-on activity observed from them points to the same malware family. WikiLoader is known for sophisticated obfuscation and evasion techniques, for example checking responses from Wikipedia for specific strings in order to bypass sandbox environments. Narwhal Spider has used WikiLoader in the past, and the group's involvement in this campaign suggests that additional, more destructive malware payloads could be deployed down the line.
Reports on VirusTotal indicate that IcedID could be a possible payload associated with this campaign. Additionally, the campaign's C2 infrastructure appears to rely exclusively on compromised WordPress sites, a well-known Narwhal Spider tactic. Given the sensitive nature of the data managed by the targeted organizations, which includes intellectual property, corporate strategies and personal information, the stakes of a successful intrusion are particularly high.
Threat actors are expanding their reach
In the past, Narwhal Spider's WikiLoader campaigns primarily focused on Italian organizations and distributed malware via various email attachments, including Microsoft Excel, OneNote and PDF files. However, the NaurLegal campaign marks a departure from these geographically focused attacks and instead targets a broader range of organizations likely to deal with legal bills. This change in strategy highlights Narwhal Spider's adaptability and its efforts to exploit various vulnerabilities and social engineering tactics.
Attacks on supply chains and trusted partner relationships continue to increase worldwide, as BlueVoyant's 2023 State of Supply Chain Defense Report shows. The expansion of the activities of threat actors such as Narwhal Spider further reinforces this trend.
Recommended protective measures
The use of malware-infected PDF files disguised as invoices from legitimate law firms is a key indicator of attacks carried out as part of this campaign. Security teams should be alert to an unusually high volume of invoices in PDF format, especially those that come from external sources and are named in the pattern “Invoice_[number]_from_[law firm name].pdf.” Using modern email security solutions capable of analyzing PDF attachments for malicious content can help detect and contain these threats.
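The filename convention described above is a cheap first-pass triage signal. The following Python script is an added example (it is not BlueVoyant's or the TFC's code) that applies it to a batch of constructed message metadata: it flags PDF attachments from external senders whose names follow the “Invoice_[number]_from_[law firm name].pdf” pattern and reports sender domains that exceed a volume threshold. The internal domain, the sample messages and the threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Filename convention reported for the campaign: "Invoice_[number]_from_[law firm name].pdf".
# Case-insensitive so that "invoice_..." and ".PDF" variants are caught too.
INVOICE_NAME_RE = re.compile(r"^Invoice_\d+_from_.+\.pdf$", re.IGNORECASE)

# Hypothetical internal domain; replace with your own organisation's domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample messages for illustration, not real campaign data.
SAMPLE_MESSAGES = [
    {"sender": "billing@lawfirm-example.net",
     "attachments": ["Invoice_48213_from_Lawfirm Example LLP.pdf"]},
    {"sender": "accounts@example.com",
     "attachments": ["Invoice_1001_from_Example Legal.pdf"]},
    {"sender": "ops@partner-example.org",
     "attachments": ["Q3_report.xlsx"]},
    {"sender": "notices@lawfirm-example.net",
     "attachments": ["invoice_48214_from_Lawfirm Example LLP.PDF"]},
    {"sender": "hr@example.com",
     "attachments": ["policy.pdf"]},
]


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address):
    """True when the sender domain is not one of ours."""
    return sender_domain(address) not in INTERNAL_DOMAINS


def matches_invoice_pattern(filename):
    """True when the attachment name follows the reported campaign convention."""
    return bool(INVOICE_NAME_RE.match(filename))


def flag_messages(messages):
    """Return messages where an external sender attached an invoice-patterned PDF.

    Internal senders are skipped: the signal is external invoices only.
    """
    flagged = []
    for msg in messages:
        if not is_external(msg["sender"]):
            continue
        hits = [a for a in msg["attachments"] if matches_invoice_pattern(a)]
        if hits:
            flagged.append({"sender": msg["sender"], "attachments": hits})
    return flagged


def volume_by_sender_domain(flagged):
    """Count flagged messages per sending domain."""
    return Counter(sender_domain(m["sender"]) for m in flagged)


def senders_over_threshold(flagged, threshold):
    """Sender domains whose flagged-invoice volume reaches the threshold."""
    counts = volume_by_sender_domain(flagged)
    return sorted(d for d, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = flag_messages(SAMPLE_MESSAGES)
    for h in hits:
        print("flagged:", h["sender"], h["attachments"])
    print("high-volume senders:", senders_over_threshold(hits, threshold=2))
```

A filename match on its own is a weak indicator; real invoices from real law firms will also match. Treat it as a reason to route the attachment to content analysis (the PDF analysis the text recommends) and to compare the sender's volume against that domain's normal baseline, not as a verdict by itself.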
In addition to checking incoming emails, monitoring network connections is also an important method for identifying such attacks. The campaign relies on compromised WordPress websites for C2 communications, and unusual traffic patterns or spikes in traffic to and from WordPress websites could indicate a possible infection.
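To make the network-side recommendation concrete, here is an added Python example (not code from BlueVoyant or the TFC) that runs over constructed proxy log lines: it recognises destinations that look like WordPress sites from their URL paths, then counts POST requests per source host and destination within a sliding time window and flags pairs whose peak rate reaches a threshold, the kind of repeated traffic to a WordPress site that the text says could indicate an infection. The log format, host names, window and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# WordPress-specific URL path markers. A request to one of these is not
# malicious by itself; it only tells us the destination is probably WordPress.
WORDPRESS_PATH_RE = re.compile(
    r"/(wp-content|wp-includes|wp-admin|wp-json|xmlrpc\.php)(/|$|\?)",
    re.IGNORECASE,
)

# Constructed proxy log lines (timestamp, source host, method, URL); not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z ws-17 GET http://blog-example.org/wp-content/uploads/2024/03/img.png
2024-03-01T09:00:07Z ws-17 POST http://blog-example.org/wp-content/plugins/cache/index.php
2024-03-01T09:00:09Z ws-17 POST http://blog-example.org/wp-content/plugins/cache/index.php
2024-03-01T09:00:12Z ws-17 POST http://blog-example.org/wp-content/plugins/cache/index.php
2024-03-01T09:00:14Z ws-17 POST http://blog-example.org/wp-content/plugins/cache/index.php
2024-03-01T09:00:30Z ws-22 GET https://news-example.com/wp-includes/css/dist/style.css
2024-03-01T09:01:02Z ws-22 GET https://intranet.example.com/home
2024-03-01T09:01:10Z ws-17 POST http://blog-example.org/wp-content/plugins/cache/index.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+)$")


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "url": url,
        })
    return records


def host_of(url):
    """Lower-cased host part of a URL (scheme and path stripped)."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def is_wordpress_url(url):
    """True when the URL path carries a WordPress marker."""
    return bool(WORDPRESS_PATH_RE.search(url))


def peak_post_rate(records, window_seconds=60):
    """Per (source, destination host): the largest number of POSTs to
    WordPress paths that fall inside any window of window_seconds."""
    times = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and is_wordpress_url(r["url"]):
            times[(r["src"], host_of(r["url"]))].append(r["ts"])
    peaks = {}
    for key, ts_list in times.items():
        ts_list.sort()
        best, start = 0, 0
        for end in range(len(ts_list)):
            # Slide the window start forward until it fits within window_seconds.
            while (ts_list[end] - ts_list[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def flag_beaconing(records, threshold=4, window_seconds=60):
    """(source, host) pairs whose peak POST rate to a WordPress site reaches threshold."""
    peaks = peak_post_rate(records, window_seconds)
    return sorted(k for k, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, host in flag_beaconing(recs):
        print(f"repeated POSTs to WordPress site: {src} -> {host}")
```

The POST-rate heuristic is deliberately simple; a production detection would baseline each workstation's normal WordPress traffic (corporate blogs, news sites) and compare against it, since a single threshold will produce false positives on sites that users legitimately interact with. The point is that the WordPress path markers give the analyst a way to carve C2-candidate traffic out of the general web stream for closer inspection.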
More at bluevoyant.com
About BlueVoyant
BlueVoyant combines internal and external cyber defense capabilities into a results-oriented, cloud-based cybersecurity solution that continuously monitors networks, endpoints, attack surfaces and supply chains, as well as the clear, deep and dark web for threats. Comprehensive cyber defense products and services quickly illuminate, investigate and remediate threats to protect organizations.