Earlier this month, cybercriminals masquerading as law firms tricked several companies into downloading initial-access malware that could precede larger attacks down the line.
The group in question, which BlueVoyant tracks as “Narwhal Spider” (aka TA544, Storm-0302), is well known to researchers, with financially motivated campaigns dating back to at least 2017. Recently, it has been observed exploiting a one-day vulnerability in Windows SmartScreen.
Two weeks ago, on March 7, the group pulled off its latest heist: a short-lived, hit-and-run phishing campaign, with initial-access malware hidden inside PDFs disguised as legal invoices.
“It appears to have been a success,” says Joshua Green, senior security researcher for BlueVoyant. “Set up the infrastructure, send as much as you can into a widespread phishing campaign, then shut down the infrastructure and move on.”
Fake legal invoices
Each Narwhal Spider email began with a malicious PDF designed to look like a genuine invoice for legal services. The files have been given seemingly legitimate names in the format: “Invoice_[number]_from_[law firm name].PDF.”
As Green says, “It’s a pretty standard tactic because it works: the recall of a receipt, especially if you’re not expecting it. And the addition of [impersonating] high-level law firms, for people who belong to professional environments, makes the end user more curious. You know, ‘Let me click and I’ll go see what’s going on here’.”
The compromised WordPress sites used for command and control (C2) in this campaign included domains linked to WikiLoader, a malicious downloader first described by Proofpoint last spring. Among other anti-analysis techniques, WikiLoader is best known for one trick: it sends an HTTPS request to Wikipedia to determine whether it is running on an Internet-connected device or in an isolated sandbox. For redundancy, it also queries an unregistered domain and terminates if a valid response comes back. Sandboxes are often built to return a valid answer to every request, regardless of what was asked, so that malware samples go ahead and detonate; a domain that should not resolve but does is therefore a strong sign of an analysis environment.
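The two-step connectivity check described above, emulated as an added example (this is illustrative code written for this page, not WikiLoader's own code, and the canary URL and unregistered domain it uses are placeholder assumptions, since the article does not give the real ones). Network access is abstracted behind a small Environment class so the decision logic can be exercised offline against constructed scenarios, including the sandbox configuration that actually survives the check: answer the canary, but return NXDOMAIN for anything that is not registered.

```python
"""Emulation of the WikiLoader-style "am I in a sandbox?" decision logic.

Added illustration, not the loader's own code. Reported behaviour:
  1. HTTPS GET to Wikipedia: if it fails, assume no real Internet -> stop.
  2. Query a domain that is not registered: if it resolves, the network
     is being faked by an analysis sandbox -> stop.
Only if (1) succeeds and (2) fails does the loader proceed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Placeholder targets (assumptions for this example; the real loader's
# exact URL and bogus domain are not given in the article).
CANARY_URL = "https://en.wikipedia.org/wiki/Main_Page"
UNREGISTERED_DOMAIN = "definitely-not-registered-zz.invalid"


@dataclass
class Environment:
    """Constructed stand-in for the network: maps each target to an outcome."""
    https_ok: Dict[str, bool] = field(default_factory=dict)  # URL -> request succeeded?
    dns: Dict[str, bool] = field(default_factory=dict)       # domain -> resolves?

    def https_get_ok(self, url: str) -> bool:
        return self.https_ok.get(url, False)

    def resolves(self, domain: str) -> bool:
        return self.dns.get(domain, False)


def should_continue(env: Environment) -> Tuple[bool, str]:
    """Apply the two checks in order; return (proceed, reason)."""
    if not env.https_get_ok(CANARY_URL):
        return False, "no Internet: canary HTTPS request failed"
    if env.resolves(UNREGISTERED_DOMAIN):
        return False, "sandbox suspected: unregistered domain resolved"
    return True, "real, Internet-connected host"


# --- constructed scenarios -------------------------------------------------

def real_host() -> Environment:
    """Victim workstation: Wikipedia reachable, bogus domain is NXDOMAIN."""
    return Environment(https_ok={CANARY_URL: True}, dns={UNREGISTERED_DOMAIN: False})


def naive_sandbox() -> Environment:
    """Sandbox that fakes a valid answer for everything (defeated by check 2)."""
    return Environment(https_ok={CANARY_URL: True}, dns={UNREGISTERED_DOMAIN: True})


def isolated_sandbox() -> Environment:
    """Sandbox with no network at all (defeated by check 1)."""
    return Environment(https_ok={CANARY_URL: False}, dns={UNREGISTERED_DOMAIN: False})


def tuned_sandbox() -> Environment:
    """Sandbox that lets the canary through (or serves a convincing fake for
    it) but returns NXDOMAIN for names that genuinely do not exist.
    This is the configuration that passes both checks and gets a detonation."""
    return Environment(https_ok={CANARY_URL: True}, dns={UNREGISTERED_DOMAIN: False})


if __name__ == "__main__":
    for name, build in [("real host", real_host), ("naive sandbox", naive_sandbox),
                        ("isolated sandbox", isolated_sandbox), ("tuned sandbox", tuned_sandbox)]:
        proceed, why = should_continue(build())
        print(f"{name:17s} -> {'RUN ' if proceed else 'EXIT'} ({why})")
```

The practical takeaway for analysts is the last scenario: a sandbox that answers every DNS query with a fake address is exactly what this check is designed to detect, so fake-network tooling should resolve only names that really exist (or proxy real DNS while blocking the traffic) if the goal is to see the follow-on payload.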
So far, WikiLoader has tended to precede more damaging malware. In the recent SmartScreen campaign, the follow-on payload was Remcos RAT; earlier WikiLoader attacks have also delivered SystemBC RAT and Narwhal Spider’s historically favored malware, the Gozi (Ursnif) banking trojan.
This time, VirusTotal uploads associated with the campaign suggest that the IcedID banking trojan/loader could be one of the follow-on payloads.
What organizations can do
Historically, Narwhal Spider has specialized in targeting Italian organizations, but “towards the end of last year, this adversary began to expand. This shows that they are well within range to specifically target the United States,” warns Green. The March 7 attacks also reached targets in Canada and Europe.
The group escaped its regional bubble by crafting simple emails in multiple languages, something that has become increasingly common lately thanks to modern AI translation tools.
Therefore, for any organization that may receive one of these emails, BlueVoyant recommends keeping an eye out for unusual traffic patterns or any influx of external PDF invoices, especially those whose filenames follow the pattern “Invoice_[number]_from_[law firm name].pdf.” And, Green adds, companies need to properly train their employees on how to spot phishing emails.
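One way to turn that filename and “influx” recommendation into a check, as an added example (this is illustrative code written for this page, not BlueVoyant’s detection content): scan mail-gateway records for external senders whose attachments match the reported Invoice_[number]_from_[law firm].pdf pattern and raise an alert when several distinct external senders hit the pattern in a short window. The JSON-lines log format, the internal domain corp.example and the sample records are all constructed for the example and do not correspond to any real gateway or organization.

```python
"""Flag inbound mail whose attachment names match the reported Narwhal Spider
lure pattern, and detect a burst of them. Added example; the log shape is a
constructed JSON-lines format, not any particular gateway's."""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Case-insensitive: the article shows both ".PDF" and ".pdf" variants.
LURE_RE = re.compile(r"^Invoice_(\d+)_from_(.+)\.pdf$", re.IGNORECASE)

# Assumption for the example: the organization's own mail domain(s).
INTERNAL_DOMAINS = {"corp.example"}

# Constructed sample gateway log (not real traffic).
SAMPLE_LOG = """\
{"ts":"2024-03-07T09:12:01Z","from":"billing@lawfirm-a.example","to":"cfo@corp.example","attachments":["Invoice_48213_from_Lawfirm_A.PDF"]}
{"ts":"2024-03-07T09:12:07Z","from":"ap@vendor.example","to":"ap@corp.example","attachments":["PO_2211.pdf"]}
{"ts":"2024-03-07T09:13:40Z","from":"accounts@lawfirm-b.example","to":"legal@corp.example","attachments":["Invoice_48219_from_Lawfirm_B.pdf"]}
{"ts":"2024-03-07T09:14:02Z","from":"hr@corp.example","to":"all@corp.example","attachments":["Invoice_1_from_Internal.pdf"]}
{"ts":"2024-03-07T09:15:11Z","from":"noreply@lawfirm-c.example","to":"ceo@corp.example","attachments":["Invoice_48230_from_Lawfirm_C.pdf","notes.txt"]}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def flag_lure_attachments(records: List[Dict], internal_domains=INTERNAL_DOMAINS) -> List[Dict]:
    """Return one hit per matching attachment from an external sender."""
    hits = []
    for rec in records:
        if sender_domain(rec["from"]) in internal_domains:
            continue  # internal mail is out of scope for this lure
        for name in rec.get("attachments", []):
            m = LURE_RE.match(name)
            if m:
                hits.append({
                    "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
                    "from": rec["from"],
                    "to": rec["to"],
                    "filename": name,
                    "invoice_no": m.group(1),
                    "claimed_firm": m.group(2),
                })
    return hits


def influx_detected(hits: List[Dict], window: timedelta = timedelta(minutes=10), min_senders: int = 3) -> bool:
    """True if at least min_senders distinct external senders matched within any window."""
    hits = sorted(hits, key=lambda h: h["ts"])
    for i, first in enumerate(hits):
        senders = {h["from"] for h in hits[i:] if h["ts"] - first["ts"] <= window}
        if len(senders) >= min_senders:
            return True
    return False


if __name__ == "__main__":
    found = flag_lure_attachments(parse_log(SAMPLE_LOG))
    for h in found:
        print(f"{h['ts'].isoformat()} {h['from']:32s} -> {h['to']:20s} {h['filename']}")
    print("influx alert:", influx_detected(found))
```

Treat the filename match as a triage signal, not a verdict: a real law firm may send a real invoice with a similar name, which is why the block scopes to external senders and escalates on the burst rather than on any single message.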
“It’s a pretty standard cliché, but: the end user is the weakest link in most business environments,” he says.