Narwhal Spider Threat Group Behind New Phishing Campaign Impersonating Reputable Law Firms

Using little more than a well-known business name and a invoice-related PDF, the “NaurLegal” phishing campaign aims at installing malware trojans.

This new campaign spotted by security analysts at BlueVoyant demonstrates how effective spear phishing can be — even when the phishing execution itself is relatively basic. According to the analysis, threat actors impersonate well-known law firms and send out PDF attachments with the filename "Invoice_[number]_from_[law firm name].pdf."

Simple enough, right?

The kicker is who they’re sending to. Narwhal Spider targeted specific industries and individuals who regularly interact with law firms, such that receiving an invoice from one would be relatively common.

This tactic is what makes an impactful phishing campaign — getting the message and the target so well-aligned that there’s not even a second though given when double-clicking an attachment on the part of the recipient.

It’s also the very reason that new-school security awareness training is necessary; employees need to be taught that they should have their defenses up with every email — even the ones they are absolutely certain are legit… because they still may not be.

And according to BlueVoyant, it appears that the payload intended is the IcedID trojan info stealer I’ve written about before that’s been around since last year. This makes a campaign like this very dangerous; play the campaign forward and you realize if the recipient is used to seeing invoices, they are in a position involved with making payments.

Take over that user account and gain access to an accounts payable system — or just do diligence on an upcoming payment and use a BEC attack to get the payment details changed — and it’s game over for the victim organization.