Serving malware via physical legal documents
I have decided to post about a personal trick I created and have used for quite a while. Given that most process servers are private entities, rather than actual members of the court, they are ready for hire without filing an actual legal process. Thus, it is possible for an official looking person to arrive at a target and present the payload in person without ever leaving a trace of your identity. This physical legal document has successfully gained my administrator credentials from targets that normally have a high level of security awareness, and usually catch phishing attempts.
Upon being served the document, by an authentic and unwitting process server, the target will try to react as this is a legal notice. Usually, this involves writing a reply. If they reply by email, then I can spike the PDF of subsequent exchanges. However, some may note that there is no return address specified in the document. This is intentional, as it drives users to the infected website to find the address or phone number of the legal counsel. This causes the victim to open a malware infested webpage that they otherwise may avoid and, in the case of my targets, disable their browser protection plugins such as NoScript.
Phishing is always going to catch some victims off guard, but there tend to be stubborn targets. Given the nature of the legal system in most modern countries, including the USA, it is worth noting that most people will want to get a legal threat off their table as quickly as possible. Combined with the knowledge that incidents such as employees using corporate networks for nefarious purposes leads to this as a useful attack vector. Companies receive notices such as this cease and desist fairly often, and respond with the usual “the employee has been fired/disciplined/otherwise dealt with.” However, given that law firms have power to do significant damage, and almost universally do not have PGP signed emails or documents, there is little a business can do to avoid opening the affected law firm site or emails in one way or another.
Risk here can be mitigated by sandboxing the unknown source in a virtual environment. For the administrator I last targeted with this, an additional recommendation was to not use an administrator account for daily activities but rather a standard account, leaving the admin credentials for when actually performing admin duties.