Law firms targeted in GootLoader and FakeUpdates malware campaigns

Two campaigns launched


Legal firms are one of the primary targets for cybercriminals because they have access to sensitive information. According to cybersecurity firm eSentire, in January and February 2023, six different law firms were targeted in two separate attack campaigns that deployed the GootLoader and SocGholish[1] malware. The attacks used sophisticated techniques to infiltrate law firms' networks and systems.

GootLoader is a downloader that was first identified in late 2020.[2] It has since been used to deliver a wide range of secondary payloads, such as Cobalt Strike and ransomware. The malware employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

In the first campaign, the attackers compromised vulnerable WordPress websites and added new blog posts stuffed with legal keywords. The planted posts were used to draw in legal professionals and boost the websites' search-engine rankings. Victims were then routed to a fake forum website where they were prompted to download a purported agreement or contract template that was actually GootLoader.

The SocGholish malware, also known as FakeUpdates, was used by the attackers in the second campaign to target employees of law firms and other business professionals. It enables attackers to conduct reconnaissance and launch further payloads, such as Cobalt Strike and the LockBit ransomware.

The attacks used poisoned domains, including a Miami notary company's website that had been taken over. The hacked website served SocGholish through a fake pop-up notification advising visitors to update their Chrome browser. The SocGholish operators infect a large number of lower-traffic websites in order to reach high-value targets such as law firms.

Sensitive information about clients and users is an attractive target for hackers and other cybercriminals, and campaigns that spread information-stealers are common. Attacks on particular companies such as Google or social-media platforms can likewise expose users' data and lead to direct scams.

Espionage focus

The attacks on law firms using GootLoader and SocGholish malware are concerning as they appear to be focused on espionage operations rather than financial gain. The attackers did not deploy any ransomware, instead preferring hands-on activity. This suggests that the attacks could have diversified in scope to include cyber espionage operations. As eSentire researcher Keegan Keplinger noted:[3]

Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks have steadily been growing to compete with email as the primary infection vector.

This trend is largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results.

Apart from the potential loss of sensitive information, legal firms and other businesses targeted by malware attacks could face serious legal consequences. GootLoader uses fraudulent SEO practices to push a page into relevant Google search results, which also puts the organizations that operate the compromised websites in danger.

The issue is that this downloader campaign modifies existing websites so that they serve different content whenever a visitor arrives through a poisoned link, changing how those sites appear to particular visitors. This may lead to severe fines and to the risk of phishing, because GootLoader sends users to a page that can be used as a "trap" or "bait" for unwary users.

Prevention measures to be taken

To prevent GootLoader and other malware attacks, organizations must take preventive measures such as not downloading compromised plugins, in particular the GootLoader plug-in itself.

Protecting your CMS and web pages also means watching for warning signs such as a JavaScript file being executed by Wscript, or a file named "agreement.js" (for English-language site users). Beyond this, organizations must keep their software up to date, use two-factor authentication, and implement proper security protocols.
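The warning sign above (a JavaScript file run by Wscript, and in particular one named "agreement.js") can be checked against process-creation telemetry. The following is an added example, not code from the original article or from eSentire: it scans constructed "Key=value|Key=value" process records; the cscript.exe host, the user-writable directory list, and the record format are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Script hosts that run the JavaScript loader (the page names Wscript; cscript is an assumed sibling).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Lure file name named on the page; add others seen in your own telemetry.
LURE_NAMES = {"agreement.js"}
# Directories a downloaded archive is usually extracted into (assumption).
USER_DIRS = re.compile(r"\\(downloads|temp)\\", re.IGNORECASE)
# First argument token ending in .js/.jse (quoted or not).
SCRIPT_ARG = re.compile(r'"?([^"\s]+?(?:\.jse|\.js))"?(?=["\s]|$)', re.IGNORECASE)

@dataclass
class Finding:
    severity: str
    reason: str
    command_line: str

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=value|Key=value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def check_event(event: dict) -> Optional[Finding]:
    """Flag a script host executing a .js file; escalate on lure name or user path."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    m = SCRIPT_ARG.search(cmd)
    if not m:
        return None  # script host started without a script argument
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in LURE_NAMES:
        return Finding("high", f"{image} ran known lure script {name}", cmd)
    if USER_DIRS.search(path):
        return Finding("medium", f"{image} ran script from user-writable path", cmd)
    return Finding("low", f"{image} executed {name}", cmd)

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (check_event(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\a\Downloads\agreement\agreement.js"',
    r'Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Users\a\AppData\Local\Temp\invoice.js',
    r'Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //nologo C:\ProgramData\it\logon.jse',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\a\Downloads\agreement.js',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.severity, "-", finding.reason)
```

The "low" tier exists so that legitimate logon scripts run by an administrator's script host are still visible for review rather than silently dropped.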

In conclusion, legal firms and businesses must stay vigilant against the growing threat of malware attacks. The GootLoader and SocGholish campaigns demonstrate the potential dangers posed by these sophisticated malware strains.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
