Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

Mar 01, 2023
Ravie Lakshmanan
Threat Intelligence / Malware

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains.

GootLoader, active since late 2020, is a first-stage downloader that’s capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware.

It notably employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

In the campaign detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners’ knowledge.
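The paragraph above describes the attackers adding their own posts to compromised WordPress sites. The following is an added example, not eSentire's tooling or anything from the article, of the kind of audit a site owner can run over an export of the site's posts: it takes the JSON shape returned by the WordPress REST API's `wp/v2/posts` endpoint and flags posts whose author is not a known editor account, posts absent from an earlier baseline export, and posts that link to downloadable `.js` or `.zip` files. The author IDs, baseline IDs, lure keywords and sample posts are all constructed assumptions for illustration.

```python
"""Audit a WordPress post export for posts the site owner did not publish.

Added example for this article; not the project's or eSentire's code.
Input is a JSON array in the shape of the WP REST API `wp/v2/posts` response
(fields used: id, date, author, link, title.rendered, content.rendered).
The allowlists and sample posts below are constructed assumptions.
"""
import json
import re
from urllib.parse import urlparse

# Assumed: the user IDs of the site's legitimate editor accounts.
KNOWN_AUTHORS = {1, 2}
# Assumed: post IDs from a baseline export taken before the review period.
BASELINE_POST_IDS = {101, 102}
# Links to directly downloadable script/archive files inside post HTML.
# (.js reflects the JavaScript payload the article describes; .zip is an assumption.)
DOWNLOAD_LINK = re.compile(r'href="([^"]+\.(?:js|zip))"', re.IGNORECASE)
# Document-themed words used as lures ("business agreement" is from the article;
# the rest are assumed additions).
LURE_WORDS = re.compile(r"agreement|contract|template", re.IGNORECASE)

# Constructed sample export: two legitimate posts and one injected post.
SAMPLE_POSTS_JSON = json.dumps([
    {"id": 101, "date": "2023-01-10T09:00:00", "author": 1,
     "link": "https://blog.example-lawfirm.test/quarterly-update/",
     "title": {"rendered": "Quarterly update"},
     "content": {"rendered": "<p>Our office hours change next month.</p>"}},
    {"id": 102, "date": "2023-01-20T11:30:00", "author": 2,
     "link": "https://blog.example-lawfirm.test/new-partner/",
     "title": {"rendered": "New partner announcement"},
     "content": {"rendered": '<p>Read more <a href="/about/">about the firm</a>.</p>'}},
    {"id": 103, "date": "2023-02-03T02:14:00", "author": 7,
     "link": "https://blog.example-lawfirm.test/business-agreement-template/",
     "title": {"rendered": "Business agreement template download"},
     "content": {"rendered": '<p>Download the <a href="https://blog.example-lawfirm.test/files/business_agreement.js">business agreement</a>.</p>'}},
])


def audit_posts(posts_json, known_authors=KNOWN_AUTHORS, baseline_ids=BASELINE_POST_IDS):
    """Return {post_id: [reasons]} for every post that needs a human look."""
    findings = {}
    for post in json.loads(posts_json):
        reasons = []
        if post["author"] not in known_authors:
            reasons.append("unknown author id %d" % post["author"])
        if post["id"] not in baseline_ids:
            reasons.append("post not present in baseline export")
        for link in DOWNLOAD_LINK.findall(post["content"]["rendered"]):
            host = urlparse(link).netloc or "same site"
            reasons.append("download link to script/archive on %s: %s" % (host, link))
        if LURE_WORDS.search(post["title"]["rendered"]) and post["author"] not in known_authors:
            reasons.append("document-lure title from non-editor account")
        if reasons:
            findings[post["id"]] = reasons
    return findings


if __name__ == "__main__":
    for post_id, reasons in audit_posts(SAMPLE_POSTS_JSON).items():
        print(post_id)
        for reason in reasons:
            print("  -", reason)
```

Running the script prints only the injected post (id 103) with four reasons; the two baseline posts by known editors produce nothing. In practice the baseline is an earlier export of the same endpoint and the author allowlist comes from the site's user table, so any newly created author account shows up together with the posts it published.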

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” eSentire researcher Keegan Keplinger said in January 2022.
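The SEO-poisoning chain described above (search for a business document, land on the poisoned page, click the "agreement" link, receive a JavaScript file) leaves a distinctive two-hop pattern in web proxy logs. The following is an added detection example, not code from the article or from eSentire: it correlates, per client, a search-engine referral to a landing host with a later JavaScript download referred by that same host whose filename carries a document-themed lure word. The log format, field names, search-engine list, lure words and sample lines are constructed assumptions.

```python
"""Flag JavaScript downloads that follow a web-search referral to the same site.

Added example for this article; not eSentire's or the article's code.
Assumed proxy log format (constructed): one tab-separated record per line,
    <timestamp>\t<client_ip>\t<referrer_url>\t<requested_url>\t<content_type>
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed: search engines whose referrals start an SEO-poisoning chain.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Document-themed words in the lure filename ("agreement" from the article; others assumed).
LURE_WORDS = re.compile(r"agreement|contract|invoice|template", re.IGNORECASE)
JS_CONTENT_TYPES = {"application/javascript", "text/javascript"}

# Constructed sample log: one poisoned-search chain, one benign library fetch
# from a search result, one internal PDF, and a .js served without a search hop.
SAMPLE_LOG = """\
2023-02-14T09:12:03Z\t10.1.4.22\thttps://www.google.com/search?q=business+agreement+template\thttps://blog.example-compromised.test/2023/02/agreement/\ttext/html
2023-02-14T09:12:41Z\t10.1.4.22\thttps://blog.example-compromised.test/2023/02/agreement/\thttps://blog.example-compromised.test/download/business_agreement_form.js\tapplication/javascript
2023-02-14T09:13:10Z\t10.1.4.23\thttps://www.google.com/search?q=jquery+cdn\thttps://code.jquery.com/jquery-3.6.0.min.js\tapplication/javascript
2023-02-14T09:14:02Z\t10.1.4.24\thttps://intranet.example.test/docs/\thttps://intranet.example.test/docs/agreement.pdf\tapplication/pdf
2023-02-14T09:15:30Z\t10.1.4.25\thttps://intranet.example.test/portal/\thttps://intranet.example.test/static/agreement_form.js\tapplication/javascript
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    url: str
    search_query: str  # the query that led the client to the landing host


def is_javascript(url, content_type):
    """True if the response is JavaScript by MIME type or by file extension."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in JS_CONTENT_TYPES or urlparse(url).path.lower().endswith(".js")


def find_suspicious_js_downloads(log_text):
    """Return Hits for JS downloads reached via search -> landing host -> .js."""
    landings = {}  # client -> {landing host: search query}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, referrer, url, ctype = line.split("\t")
        ref = urlparse(referrer)
        ref_host = ref.netloc.lower()
        if ref_host in SEARCH_ENGINE_HOSTS:
            # First hop: remember which host this client reached from a search.
            query = parse_qs(ref.query).get("q", [""])[0]
            landings.setdefault(client, {})[urlparse(url).netloc.lower()] = query
            continue
        if not is_javascript(url, ctype):
            continue
        # Second hop: a JS file referred by a host the client reached via search.
        query = landings.get(client, {}).get(ref_host)
        filename = urlparse(url).path.rsplit("/", 1)[-1]
        if query is not None and LURE_WORDS.search(filename):
            hits.append(Hit(ts, client, url, query))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_js_downloads(SAMPLE_LOG):
        print(hit.timestamp, hit.client, hit.url, "| query:", hit.search_query)
```

Only the second sample line is flagged: the jQuery fetch has no landing-host hop and no lure word, the PDF is not JavaScript, and the intranet `.js` was never reached through a search engine. The search query is kept on each hit because it is the fastest way for an analyst to judge whether the lure matched what the user was actually looking for.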

The disclosure from eSentire is the latest in a wave of attacks that have utilized the Gootkit malware loader to breach targets.

GootLoader is far from the only JavaScript malware targeting business professionals and law firm employees. A separate set of attacks has also entailed the use of SocGholish, which is a downloader capable of dropping more executables.

The infection chain is further significant for taking advantage of a website frequented by legal firms as a watering hole to distribute the malware.

Another standout aspect of the twin intrusion sets is the absence of ransomware deployment, instead favoring hands-on activity, suggesting that the attacks could have diversified in scope to include espionage operations.

“Prior to 2021, email was the primary infection vector used by opportunistic threat actors,” Keplinger said. “From 2021 to 2023, browser-based attacks […] have steadily been growing to compete with email as the primary infection vector.”

“This has been largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results.”
