
In January and February 2023, six different law firms were targeted as part of two separate threat campaigns distributing the GootLoader and FakeUpdates (aka SocGholish) malware strains.
Active since late 2020, GootLoader is a first-stage downloader capable of delivering a wide range of secondary payloads, including Cobalt Strike and ransomware.
Specifically, it uses search engine optimization (SEO) poisoning to direct victims searching for business-related documents to drive-by download sites that drop JavaScript malware.
In a campaign detailed by cybersecurity firm eSentire, threat actors allegedly compromised legitimate but vulnerable WordPress websites and added new blog posts without the owners’ knowledge.
eSentire researcher Keegan Keplinger said in January 2022, "When a computer user navigates to one of these malicious web pages, clicks on a link, and downloads what is purported to be a business contract, they are unknowingly downloading GootLoader."

The disclosure from eSentire is the latest in a string of attacks that leveraged the Gootkit malware loader to compromise targets.
GootLoader isn't the only JavaScript malware that targets business professionals and law firm employees. A second series of attacks involved the use of SocGholish, a downloader capable of dropping additional executables.
The infection chain is notable for using websites frequented by law firm employees as watering holes to distribute the malware.
Another salient aspect of the twin intrusion sets is the absence of ransomware deployment in favor of hands-on activity, suggesting that the attacks may have broadened in scope to include espionage.
"Before 2021, email was the primary infection vector used by opportunistic attackers," said Keplinger. "From 2021 to 2023, browser-based attacks […] have been steadily growing to compete with email as the primary infection vector."
"This is largely due to recent campaigns that leverage GootLoader, SocGholish, SolarMarker and Google Ads to surface at the top of search results."