As part of a new barrage of global cyberattacks that distribute malware to targeted computers, the operators of the GootLoader campaign are now focusing on employees of accounting and legal firms, indicating that the adversary is expanding its emphasis to other high-value targets.
“GootLoader is a stealthy initial access malware, which after getting a foothold into the victim’s computer system, infects the system with ransomware or other lethal malware,” researchers from eSentire said in a report.
The cybersecurity services provider said it detected and shut down attacks against three law firms and an accounting company. Malware can reach victims' computers in several ways, including poisoned search results, fake updates, and trojanized applications downloaded from sites offering unlicensed software; GootLoader uses the first of these.
Details of a global drive-by download campaign were revealed in March 2021: it duped unsuspecting visitors into loading compromised WordPress websites belonging to legitimate businesses, using a technique known as search engine poisoning to push those sites to the top of search results.
According to the researchers' write-up, the method is to lure a business professional to one of the hacked websites and have them click on a link that leads to GootLoader, which then attempts to retrieve the final payload, whether a banking trojan, ransomware, or an intrusion tool or credential stealer.
According to eSentire, more than 100,000 malicious web pages were set up during the previous year on websites representing organizations in the hotel industry, high-end retail, education, healthcare, music, and visual arts, with one of the compromised websites hosting 150 rogue pages designed to social engineer users looking for postnuptial or intellectual property agreements.
The websites themselves are compromised by exploiting security flaws in the WordPress content management system (CMS), allowing the attackers to quietly inject their chosen pages without the website owner's knowledge. GootLoader's nature, and the fact that it is built to provide a backdoor into systems, suggests that the goal of the attacks may be intelligence gathering; it could equally be used to deliver further damaging payloads, such as Cobalt Strike and ransomware, to compromised systems for follow-on attacks.
To mitigate this threat, organizations should implement a screening procedure for business agreement samples, train staff to open documents only from trustworthy sources, and verify that the material obtained matches the content they intended to download.
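One way to implement the last recommendation, checking that a downloaded "agreement sample" really is the document type its name claims, as an added example that is not part of the original report or of eSentire's tooling. The `classify_download` function, the file names and the byte samples are constructed for illustration; the magic numbers for PDF, legacy .doc and the ZIP-based .docx layout are standard.

```python
import io
import os
import zipfile

# Leading bytes of document formats a user hunting for an agreement template
# would expect to receive; .docx is checked structurally instead (it is a ZIP).
DOCUMENT_MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}

def _looks_like_docx(data: bytes) -> bool:
    """A real .docx is a ZIP archive containing the core Office parts."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and "word/document.xml" in names

def classify_download(filename: str, data: bytes) -> str:
    """'ok' if name and bytes agree; 'mismatch' if the claimed document type
    is not backed by the bytes; 'unexpected-type' if the name is no document."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".docx":
        return "ok" if _looks_like_docx(data) else "mismatch"
    if ext in DOCUMENT_MAGIC:
        return "ok" if data.startswith(DOCUMENT_MAGIC[ext]) else "mismatch"
    return "unexpected-type"

def build_sample_docx() -> bytes:
    # Constructed minimal docx-shaped archive for the demo, not a real document.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed sample downloads; none are artifacts from the campaign.
SAMPLES = {
    "postnuptial_agreement.pdf": b"%PDF-1.4\n%constructed sample\n",
    "ip_agreement.pdf": b"var x = 'constructed script text';\n",
    "agreement_template.docx": build_sample_docx(),
    "contract.docx": b"PK\x03\x04" + b"\x00" * 26,  # ZIP header, no Office parts
    "agreement_sample.js": b"var y = 1;\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:26} -> {classify_download(name, blob)}")
```

Only the "ok" results should be allowed through to users; "mismatch" and "unexpected-type" are the cases where a file that was supposed to be an agreement template turned out to be something else.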