Cybercriminals Use GootLoader And FakeUpdates Malware to Target Law Firms


In January and February 2023, two separate threat campaigns that distributed the malware strains GootLoader and FakeUpdates (also known as SocGholish) targeted six different law firms. GootLoader, a first-stage downloader active since late 2020, is capable of distributing various secondary payloads, including Cobalt Strike and ransomware.

Notably, GootLoader uses SEO poisoning to steer victims searching for business-related documents to drive-by download websites that serve JavaScript malware. Security firm eSentire has described a campaign in which the threat actors are said to have compromised legitimate but vulnerable WordPress websites and covertly published new blog posts on them.

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” eSentire researcher Keegan Keplinger stated in January 2022.

The eSentire disclosure is the latest in a string of cyberattacks that have breached targets using the Gootkit malware loader. GootLoader is not the only JavaScript malware that preys on law firm staff and business professionals: SocGholish, a downloader capable of fetching additional executables, has also been used in a separate series of cyberattacks.

The infection chain is also notable for using a website frequented by law firm staff as a watering hole to spread the malware. Another notable feature of the twin intrusion sets is the absence of ransomware deployment and the preference for hands-on-keyboard activity, which raises the possibility that the scope of the attacks may have expanded to encompass espionage.

According to Keplinger, email was the main infection channel used by opportunistic threat actors up to 2021. Between 2021 and 2023, browser-based attacks increased steadily and now challenge email as the primary infection channel. GootLoader, SocGholish, SolarMarker, and new campaigns that use Google Ads to place malicious pages at the top of search results have all played a significant role in this shift.

About the author

Yehudah Sunshine


Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create or enhance opportunities, improve marketing strategies, and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.
