In January and February 2023, two separate threat campaigns that distributed the malware strains GootLoader and FakeUpdates (also known as SocGholish) targeted six different law firms. GootLoader, a first-stage downloader active since late 2020, is capable of distributing various secondary payloads, including Cobalt Strike and ransomware.
Notably, it uses SEO poisoning to direct victims looking for business-related files to drive-by download websites that have JavaScript malware. Security firm eSentire has described a campaign in which threat actors are said to have infiltrated trustworthy but susceptible WordPress websites and secretly uploaded new blog posts.
“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” eSentire researcher Keegan Keplinger stated in January 2022.
The eSentire revelation is the most recent in a string of cyberattacks that have breached targets using the Gootkit malware loader. GootLoader is not the only JavaScript malware that preys on law firm staff members and business professionals. SocGholish, a downloader with the ability to download additional executables, has also been used in a different series of cyberattacks.
The infection chain is also crucial for using a law firm-frequented website as a watering hole to spread the malware. Another notable feature of the twin intrusion sets is the lack of ransomware deployment and the preference for hands-on action. This raises the possibility that the assaults’ scope may have expanded to encompass espionage activities.
According to Keplinger, email was the main infection channel employed by opportunistic threat actors up to 2021. Between 2021 and 2023, browser-based cyberattacks increased steadily to challenge email as the primary infection channel. GootLoader, SocGholish, SolarMarker, and new initiatives using Google Ads to float top search results have all played a significant role in this.
