In January and February 2023, two separate threat campaigns that distributed the malware strains GootLoader and FakeUpdates (also known as SocGholish) targeted six different law firms. GootLoader, a first-stage downloader active since late 2020, is capable of distributing various secondary payloads, including Cobalt Strike and ransomware.
“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” eSentire researcher Keegan Keplinger stated in January 2022.
The infection chain is also notable for using a website frequented by law firms as a watering hole to spread the malware. Another distinguishing feature of the twin intrusion sets is the absence of any ransomware deployment and a preference for hands-on-keyboard activity after initial access. This raises the possibility that the attacks' objectives have broadened to include espionage.
According to Keplinger, email was the main infection vector used by opportunistic threat actors up to 2021. Between 2021 and 2023, browser-based attacks grew steadily until they rivaled email as the primary infection vector. GootLoader, SocGholish, SolarMarker, and newer malvertising campaigns that abuse Google Ads to place malicious results at the top of search pages have all contributed significantly to this shift.