Threat actors target law firms with GootLoader and SocGholish malware

Cyber criminals are targeting law firms with GootLoader and FakeUpdates (aka SocGholish) malware families.

Researchers from eSentire have foiled 10 cyberattacks targeting six different law firms throughout January and February of 2023.

The firms were targeted as part of two distinct campaigns aimed at distributing GootLoader and FakeUpdates (aka SocGholish) malware.

“The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.” reads the analysis published by the experts.

GootLoader runs on an access-a-as-a-service model, it is used by different groups to drop additional malicious payloads on the compromised systems. GootLoader has been known to use fileless techniques to deliver threats such as the SunCrypt, and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike. In the past, GootLoader distributed malware masquerading as freeware installers and it used legal documents to trick users into downloading these files. 

The attack chain starts with a user searching for specific information in a search engine. Attackers use black SEO technique to display a website compromised by GootLoader operators among the results.

Upon visiting the website, the victim will notice that it is presented as an online forum directly answering his query. This forum hosted a ZIP archive that contains the malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary in the memory of the infected system.

In the campaign blocked by eSentire, the threat actors compromised legitimate WordPress websites and added new blog posts without the knowledge of their admins.

The titles and the content of the posts were crafted to trick visitors into clicking the embedded links to download a purported business agreement, however, they are actually downloading GootLoader.

“While the term “agreement” is the commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” Gootloader uses legal titles in such a way that when a business professional searches on the Internet for specific contracts or agreements, there is little SEO competition for the collection of words used together, thus GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they’re presented with a fake forum page providing an alleged agreement template or contract template.” continues the analysis. “When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware.”

In another threat campaign observed in January, attackers attempted to infect law firm employees and other business professionals with the SocGholish malware.

SocGholish is a JavaScript framework that acts as a loader for other malware campaigns, most commonly Cobalt Strike payloads.

In the campaign blocked by the researchers, threat actors conducted a watering hole attack by compromising a website (Notary Public’s website) frequented by legal firms to distribute the malware.

“TRU observed that the GootLoader attacks in 2022 and those in January and February are not leading to Ransomware malware, which is curious. The increased absence of Ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations.” concludes the analysis.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, law firms)