In recent months, six law firms were hit in distinct campaigns that delivered GootLoader and FakeUpdates (also known as SocGholish) malware during January and February 2023. These campaigns highlight an alarming trend: the increasing sophistication of cyber attacks aimed at the legal sector.
GootLoader, a downloader first identified in late 2020, has emerged as a significant player in the cybercrime landscape. It is capable of delivering a variety of secondary payloads, including advanced tooling such as Cobalt Strike and various ransomware families. Notably, GootLoader relies on search engine optimization (SEO) poisoning to manipulate search results, steering people who search for business-related documents to malicious sites, where the JavaScript-based malware is downloaded without the user’s informed consent.
According to cybersecurity firm eSentire, this particular campaign involved the threat actors compromising legitimate but vulnerable WordPress websites. They injected malicious content, allowing them to masquerade as legitimate business agreements. Users who unwittingly navigated to these compromised sites would initiate the download of GootLoader when they clicked on links offering these fraudulent agreements.
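The infection chain described above (a search-engine result, a compromised site serving a fake "agreement", then a JavaScript file handed to the browser) is something a defender can look for in web-proxy logs. The script below is an added illustration written for this article, not code from eSentire or from the campaign reporting: it correlates, per user, a landing page whose referrer is a search-engine results page with a subsequent JavaScript download from the same host, and reports which business-document lure words appeared in the search query. The log format, the sample log lines, the search-engine host list, the lure-term list and the five-minute correlation window are all constructed assumptions.

```python
"""
Heuristic detection for the SEO-poisoned, browser-delivered script download
pattern: search result -> compromised site -> JavaScript file download.

Constructed example. Log layout, host lists, lure terms and the time window
are assumptions for illustration, not values taken from any vendor report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical tab-separated proxy log:
#   timestamp  user  method  url  referrer  content_type  status
SAMPLE_PROXY_LOG = """\
2023-02-14T09:12:01Z\tjdoe\tGET\thttps://www.google.com/search?q=mutual+nda+agreement+template\t-\ttext/html\t200
2023-02-14T09:12:09Z\tjdoe\tGET\thttps://compromised-wp.example/2023/02/nda-agreement/\thttps://www.google.com/search?q=mutual+nda+agreement+template\ttext/html\t200
2023-02-14T09:12:15Z\tjdoe\tGET\thttps://compromised-wp.example/download.php?f=nda_agreement_template.js\thttps://compromised-wp.example/2023/02/nda-agreement/\tapplication/javascript\t200
2023-02-14T09:30:44Z\tasmith\tGET\thttps://cdn.example-vendor.com/static/app.js\thttps://portal.example-vendor.com/\tapplication/javascript\t200
2023-02-14T10:02:10Z\tjdoe\tGET\thttps://intranet.example-firm.local/forms/engagement-letter.pdf\thttps://intranet.example-firm.local/\tapplication/pdf\t200
"""

SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}  # assumption
SCRIPT_CONTENT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
SCRIPT_EXTENSIONS = (".js",)                                 # JavaScript payload, per the article
LURE_TERMS = ("agreement", "contract", "nda", "template")   # business-document lure words (assumed)
SEARCH_WINDOW_SECONDS = 300                                  # constructed tuning value


@dataclass
class Record:
    ts: datetime
    user: str
    method: str
    url: str
    referrer: str
    content_type: str
    status: int


@dataclass
class Alert:
    user: str
    host: str
    script_url: str
    query: str
    lure_terms: List[str]


def parse_log(text: str) -> List[Record]:
    """Parse the hypothetical tab-separated proxy format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, ref, ctype, status = line.split("\t")
        records.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              user, method, url, ref, ctype, int(status)))
    return records


def is_script_download(r: Record) -> bool:
    """A successful response that is JavaScript by content type or by file extension."""
    path = urlparse(r.url).path.lower()
    ctype = r.content_type.split(";")[0].strip().lower()
    return r.status == 200 and (ctype in SCRIPT_CONTENT_TYPES or path.endswith(SCRIPT_EXTENSIONS))


def search_query(url: str) -> Optional[str]:
    """Return the search terms if the URL is a search-engine results page, else None."""
    p = urlparse(url)
    if p.netloc not in SEARCH_ENGINE_HOSTS:
        return None
    q = parse_qs(p.query).get("q")
    return q[0] if q else ""


def detect(records: List[Record]) -> List[Alert]:
    """Flag script downloads preceded (same user, same host, within the window)
    by a page visit whose referrer was a search-engine results page."""
    alerts = []
    ordered = sorted(records, key=lambda r: r.ts)
    for i, r in enumerate(ordered):
        if not is_script_download(r):
            continue
        host = urlparse(r.url).netloc
        window_start = r.ts - timedelta(seconds=SEARCH_WINDOW_SECONDS)
        for prev in ordered[:i]:
            if prev.user != r.user or prev.ts < window_start:
                continue
            if urlparse(prev.url).netloc != host:
                continue
            q = search_query(prev.referrer)
            if q is None:
                continue
            terms = [t for t in LURE_TERMS if t in q.lower()]
            alerts.append(Alert(r.user, host, r.url, q, terms))
            break
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_PROXY_LOG)):
        print(f"[ALERT] user={a.user} host={a.host} query={a.query!r} lure={a.lure_terms}")
        print(f"        script={a.script_url}")
```

Against the constructed log, only the `jdoe` chain fires: the vendor CDN script for `asmith` comes from a different host than its referring page and has no search-engine hop, so it is not reported. Requiring all three links of the chain keeps the rule from alerting on every ordinary script load, which is why the host match and the time window are there; both are tunable to local traffic.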
Keegan Keplinger, a researcher at eSentire, emphasized that users are often unaware that they are downloading harmful software until it is too late, marking a significant escalation in the methods employed by cybercriminals targeting legal professionals. This has resulted in a notable uptick in breaches facilitated by GootLoader, reinforcing its place within the landscape of malicious JavaScript attacks aimed at business professionals.
In addition to GootLoader, the attackers also utilized SocGholish to facilitate infections during these campaigns. SocGholish acts as a downloader for additional executables, enhancing the attackers’ ability to deploy various malicious tools. The strategic choice of websites frequented by legal firms as watering holes for malware distribution is particularly concerning, as it underscores the ongoing evolution of tactics used in espionage operations.
Uncharacteristically, these attacks did not deploy ransomware but instead leaned toward hands-on-keyboard activity, suggesting a potential pivot in the attackers’ objectives. The use of such techniques could imply a shift toward data theft or corporate espionage rather than immediate financial extortion.
Keplinger noted that prior to 2021, phishing emails were the primary means of infection for threat actors. Between 2021 and 2023, however, the frequency of browser-based attacks rose markedly and now rivals email as a primary vector for exploitation. This shift has largely been fueled by the effectiveness of GootLoader, SocGholish, and other malware such as SolarMarker, with recent campaigns even leveraging Google Ads to boost visibility in search engine results.
The tactics employed in these attacks map to several MITRE ATT&CK tactics. Initial access through compromised web infrastructure, persistence via the installation of malware, and privilege escalation after executing malicious code demonstrate the layered approach attackers have taken against the legal sector.
Overall, these incidents serve as a reminder of the increasingly complex and targeted nature of cyber threats. Entities operating within the legal domain must remain vigilant and proactive in their cybersecurity posture to mitigate the risks posed by such advanced malware strategies.