In January and February 2023, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns, cybersecurity firm eSentire reports.
Targeting law firm employees, the first campaign aimed to infect victims’ devices with GootLoader, a malware family known for downloading the GootKit remote access trojan (RAT), REvil ransomware, or the Cobalt Strike implant.
According to eSentire, the attacks appear focused on espionage and exfiltration activities, given that none of the observed GootLoader infections in 2022 deployed ransomware.
For initial access, the attackers relied on search engine optimization (SEO) poisoning, adding blog posts to a compromised legitimate WordPress website.
The GootLoader-infected blogs featured legal keywords to attract law firm employees and to increase their rankings in search results.
Visitors were directed to a fake forum page encouraging them to download an alleged agreement template or contract template, but were served the GootLoader malware instead.
“The increased absence of ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations,” eSentire researcher Keegan Keplinger says.
As part of the second campaign, the attackers targeted law firm employees and other business professionals with the SocGholish malware, which is also known as FakeUpdates.
Typically used by initial access brokers, SocGholish allows attackers to perform reconnaissance and deploy additional payloads, including Cobalt Strike. Recently, the malware was also seen deploying the LockBit ransomware.
The observed attacks relied on poisoned domains, including the hijacked website of a business offering notary public services in Miami. The compromised website displayed a pop-up notification telling visitors to update the Chrome browser, but served the SocGholish malware instead.
“By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value,” eSentire notes.
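Both campaigns described above share a shape a defender can hunt for in web-proxy logs: a search-engine referral that lands on a third-party (often WordPress) site, followed by a download of an archive named like a legal "agreement" or "contract" template (the GootLoader lure), or a script download that presents itself as a browser update but comes from a host that is not the browser vendor's (the SocGholish lure). The following is an added example written for this article, not code from eSentire or from the report it summarises. The log format (timestamp, client, method, URL, referrer, content type), the `.example` hostnames, the search-engine and vendor host lists and the keyword heuristics are all assumptions constructed for illustration; the two flagged requests are constructed samples, not indicators from the campaigns.

```python
from urllib.parse import urlparse

# Constructed proxy log (six whitespace-separated fields). None of these hosts or
# paths come from the eSentire report; they only mirror the lure patterns it describes.
SAMPLE_LOG = """\
2023-02-01T10:15:02Z 10.0.0.12 GET https://search.example/?q=employment+agreement+template - text/html
2023-02-01T10:15:09Z 10.0.0.12 GET https://blog-compromised.example/forum/thread-4412 https://search.example/?q=employment+agreement+template text/html
2023-02-01T10:15:31Z 10.0.0.12 GET https://blog-compromised.example/download.php?file=employment_agreement_template.zip https://blog-compromised.example/forum/thread-4412 application/zip
2023-02-01T11:02:44Z 10.0.0.30 GET https://notary-miami.example/ https://search.example/?q=notary+public+miami text/html
2023-02-01T11:02:58Z 10.0.0.30 GET https://cdn-static.example/Chrome.Update.js https://notary-miami.example/ application/javascript
2023-02-01T11:40:00Z 10.0.0.41 GET https://dl.google.com/chrome/install/ChromeSetup.exe https://www.google.com/chrome/ application/octet-stream
"""

# Assumed allow/watch lists; a real deployment would source these from its own environment.
SEARCH_ENGINE_HOSTS = {"search.example", "www.google.com", "www.bing.com", "duckduckgo.com"}
VENDOR_HOSTS = {"dl.google.com", "www.google.com", "google.com"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}
SCRIPT_TYPES = {"application/javascript", "text/javascript"}
LURE_WORDS = ("agreement", "contract")  # the document-type words used in the GootLoader lure


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referrer, ctype = line.split()
        records.append({
            "ts": ts, "client": client, "method": method, "url": url,
            "referrer": None if referrer == "-" else referrer, "ctype": ctype,
        })
    return records


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def detect_lures(records):
    """Return alerts for the two lure patterns; records must be in time order."""
    alerts = []
    search_landed = {}  # client -> set of hosts that client reached via a search-engine referral
    for r in records:
        host = host_of(r["url"])
        ref_host = host_of(r["referrer"]) if r["referrer"] else ""
        if ref_host in SEARCH_ENGINE_HOSTS:
            search_landed.setdefault(r["client"], set()).add(host)

        low = r["url"].lower()
        is_archive = r["ctype"] in ARCHIVE_TYPES or ".zip" in low
        is_script = r["ctype"] in SCRIPT_TYPES or low.endswith(".js")

        # Rule 1: archive named like a legal template, fetched from a site the same
        # client first reached through a search engine (SEO-poisoning lure).
        if (is_archive and "template" in low and any(w in low for w in LURE_WORDS)
                and host in search_landed.get(r["client"], set())):
            alerts.append({"rule": "seo-poisoned-template-download",
                           "client": r["client"], "url": r["url"]})

        # Rule 2: script presenting itself as a Chrome update but served from a host
        # that is not the browser vendor's (fake-update lure).
        if is_script and "chrome" in low and "update" in low and host not in VENDOR_HOSTS:
            alerts.append({"rule": "fake-browser-update",
                           "client": r["client"], "url": r["url"]})
    return alerts


if __name__ == "__main__":
    for a in detect_lures(parse_log(SAMPLE_LOG)):
        print(a["rule"], a["client"], a["url"])
```

The first rule keys on the sequence rather than on any single URL, because the lure site is a legitimate compromised blog and will not appear on a block list; the second rule deliberately lets the genuine `ChromeSetup.exe` download from `dl.google.com` pass, since the suspicious signal is the combination of an update-themed script name and a non-vendor host, not the word "chrome" alone.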