eSentire researchers have stopped 10 cyberattacks on six different law firms during January and February 2023. The attacks were part of two separate campaigns that aimed to distribute GootLoader and FakeUpdates (SocGholish) malware.
GootLoader operates on an access-as-a-service model: its operators gain footholds on compromised systems and hand them to other groups, which use the loader to drop additional malicious payloads. In past campaigns, GootLoader has been delivered disguised as freeware installers and legal documents to trick users into downloading it.
The first campaign relied on black-hat SEO (search engine poisoning) to push websites compromised by the GootLoader operators into the search results of users looking for specific information.
Victims who clicked through were redirected to a fake online forum page hosting a ZIP archive that contained a malicious .js file. Once run, the script established persistence and loaded a Cobalt Strike payload directly into the memory of the infected system.
The compromised sites in this campaign were legitimate WordPress websites to which the attackers had added new blog posts containing links to download a purported business agreement; what users actually downloaded was GootLoader.
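As an added example (not eSentire's or the article's code), the following Python implements two defender-side checks derived from the delivery chain described above: flagging a downloaded archive whose only contents are Windows script files (a "business agreement" that arrives as a ZIP wrapping a single .js is not a document), and flagging process-creation records in which the Windows Script Host runs a script from a user-writable download or temp location. The archive contents, the log-line format and every path in the sample log are constructed for this demonstration; they are not indicators taken from the report.

```python
"""Triage heuristics for archive-delivered script loaders (added example).

Two checks a defender can apply to the delivery chain described in the text:
  1. suspicious_archive(): a ZIP whose every file member is a Windows script
     (.js/.jse/.vbs/.vbe/.wsf/.wsh/.hta) is treated as a lure, including
     double-extension names such as "agreement.pdf.js".
  2. detect_script_host(): process-creation records where wscript.exe or
     cscript.exe is launched on a script that lives in a user-writable
     download or temp path.
The log format (ts= Image= ParentImage= CommandLine=) and all sample data are
constructed here; they are assumptions for the demo, not real telemetry.
"""
import io
import re
import zipfile
from dataclasses import dataclass

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an ordinary user can write to; a script executing from here was
# most likely downloaded rather than deployed by IT (assumed baseline).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)|Windows\\Temp|Temp)\\", re.I
)
LOG_RE = re.compile(r"ts=(\S+) Image=(\S+) ParentImage=(\S+) CommandLine=(.*)$")
# A Windows path in the command line ending in a script extension; the
# lookahead keeps ".js" from being reported for a file really named ".jse".
SCRIPT_ARG_RE = re.compile(
    r'"?([A-Za-z]:\\[^"]+?\.(?:jse|js|vbe|vbs|wsf|wsh|hta))"?(?=$|["\s])', re.I
)


def suspicious_archive(data: bytes) -> list[str]:
    """Return the member names if every file in the ZIP is a script, else []."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    if names and all(any(n.lower().endswith(e) for e in SCRIPT_EXTS) for n in names):
        return names
    return []


@dataclass
class Hit:
    ts: str
    image: str
    script: str


def detect_script_host(lines: list[str]) -> list[Hit]:
    """Flag script-host launches whose script argument sits in a user-writable path."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, image, _parent, cmdline = m.groups()
        if image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        for script in SCRIPT_ARG_RE.findall(cmdline):
            if USER_WRITABLE.search(script):
                hits.append(Hit(ts, image, script))
    return hits


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test fixture: an in-memory ZIP with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a lure-shaped archive and an ordinary document archive.
LURE_ZIP = build_sample_zip({"Business Agreement.pdf.js": b"// placeholder, not a loader"})
BENIGN_ZIP = build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"hi"})

# Constructed process-creation records. Explorer's built-in ZIP viewer extracts
# to %TEMP%\Temp1_<zipname>\ when a member is opened in place.
SAMPLE_LOG = [
    r'ts=2023-02-01T10:15:03Z Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\jdoe\Downloads\agreement_form(1)\agreement_form(1).js"',
    r'ts=2023-02-01T10:16:41Z Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_agreement.zip\agreement.js"',
    r'ts=2023-02-01T10:20:00Z Image=C:\Windows\System32\cscript.exe ParentImage=C:\Windows\System32\services.exe CommandLine=cscript.exe "C:\Program Files\Vendor\inventory.vbs"',
    r'ts=2023-02-01T10:21:12Z Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    print("lure archive members:", suspicious_archive(LURE_ZIP))
    print("benign archive members:", suspicious_archive(BENIGN_ZIP))
    for hit in detect_script_host(SAMPLE_LOG):
        print(f"{hit.ts} {hit.image} ran {hit.script}")
```

The third sample line (a signed-in service running a vendor script from Program Files) is deliberately left unflagged: restricting the alert to user-writable paths is what keeps this rule quiet in environments that legitimately use VBScript or JScript for administration. Tune USER_WRITABLE to the directories your users can actually write to.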
The second campaign saw the attackers attempt to infect law firm employees and other business professionals with SocGholish malware. SocGholish is a JavaScript framework that acts as a loader for other malware, most commonly Cobalt Strike payloads.
In this campaign, the threat actors conducted a watering hole attack: they compromised the website of a Notary Public that is frequently visited by legal firms and used it to distribute the malware. Law firms and other organizations should be aware of these tactics and take proactive measures to protect their systems.