In January and February 2023, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns, according to cybersecurity firm eSentire. The first campaign attempted to infect victims’ devices with GootLoader, a malware family known for downloading the GootKit remote access trojan (RAT), REvil ransomware, or the Cobalt Strike implant. The attackers used search engine optimization (SEO) poisoning to infect victims, adding blog posts to a compromised legitimate WordPress website with legal keywords in order to draw in law firm employees. Whenever victims attempted to download an agreement or contract template, they were instead served the GootLoader malware.
As part of the second campaign, the attackers targeted law firm employees and other business professionals with the SocGholish malware, also known as FakeUpdates. This malware was used to perform reconnaissance and deploy additional payloads, including the LockBit ransomware. The attacks relied on poisoned domains, including the hijacked website of a business offering notary public services in Miami. The compromised website displayed a pop-up notification informing visitors they should update the Chrome browser, but instead served the SocGholish malware.
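Both campaigns above share a detectable shape in web-proxy telemetry: a download whose name promises one thing (a contract template, a browser update) but whose served content is a script or archive. The following is an added illustration, not eSentire's detection logic or any artifact from the reported intrusions; the log format, hostnames and sample lines are constructed for the example, and the keyword lists and content-type sets are assumptions a defender would tune to their own environment.

```python
"""Constructed proxy-log heuristics for the two lure patterns described above.

The log format, hostnames and sample lines below are constructed for this
example; nothing here is eSentire's data or detection logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed keyword lists: words seen in document-template lures and in fake
# browser-update prompts. Tune to your environment.
LURE_WORDS = ("agreement", "contract", "template", "nda", "lease")
BROWSER_WORDS = ("chrome", "firefox", "edge", "browser")
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")

# Content types a real document template or vendor browser update should not
# arrive as from an ordinary blog or business website (assumed set).
SCRIPT_OR_ARCHIVE_TYPES = {
    "application/zip",
    "application/javascript",
    "text/javascript",
    "application/x-javascript",
    "application/octet-stream",
}

# Constructed log format: <client> GET <url> ct="<content-type>" ref="<referer>"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) GET (?P<url>\S+) ct="(?P<ct>[^"]*)" ref="(?P<ref>[^"]*)"$'
)


@dataclass
class Download:
    client: str
    url: str
    content_type: str
    referer: str

    @property
    def filename(self) -> str:
        # Last path segment with any query string removed, lower-cased for matching.
        return self.url.split("?", 1)[0].rsplit("/", 1)[-1].lower()


def parse_log_line(line: str) -> Optional[Download]:
    """Parse one constructed-format log line; return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return Download(m["client"], m["url"], m["ct"].lower(), m["ref"].lower())


def classify(d: Download) -> List[str]:
    """Return the list of lure patterns a download matches (empty if none)."""
    reasons: List[str] = []
    name = d.filename
    # Pattern 1 (SEO poisoning): a document-themed filename reached from a
    # search engine but served as a script or archive instead of a document.
    if (any(w in name for w in LURE_WORDS)
            and any(s in d.referer for s in SEARCH_ENGINES)
            and d.content_type in SCRIPT_OR_ARCHIVE_TYPES):
        reasons.append("template-lure-served-as-script-or-archive")
    # Pattern 2 (fake update): a browser "update" download delivered as a
    # script or archive by a site that is not the browser vendor.
    if ("update" in name
            and any(b in name for b in BROWSER_WORDS)
            and d.content_type in SCRIPT_OR_ARCHIVE_TYPES):
        reasons.append("fake-browser-update-download")
    return reasons


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Run both heuristics over log lines; return (client, url, reasons) for hits."""
    hits = []
    for line in lines:
        d = parse_log_line(line)
        if d is None:
            continue
        reasons = classify(d)
        if reasons:
            hits.append((d.client, d.url, reasons))
    return hits


# Constructed sample telemetry: one hit per pattern plus two benign downloads.
SAMPLE_LOG = [
    '10.0.0.5 GET https://blog.example/wp-content/uploads/2023/01/Consulting_Agreement_Template.zip ct="application/zip" ref="https://www.google.com/"',
    '10.0.0.5 GET https://blog.example/wp-content/uploads/2023/01/Consulting_Agreement_Template.pdf ct="application/pdf" ref="https://www.google.com/"',
    '10.0.0.7 GET https://notary.example/files/Chrome_Update.js ct="application/javascript" ref="https://notary.example/"',
    '10.0.0.8 GET https://intranet.example/policies/Contract_Template.docx ct="application/vnd.openxmlformats-officedocument.wordprocessingml.document" ref="https://intranet.example/"',
]

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

The two heuristics deliberately require the mismatch between expectation and content type rather than keywords alone, so a genuine PDF template reached from a search engine, or a document served from an internal share, produces no alert; the search-engine referer condition in the first pattern ties the alert to the SEO-poisoning delivery path rather than to any file that happens to be named "agreement".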
These attacks demonstrate a shift from financially motivated ransomware deployment to espionage and exfiltration activities. The attackers were willing to engage in hands-on intrusions and took advantage of high-value victims, such as visitors to the notary public website, to increase their chances of success.
In conclusion, the two campaigns targeting law firms in 2023 reflect this shift toward espionage and exfiltration. The attackers used SEO poisoning and a hijacked notary public website to infect victims, relying on the GootLoader and SocGholish malware to perform reconnaissance and deploy additional payloads.
Key Points:
• In January and February 2023, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns.
• The first campaign attempted to infect victims’ devices with GootLoader, while the second campaign targeted law firm employees with the SocGholish malware.
• These attacks demonstrate a shift from financially motivated ransomware deployment to espionage and exfiltration activities.
• The attackers used SEO poisoning and a hijacked notary public website to infect victims, relying on the GootLoader and SocGholish malware to perform reconnaissance and deploy additional payloads.