Threat actors targeted about six law firms between January and February 2023 as part of cybercriminal operations that use the GootLoader and FakeUpdates malware.
The GootLoader malware strain has been active since 2020. This malware is a first-stage downloader that can deliver various secondary payloads such as ransomware and Cobalt Strike.
In addition, it adopts search engine optimisation (SEO) poisoning tactics to funnel victims who search for business-related documents toward drive-by download websites that launch the JavaScript payload.
The GootLoader and FakeUpdates operators have compromised different online entities.
According to investigations, the GootLoader and FakeUpdates malware operators compromised legitimate but vulnerable WordPress websites. The compromise allowed them to add new blog posts without the site administrator’s authorisation.
The researchers explained that once a computer user navigates to one of these compromised web pages and clicks the link to download the business agreement, they will initiate the download sequence for GootLoader.
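The chain described above (a search-engine hit that lands on a compromised blog page, followed by a "business agreement" link that actually delivers a JavaScript payload) leaves a recognisable footprint in web-proxy logs. The following Python is an added example written for this article, not code from the researchers or from the article itself; the log layout, field names, host names and sample entries are all constructed assumptions. It flags a download when the response is JavaScript but the requested name reads like a business document, and when a JavaScript download is referred from a page the same client reached via a search engine a few minutes earlier.

```python
"""Hunt web-proxy logs for SEO-poisoning drive-by downloads: a search-engine hop
onto a web page, then a download served as JavaScript while named like a business
document. Illustrative detection logic; the log format is an assumption."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import unquote, urlparse

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.", "yahoo.")
DOCUMENT_WORDS = ("agreement", "contract", "template", "invoice", "proposal")
JS_CONTENT_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")
WINDOW = timedelta(minutes=5)  # max gap between the search-engine hop and the download

# Assumed layout: ts client method url status content-type "referer" "served-filename"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<referer>[^"]*)" "(?P<filename>[^"]*)"$'
)

# Constructed sample entries (not real hosts or traffic).
SAMPLE_LOG = """
2023-02-14T10:01:02 10.0.0.5 GET https://www.google.com/search?q=partnership+agreement+template 200 text/html "-" "-"
2023-02-14T10:01:09 10.0.0.5 GET https://blog.example-wp-site.test/2023/02/partnership-agreement-template/ 200 text/html "https://www.google.com/" "-"
2023-02-14T10:01:31 10.0.0.5 GET https://blog.example-wp-site.test/download.php?file=partnership_agreement_template 200 application/javascript "https://blog.example-wp-site.test/2023/02/partnership-agreement-template/" "partnership_agreement_template.js"
2023-02-14T10:05:00 10.0.0.7 GET https://cdn.example-legit.test/app.js 200 application/javascript "https://www.example-legit.test/" "-"
2023-02-14T10:06:00 10.0.0.9 GET https://www.google.com/search?q=weather 200 text/html "-" "-"
2023-02-14T10:06:05 10.0.0.9 GET https://news.example.test/story 200 text/html "https://www.google.com/" "-"
"""


@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    ctype: str
    referer: str
    filename: str


def parse_line(line: str):
    """Parse one log line into an Event, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.fromisoformat(m["ts"]),
        client=m["client"],
        url=m["url"],
        ctype=m["ctype"].split(";")[0].lower(),
        referer=m["referer"],
        filename=m["filename"],
    )


def is_search_engine(url: str) -> bool:
    host = urlparse(url).hostname or ""
    return any(marker in host for marker in SEARCH_ENGINE_HOSTS)


def is_javascript(ev: Event) -> bool:
    """JavaScript by declared content type or by the served/requested file name."""
    path = urlparse(ev.url).path.lower()
    return ev.ctype in JS_CONTENT_TYPES or ev.filename.lower().endswith(".js") or path.endswith(".js")


def looks_like_document(ev: Event) -> bool:
    """The request or served name advertises a business document."""
    text = unquote(ev.url + " " + ev.filename).lower()
    return any(word in text for word in DOCUMENT_WORDS)


def page_key(url: str):
    """Compare pages by host and path so trailing slashes or fragments do not matter."""
    p = urlparse(url)
    return (p.hostname, p.path.rstrip("/"))


def detect(lines):
    """Return one alert per JavaScript download that matches either rule."""
    alerts = []
    landings = {}  # client -> [(ts, page url)] for pages reached from a search engine
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.referer != "-" and is_search_engine(ev.referer) and not is_search_engine(ev.url):
            landings.setdefault(ev.client, []).append((ev.ts, ev.url))
            continue
        if not is_javascript(ev):
            continue
        reasons = []
        if looks_like_document(ev):
            reasons.append("document_name_served_as_javascript")
        recent = {page_key(u) for (t, u) in landings.get(ev.client, []) if timedelta(0) <= ev.ts - t <= WINDOW}
        if page_key(ev.referer) in recent:
            reasons.append("search_engine_to_javascript_download")
        if reasons:
            alerts.append({"client": ev.client, "url": ev.url, "reasons": reasons})
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The first rule fires on its own whenever a "document" is served as script, which is the cheap check; the second correlates the search-engine hop with the download and would also surface a poisoned page that used an innocuous file name. Tune `DOCUMENT_WORDS` and `WINDOW` to the environment, and expect legitimate CDN script loads (the `app.js` entry above) to pass because they are neither document-named nor referred from a search-engine landing page.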
These attacks against law firms are the newest in the Gootkit malware operators’ recent series of data-breach campaigns. Moreover, GootLoader is the only JavaScript-based payload campaign actively targeting law firm personnel and business professionals.
However, a separate campaign uses the SocGholish (FakeUpdates) malware to infect a similar branch of the government. The researchers noted that FakeUpdates is also a downloader malware that could drop additional executables.
The infection process in this attack is more significant because it exploits a website frequently used by the targeted law firms. The attackers use the site as a watering hole to spread malware disguised as fake browser updates.
The FakeUpdates malware operation does not include ransomware deployment. Instead, it favours hands-on-keyboard activity, suggesting that the attackers may have diversified within the threat landscape to conduct espionage operations.
Cybersecurity experts revealed that email was the primary infection vector used by these miscreants before 2021. That has since shifted, as more threat actors have changed their infection tactics.
These changes started when the GootLoader, SocGholish, and SolarMarker operators leveraged Google Ads to distribute their malware.