Several Law Firms Targeted in Malware Attacks

Share This Post

In January and February 2023, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns, cybersecurity firm eSentire reports.

Targeting law firm employees, the first campaign aimed to infect victims’ devices with GootLoader, a malware family known for downloading the GootKit remote access trojan (RAT), REvil ransomware, or the Cobalt Strike implant.

According to eSentire, the attacks appear focused on espionage and exfiltration activities, given that none of the observed GootLoader infections in 2022 deployed ransomware.

For initial access, the attackers relied on search engine optimization (SEO) poisoning, adding blog posts to a compromised legitimate WordPress website.

The GootLoader-infected blogs featured legal keywords to attract law firm employees and to increase their rankings in search results.

Visitors were directed to a fake forum page encouraging them to download an alleged agreement template or contract template, but were served the GootLoader malware instead.

“The increased absence of ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations,” eSentire researcher Keegan Keplinger says.

As part of the second campaign, the attackers targeted law firm employees and other business professionals with the SocGholish malware, which is also known as FakeUpdates.

Typically used by initial access brokers, SocGholish allows attackers to perform reconnaissance and deploy additional payloads, including Cobalt Strike. Recently, the malware was also seen deploying the LockBit ransomware.

The observed attacks relied on poisoned domains, including the hijacked website of a business offering notary public services in Miami. The compromised website displayed a pop-up notification informing visitors they should update the Chrome browser, but serving the SocGholish malware instead.

“By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value,” eSentire notes.

Related: Recent GootLoader Campaign Targets Law, Accounting Firms

Related: A Deep Dive Into the Growing GootLoader Threat

Related:Over 250 US News Websites Deliver Malware via Supply Chain Attack

SecurityWeek RSS Feed

Read More

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.
Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .