Heimdal
article featured image

Contents:

Two separate threat campaigns targeted six different law firms in January and February 2023, distributing GootLoader and FakeUpdates, also known as SocGholish malware.

GootLoader is a first-stage downloader capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware and has been active since late 2020. To funnel victims searching for business-related documents to drive-by download sites that drop JavaScript malware, it utilizes search engine optimization (SEO) poisoning.

The cybersecurity company eSentire has published a report detailing the campaign. The threat actors are said to have compromised legitimate, yet vulnerable, WordPress websites and added new blog posts without the owners’ knowledge. This campaign is the latest in a wave of attacks that have deployed the Gootkit malware loader to breach targets.

A second set of attacks also entailed the use of SocGholish, which is a downloader capable of dropping further executables.

A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware.

Source

The infection chain takes advantage of a website frequented by legal firms as a watering hole for spreading malware under the guise of fake browser updates.

An interesting aspect of the twin intrusion sets, as THN also observes, is the absence of ransomware deployment, instead favoring hands-on activity, suggesting that the attacks could have been espionage operations in scope.

Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks like the ones we are currently seeing, have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, Solarmarker, and recent campaigns leveraging Google Ads to float top search results.

Source

The Connection to Law Firms

The Notary Public’s website fell victim to malicious actors, who redirected visitors to a page with a message that appeared to prompt them to update their Chrome Browser.

Malicious Browser Update Prompt

Source

Unfortunately, this update was actually the SocGholish malware. The attack was likely pulled off via a WordPress vulnerability, compromising the website and adding this fake alert to the home page.

By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website is well known and used by legal firms, which are considered to be high value.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE