Hackers Attack Employees from Six Law Firms​ ​with the GootLoader and SocGholish Malware ​Using Fake Legal Agreements and Malicious Watering Hole​s, reports eSentire

eSentire, a leading global provider of cybersecurity solutions, shut down 10 cyberattacks hitting six different law firms throughout January and February of 2023. The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.

These campaigns present a heightened threat given how quickly they can transition to the intrusion phase of a cyberattack. Since 2022, eSentire’s Threat Response Unit (TRU) has observed SocGholish dropping the Cobalt Strike intrusion framework within 10 minutes, while GootLoader has been observed dropping IcedID (a banking-trojan-turned-loader) and escalating to hands-on intrusions by the threat actors.

GootLoader Tries to Get the Goods on Law Firms

GootLoader is a popular malware that gives threat actors initial access to the victim’s IT environment. Once on the victim’s computer, GootLoader has been known to download the GootKit Remote Access Trojan (RAT), the REvil ransomware, or Cobalt Strike, a popular tool used to gain a foothold in the target’s environment and expand throughout the target’s network.

Throughout 2022, while GootLoader infections have continued to escalate to hands-on intrusions, no ransomware has been observed even when intruders are allowed nearly free reign. In those cases, only Collection was observed. Given GootLoader’s primary target is law firms, TRU acknowledges the possibility that GootLoader has shifted to espionage and exfiltration operations. To achieve initial access, as in previous GootLoader campaigns, the threat actors used Search Engine Optimization (SEO) poisoning to lure and infect the victims with the GootLoader malware.

In this campaign, the cybercriminals compromised legitimate (but vulnerable) WordPress websites and unbeknownst to the website owners, added new blog posts to the sites. Titles which were effective at tricking legal firm employees included “a verbal agreement between a buyer and seller of real estate is considered“ (Figure 1) and "professional firefighters association collective agreement."

While the term “agreement” is the commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” Gootloader uses legal titles in such a way that when a business professional searches on the Internet for specific contracts or agreements, there is little SEO competition for the collection of words used together, thus GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they’re presented with a fake forum page providing an alleged agreement template or contract template (Figure 2).

When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware. TRU responded to multiple incidents involving several law firm customers and, in all cases, the victims searched for document templates. Interestingly, law firm employees were also the target of two previous GootLoader campaigns detected by TRU, one in January 2022 and a second in June 2022.

SocGholish Becomes a Fan of Watering Holes

A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware. SocGholish is a loader type malware that can perform reconnaissance activity and deploy secondary payloads including Cobalt Strike. Threat actors using SocGholish typically function as initial access brokers and other threat actors can leverage this service to gain entry into victim organizations. Recently, the Lockbit ransomware operation has been observed using SocGholish.

In August 2022, TRU saw a significant increase in attacks using SocGholish and now they are seeing another round of attacks using the malware. In this campaign, the threat actors are poisoning websites en masse and using them as watering holes to attract their victims. TRU discovered that the threat actors hijacked the website of a business that provides Notary Public services in the metropolitan area of Miami, Florida. Notary Public services are used for general financial transactions, estates, deeds, powers-of-attorney, and foreign and international business.

The threat actors compromised the Notary Public’s website so that when visitors came to the website an official-looking message pops up telling the visitor to update their Chrome Browser (See Figure 3). However, when the visitor goes to update their browser, they are actually downloading the SocGholish malware. The threat actors most likely took control of the website, possibly via a WordPress vulnerability, and added a page with the fake Chrome Browser alert so that when one visited the home page of the Notary Public business, they were redirected to the Chrome Browser update page.

By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value, as opposed to those on the web looking for a recipe for barbecue, for example.

Comments from Keegan Keplinger, Senior Threat Intelligence Researcher with TRU, regarding current GootLoader and SocGholish threat campaigns

"Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks like the ones we are currently seeing, have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, Solarmarker, and recent campaigns leveraging Google Ads to float top search results."

"TRU observed that the GootLoader attacks in 2022 and those in January and February are not leading to Ransomware malware, which is curious. The increased absence of Ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations."

"GootLoader used to be exclusively associated with the GootKit banking trojan. When we first observed it diversifying its payloads in 2021, it was still using typical Internet lures like "download" – a keyword that ensnares private and business users alike. However, throughout 2022 and 2023, GootLoader has nearly exclusively leveraged legal language in their lures."

Recommendations from TRU on How to Protect Against GootLoader and SocGholish Malware Attacks

Protecting against browser-based threats means intercepting User Execution – when employees unknowingly download and execute malware from the internet.

Key Recommendations

• SocGholish: You should never have to download a file to update Chrome. You can update Chrome by clicking the three dots in the upper right corner, then clicking Settings, then clicking About Chrome (bottom of navigation bar on the left). On that screen, you will see an interface for assessing the current chrome version and updating it.
• GootLoader: Don’t trust documents posted on random forums. Have a process for employees to download documents from trusted sources only.

General Recommendations

• Display file extensions for known file types.
• Make sure you trust document sources. Even legitimate Word and Excel documents from the Internet can lead to malware.
• Use Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching downloaded content. Read more on Microsoft Docs.
• Employ an Endpoint Detection and Response (EDR) tool to detect and isolate threats before they spread laterally.
• Phishing and security awareness training should be mandated for all company employees. The training should focus on the following topics:
  • The downloading and execution of files from unverified sources.
  • Process for reporting potential security incidents.
  • Educate users about safe Internet browsing habits.
  • Avoid free versions of paid software.
  • Inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain).
  • Always inspect the extension of files, do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.
  • Employees need to report security threats without fear of repercussion, even if caused accidentally.

If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.