Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Hackers Attack Employees from Six Law Firms with the GootLoader and SocGholish Malware Using Fake Legal Agreements and Malicious Watering Holes, reports eSentire
BY eSentire Threat Response Unit (TRU)
February 28, 2023 | 7 MINS READ
Attacks/Breaches
Threat Intelligence
Threat Response Unit
TRU Positive/Bulletin
Want to learn more on how to achieve Cyber Resilience?
eSentire, a leading global provider of cybersecurity solutions, shut down 10 cyberattacks hitting six different law firms throughout January and February of 2023. The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.
These campaigns present a heightened threat given how quickly they can transition to the intrusion phase of a cyberattack. Since 2022, eSentire’s Threat Response Unit (TRU) has observed SocGholish dropping the Cobalt Strike intrusion framework within 10 minutes, while GootLoader has been observed dropping IcedID (a banking-trojan-turned-loader) and escalating to hands-on intrusions by the threat actors.
GootLoader Tries to Get the Goods on Law Firms
GootLoader is a popular malware that gives threat actors initial access to the victim’s IT environment. Once on the victim’s computer, GootLoader has been known to download the GootKit Remote Access Trojan (RAT), the REvil ransomware, or Cobalt Strike, a popular tool used to gain a foothold in the target’s environment and expand throughout the target’s network.
Throughout 2022, while GootLoader infections have continued to escalate to hands-on intrusions, no ransomware has been observed even when intruders are allowed nearly free reign. In those cases, only Collection was observed. Given GootLoader’s primary target is law firms, TRU acknowledges the possibility that GootLoader has shifted to espionage and exfiltration operations. To achieve initial access, as in previous GootLoader campaigns, the threat actors used Search Engine Optimization (SEO) poisoning to lure and infect the victims with the GootLoader malware.
In this campaign, the cybercriminals compromised legitimate (but vulnerable) WordPress websites and unbeknownst to the website owners, added new blog posts to the sites. Titles which were effective at tricking legal firm employees included “a verbal agreement between a buyer and seller of real estate is considered“ (Figure 1) and "professional firefighters association collective agreement."
Figure 1: A GootLoader campaign where threat actors have hijacked a website and populated it with a blog speaking about the legality of a verbal agreement between a buyer and seller of real estate.
While the term “agreement” is the commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” Gootloader uses legal titles in such a way that when a business professional searches on the Internet for specific contracts or agreements, there is little SEO competition for the collection of words used together, thus GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they’re presented with a fake forum page providing an alleged agreement template or contract template (Figure 2).
When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware. TRU responded to multiple incidents involving several law firm customers and, in all cases, the victims searched for document templates. Interestingly, law firm employees were also the target of two previous GootLoader campaigns detected by TRU, one in January 2022 and a second in June 2022.
Figure 2: Results of a SEO Poisoning GootLoader campaign where the words “contract salary calculator Ontario” is populated on countless pages within a legitimate website. When a business professional looks for a sample of this via a Google Search, the search results will return this compromised website at the top of the search and this website will serve the initial payload.
SocGholish Becomes a Fan of Watering Holes
A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware. SocGholish is a loader type malware that can perform reconnaissance activity and deploy secondary payloads including Cobalt Strike. Threat actors using SocGholish typically function as initial access brokers and other threat actors can leverage this service to gain entry into victim organizations. Recently, the Lockbit ransomware operation has been observed using SocGholish.
In August 2022, TRU saw a significant increase in attacks using SocGholish and now they are seeing another round of attacks using the malware. In this campaign, the threat actors are poisoning websites en masse and using them as watering holes to attract their victims. TRU discovered that the threat actors hijacked the website of a business that provides Notary Public services in the metropolitan area of Miami, Florida. Notary Public services are used for general financial transactions, estates, deeds, powers-of-attorney, and foreign and international business.
The threat actors compromised the Notary Public’s website so that when visitors came to the website an official-looking message pops up telling the visitor to update their Chrome Browser (See Figure 3). However, when the visitor goes to update their browser, they are actually downloading the SocGholish malware. The threat actors most likely took control of the website, possibly via a WordPress vulnerability, and added a page with the fake Chrome Browser alert so that when one visited the home page of the Notary Public business, they were redirected to the Chrome Browser update page.
By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value, as opposed to those on the web looking for a recipe for barbecue, for example.
Figure 3: Visitors to the Notary Public website, located in the Miami area, received this fake Chrome browser update. If they chose to download the fake browser update, they were actually downloading the SocGholish malware onto their computer.
Comments from Keegan Keplinger, Senior Threat Intelligence Researcher with TRU, regarding current GootLoader and SocGholish threat campaigns
"Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks like the ones we are currently seeing, have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, Solarmarker, and recent campaigns leveraging Google Ads to float top search results."
"TRU observed that the GootLoader attacks in 2022 and those in January and February are not leading to Ransomware malware, which is curious. The increased absence of Ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations."
"GootLoader used to be exclusively associated with the GootKit banking trojan. When we first observed it diversifying its payloads in 2021, it was still using typical Internet lures like "download" – a keyword that ensnares private and business users alike. However, throughout 2022 and 2023, GootLoader has nearly exclusively leveraged legal language in their lures."
Recommendations from TRU on How to Protect Against GootLoader and SocGholish Malware Attacks
Protecting against browser-based threats means intercepting User Execution – when employees unknowingly download and execute malware from the internet.
Key Recommendations
SocGholish: You should never have to download a file to update Chrome. You can update Chrome by clicking the three dots in the upper right corner, then clicking Settings, then clicking About Chrome (bottom of navigation bar on the left). On that screen, you will see an interface for assessing the current chrome version and updating it.
GootLoader: Don’t trust documents posted on random forums. Have a process for employees to download documents from trusted sources only.
The downloading and execution of files from unverified sources.
Process for reporting potential security incidents.
Educate users about safe Internet browsing habits.
Avoid free versions of paid software.
Inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain).
Always inspect the extension of files, do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.
Employees need to report security threats without fear of repercussion, even if caused accidentally.
If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
