
Hackers Attack Employees from Six Law Firms with the GootLoader and SocGholish Malware Using Fake Legal Agreements and Malicious Watering Holes, reports eSentire

BY eSentire Threat Response Unit (TRU)

February 28, 2023 | 7 MINS READ



eSentire, a leading global provider of cybersecurity solutions, shut down 10 cyberattacks hitting six different law firms throughout January and February of 2023. The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.

These campaigns present a heightened threat given how quickly they can transition to the intrusion phase of a cyberattack. Since 2022, eSentire’s Threat Response Unit (TRU) has observed SocGholish dropping the Cobalt Strike intrusion framework within 10 minutes, while GootLoader has been observed dropping IcedID (a banking-trojan-turned-loader) and escalating to hands-on intrusions by the threat actors.

GootLoader Tries to Get the Goods on Law Firms

GootLoader is a popular malware that gives threat actors initial access to the victim’s IT environment. Once on the victim’s computer, GootLoader has been known to download the GootKit Remote Access Trojan (RAT), the REvil ransomware, or Cobalt Strike, a popular tool used to gain a foothold in the target’s environment and expand throughout the target’s network.

Throughout 2022, while GootLoader infections have continued to escalate to hands-on intrusions, no ransomware has been observed even when intruders were allowed nearly free rein. In those cases, only Collection was observed. Given that GootLoader’s primary target is law firms, TRU acknowledges the possibility that GootLoader has shifted to espionage and exfiltration operations. To achieve initial access, as in previous GootLoader campaigns, the threat actors used Search Engine Optimization (SEO) poisoning to lure and infect the victims with the GootLoader malware.

In this campaign, the cybercriminals compromised legitimate (but vulnerable) WordPress websites and, unbeknownst to the website owners, added new blog posts to the sites. Titles that were effective at tricking legal firm employees included “a verbal agreement between a buyer and seller of real estate is considered” (Figure 1) and “professional firefighters association collective agreement.”

Figure 1: A GootLoader campaign where threat actors have hijacked a website and populated it with a blog speaking about the legality of a verbal agreement between a buyer and seller of real estate.

While the term “agreement” is the most commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” GootLoader uses legal titles in such a way that when a business professional searches the Internet for a specific contract or agreement, there is little SEO competition for that combination of words, so GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they are presented with a fake forum page offering an alleged agreement template or contract template (Figure 2).

When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware. TRU responded to multiple incidents involving several law firm customers and, in all cases, the victims searched for document templates. Interestingly, law firm employees were also the target of two previous GootLoader campaigns detected by TRU, one in January 2022 and a second in June 2022.

Figure 2: Results of an SEO poisoning GootLoader campaign where the words “contract salary calculator Ontario” are populated on countless pages within a legitimate website. When a business professional looks for a sample of this via a Google Search, the search results will return this compromised website at the top of the results, and this website will serve the initial payload.

SocGholish Becomes a Fan of Watering Holes

A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware. SocGholish is a loader type malware that can perform reconnaissance activity and deploy secondary payloads including Cobalt Strike. Threat actors using SocGholish typically function as initial access brokers and other threat actors can leverage this service to gain entry into victim organizations. Recently, the Lockbit ransomware operation has been observed using SocGholish.

In August 2022, TRU saw a significant increase in attacks using SocGholish, and it is now seeing another round of attacks using the malware. In this campaign, the threat actors are poisoning websites en masse and using them as watering holes to attract their victims. TRU discovered that the threat actors hijacked the website of a business that provides Notary Public services in the metropolitan area of Miami, Florida. Notary Public services are used for general financial transactions, estates, deeds, powers of attorney, and foreign and international business.

The threat actors compromised the Notary Public’s website so that when visitors came to the website, an official-looking message popped up telling the visitor to update their Chrome browser (see Figure 3). However, when the visitor went to update their browser, they were actually downloading the SocGholish malware. The threat actors most likely took control of the website, possibly via a WordPress vulnerability, and added a page with the fake Chrome browser alert, so that when one visited the home page of the Notary Public business, they were redirected to the Chrome browser update page.

By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value, as opposed to those on the web looking for a recipe for barbecue, for example.

Figure 3: Visitors to the Notary Public website, located in the Miami area, received this fake Chrome browser update. If they chose to download the fake browser update, they were actually downloading the SocGholish malware onto their computer.
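As an added defender-side illustration (not code from the report or from TRU), the two delivery patterns described above, a legal-template download reached straight from a search result and a fake Chrome update served from a compromised small-business site, can be hunted for in web-proxy logs. The log lines, hostnames, content types and keyword list here are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the report): timestamp, user, referer, URL, content type.
SAMPLE_LOG = """\
2023-01-17T14:02:11 jdoe https://www.google.com/search?q=verbal+agreement+real+estate https://compromised-blog.example/wp-content/uploads/verbal_agreement_template.zip application/zip
2023-01-17T14:05:40 jdoe https://www.google.com/search?q=ontario+weather https://weather.example/today.html text/html
2023-02-03T09:31:05 asmith https://notary-miami.example/ https://cdn-update.example/chrome_update.zip application/zip
2023-02-03T09:33:50 asmith https://www.google.com/ https://dl.google.com/chrome/install/ChromeSetup.exe application/octet-stream
"""

SEARCH_ENGINES = ("www.google.com", "www.bing.com", "duckduckgo.com")
LURE_WORDS = re.compile(r"(agreement|contract|template|salary)", re.I)  # lure vocabulary seen in the campaign
DOWNLOAD_TYPES = ("application/zip", "application/octet-stream", "application/x-msdownload", "text/javascript")
BROWSER_VENDOR_HOSTS = ("dl.google.com", "www.google.com")  # assumed legitimate sources of Chrome installers

def parse_line(line):
    ts, user, referer, url, ctype = line.split()
    return {"ts": ts, "user": user, "referer": referer, "url": url, "ctype": ctype}

def flag_gootloader_like(ev):
    # SEO-poisoning pattern: a file download reached directly from a search-engine result,
    # where the download path carries legal lure keywords.
    ref_host = urlparse(ev["referer"]).hostname or ""
    path = urlparse(ev["url"]).path
    return ref_host in SEARCH_ENGINES and ev["ctype"] in DOWNLOAD_TYPES and bool(LURE_WORDS.search(path))

def flag_socgholish_like(ev):
    # Fake-update pattern: a "chrome" named download served from a host that is not the browser vendor.
    parsed = urlparse(ev["url"])
    host = parsed.hostname or ""
    name = parsed.path.rsplit("/", 1)[-1].lower()
    return ev["ctype"] in DOWNLOAD_TYPES and "chrome" in name and host not in BROWSER_VENDOR_HOSTS

def hunt(log_text):
    # Returns (user, pattern, url) for every event matching either heuristic.
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if flag_gootloader_like(ev):
            hits.append((ev["user"], "seo-poisoning-download", ev["url"]))
        if flag_socgholish_like(ev):
            hits.append((ev["user"], "fake-browser-update", ev["url"]))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Both heuristics are deliberately narrow starting points for a hunt; the genuine ChromeSetup.exe download from dl.google.com in the sample is left unflagged to show the vendor-host allowlist at work.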

Comments from Keegan Keplinger, Senior Threat Intelligence Researcher with TRU, regarding current GootLoader and SocGholish threat campaigns

"Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks like the ones we are currently seeing, have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, Solarmarker, and recent campaigns leveraging Google Ads to float top search results."

"TRU observed that the GootLoader attacks in 2022 and those in January and February are not leading to Ransomware malware, which is curious. The increased absence of Ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations."

"GootLoader used to be exclusively associated with the GootKit banking trojan. When we first observed it diversifying its payloads in 2021, it was still using typical Internet lures like ‘download’ – a keyword that ensnares private and business users alike. However, throughout 2022 and 2023, GootLoader has nearly exclusively leveraged legal language in their lures."

Recommendations from TRU on How to Protect Against GootLoader and SocGholish Malware Attacks

Protecting against browser-based threats means intercepting User Execution – when employees unknowingly download and execute malware from the internet.

Key Recommendations

General Recommendations

If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.

eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
