eSentire, a leading global provider of cybersecurity solutions, shut down 10 cyberattacks hitting six different law firms throughout January and February of 2023. The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.
These campaigns present a heightened threat given how quickly they can transition to the intrusion phase of a cyberattack. Since 2022, eSentire’s Threat Response Unit (TRU) has observed SocGholish dropping the Cobalt Strike intrusion framework within 10 minutes, while GootLoader has been observed dropping IcedID (a banking-trojan-turned-loader) and escalating to hands-on intrusions by the threat actors.
GootLoader is a popular malware that gives threat actors initial access to the victim’s IT environment. Once on the victim’s computer, GootLoader has been known to download the GootKit Remote Access Trojan (RAT), the REvil ransomware, or Cobalt Strike, a popular tool used to gain a foothold in the target’s environment and expand throughout the target’s network.
Throughout 2022, while GootLoader infections have continued to escalate to hands-on intrusions, no ransomware has been observed even when intruders are allowed nearly free rein. In those cases, only Collection was observed. Given GootLoader’s primary target is law firms, TRU acknowledges the possibility that GootLoader has shifted to espionage and exfiltration operations. To achieve initial access, as in previous GootLoader campaigns, the threat actors used Search Engine Optimization (SEO) poisoning to lure and infect the victims with the GootLoader malware.
In this campaign, the cybercriminals compromised legitimate (but vulnerable) WordPress websites and, unbeknownst to the website owners, added new blog posts to the sites. Titles which were effective at tricking legal firm employees included “a verbal agreement between a buyer and seller of real estate is considered” (Figure 1) and “professional firefighters association collective agreement.”
While the term “agreement” is the commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” GootLoader chooses legal titles so that when a business professional searches the Internet for specific contracts or agreements, there is little SEO competition for that combination of words, and GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they’re presented with a fake forum page providing an alleged agreement template or contract template (Figure 2).
When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware. TRU responded to multiple incidents involving several law firm customers and, in all cases, the victims searched for document templates. Interestingly, law firm employees were also the target of two previous GootLoader campaigns detected by TRU, one in January 2022 and a second in June 2022.
A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware. SocGholish is a loader-type malware that can perform reconnaissance activity and deploy secondary payloads including Cobalt Strike. Threat actors using SocGholish typically function as initial access brokers, and other threat actors can leverage this service to gain entry into victim organizations. Recently, the LockBit ransomware operation has been observed using SocGholish.
In August 2022, TRU saw a significant increase in attacks using SocGholish and now they are seeing another round of attacks using the malware. In this campaign, the threat actors are poisoning websites en masse and using them as watering holes to attract their victims. TRU discovered that the threat actors hijacked the website of a business that provides Notary Public services in the metropolitan area of Miami, Florida. Notary Public services are used for general financial transactions, estates, deeds, powers-of-attorney, and foreign and international business.
The threat actors compromised the Notary Public’s website so that when visitors came to the website, an official-looking message popped up telling them to update their Chrome Browser (see Figure 3). However, when the visitor goes to update their browser, they are actually downloading the SocGholish malware. The threat actors most likely took control of the website, possibly via a WordPress vulnerability, and added a page with the fake Chrome Browser alert so that visitors to the home page of the Notary Public business were redirected to the Chrome Browser update page.
By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value, as opposed to those on the web looking for a recipe for barbecue, for example.
"Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks like the ones we are currently seeing, have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, Solarmarker, and recent campaigns leveraging Google Ads to float top search results."
"TRU observed that the GootLoader attacks in 2022 and those in January and February are not leading to Ransomware malware, which is curious. The increased absence of Ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations."
"GootLoader used to be exclusively associated with the GootKit banking trojan. When we first observed it diversifying its payloads in 2021, it was still using typical Internet lures like "download" – a keyword that ensnares private and business users alike. However, throughout 2022 and 2023, GootLoader has nearly exclusively leveraged legal language in their lures."
Protecting against browser-based threats means intercepting User Execution – when employees unknowingly download and execute malware from the internet.
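One way to surface the User Execution step described above from process-creation logs, as an added example that is not from the original article or eSentire's tooling. It assumes (the article does not state the file type) that the lure is a script launched by a Windows script host from a download or archive-extraction path; the event fields and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumed, not from the article: the lure is a script opened by a Windows script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Assumed locations for browser downloads and files opened from inside a ZIP.
USER_PATHS = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)
# Lure vocabulary from the article: legal titles and fake browser updates.
LURE_WORDS = re.compile(r"agreement|contract|update", re.I)

def script_argument(command_line):
    """Return the first script-file argument on a command line, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        arg = quoted or bare
        if PureWindowsPath(arg).suffix.lower() in SCRIPT_EXTS:
            return arg
    return None

def score_event(event):
    """0 = ignore, 2 = script run from a user download path, 3 = plus lure name."""
    if PureWindowsPath(event["image"]).name.lower() not in SCRIPT_HOSTS:
        return 0
    script = script_argument(event["command_line"])
    if script is None or not USER_PATHS.search(script):
        return 0
    return 3 if LURE_WORDS.search(PureWindowsPath(script).name) else 2

def triage(events):
    """Return (host, score) for suspicious events, highest score first."""
    hits = [(e["host"], score_event(e)) for e in events]
    return sorted((h for h in hits if h[1]), key=lambda h: -h[1])

# Constructed process-creation events (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
EVENTS = [
    {"host": "WS-01", "image": SYS32 + "wscript.exe", "command_line":
     r'"wscript.exe" "C:\Users\a\AppData\Local\Temp\Temp1_x.zip\lease agreement.js"'},
    {"host": "WS-02", "image": SYS32 + "wscript.exe", "command_line":
     r"wscript.exe C:\Users\b\Downloads\report.js"},
    {"host": "SRV-01", "image": SYS32 + "cscript.exe", "command_line":
     r"cscript.exe //nologo C:\Scripts\backup.vbs"},
    {"host": "WS-03", "image": r"C:\Program Files\App\browser.exe",
     "command_line": "browser.exe https://example.com"},
]

if __name__ == "__main__":
    for host, score in triage(EVENTS):
        print(host, score)
```

The administrative script on SRV-01 is not flagged because it runs from outside a user download path, which keeps the rule focused on files an employee fetched from the web.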