"Several Law Firms Targeted in Malware Attacks"

According to security researchers at eSentire, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns in January and February 2023. The first campaign targeted law firm employees and aimed to infect victims' devices with GootLoader, a malware family known for downloading the GootKit remote access trojan (RAT), REvil ransomware, or the Cobalt Strike implant. The researchers stated that the attacks appear focused on espionage and exfiltration, given that none of the GootLoader infections observed in 2022 deployed ransomware. For initial access, the attackers relied on search engine optimization (SEO) poisoning, adding blog posts to a compromised legitimate WordPress website. The GootLoader-infected blogs featured legal keywords to attract law firm employees and to raise their rankings in search results. Visitors were directed to a fake forum page encouraging them to download a supposed agreement or contract template, but were served the GootLoader malware instead. The researchers stated that the growing absence of ransomware in these attacks, combined with continued success in infecting legal firms and a willingness to engage in hands-on intrusions, suggests that GootLoader operations may have shifted from supporting only financially motivated attacks to also supporting politically motivated and cyber espionage operations.

In the second campaign, the attackers targeted law firm employees and other business professionals with the SocGholish malware, also known as FakeUpdates. Typically used by initial access brokers, SocGholish allows attackers to perform reconnaissance and deploy additional payloads, including Cobalt Strike. The researchers noted that the malware was recently also seen deploying the LockBit ransomware.
The observed attacks relied on poisoned domains, including the hijacked website of a business offering notary public services in Miami. The compromised website displayed a pop-up notification telling visitors to update the Chrome browser, which instead downloaded the SocGholish malware. The researchers stated that by infecting a large number of lower-traffic sites, SocGholish operators occasionally capture a high-value victim among those sites' visitors. The notary public website, for example, was frequented by legal firms, and such visitors are considered high value.
 

SecurityWeek reports: "Several Law Firms Targeted in Malware Attacks"
