Cybercriminals Targeting Law Firms With GootLoader and FakeUpdates

The following article was originally published on The Hacker News on March 1st, 2023, and discusses the recent targeting of law firms by cybercriminals using GootLoader and FakeUpdates malware.

Six law firms have fallen victim to two separate cyber threats, which utilized GootLoader and FakeUpdates (also known as SocGholish) malware, between January and February of 2023.

GootLoader, which has been active since late 2020, serves as a first-stage downloader that can deliver secondary payloads such as ransomware and Cobalt Strike.

The malware utilizes search engine optimization (SEO) poisoning to redirect individuals searching for business-related documents towards malicious websites that then drop the JavaScript malware.

Cybersecurity company eSentire reported on one of the campaigns, stating that the attackers compromised legitimate but vulnerable WordPress websites and added new blog posts without the owners’ knowledge.

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” explained eSentire researcher Keegan Keplinger in January 2022.
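The infection chain described above has a detectable shape in web proxy logs: a client arrives at a page from a search-engine result and, shortly afterwards, downloads a JavaScript file from the same host as an attachment. The following is an added detection example written for this page, not code from eSentire or The Hacker News. The log format, field names, host names and sample lines are all constructed here; real proxy logs will need a different parser.

```python
"""
Heuristic detection for the SEO-poisoning -> JavaScript-download chain
described in the article, run over constructed web proxy log lines.

Rule: a client that lands on a page via a search-engine referrer and, within a
short window, downloads a .js file *as an attachment* from the same host is
flagged. Requiring the attachment disposition separates a file download (the
lure "business agreement") from a page's ordinary script resource loads.

Log format, field names and sample data below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed list of search-engine hosts; extend for your environment.
SEARCH_ENGINE_HOSTS = ("www.google.com", "www.bing.com", "duckduckgo.com")
WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    referrer: str
    content_type: str
    disposition: str  # Content-Disposition header, "-" when absent


def parse_line(line: str) -> Event:
    # Constructed format: ts|client|url|referrer|content-type|content-disposition
    ts, client, url, ref, ctype, disp = line.split("|")
    return Event(datetime.fromisoformat(ts), client, url, ref, ctype, disp)


def is_search_landing(ev: Event) -> bool:
    return (urlparse(ev.referrer).hostname or "") in SEARCH_ENGINE_HOSTS


def is_js_download(ev: Event) -> bool:
    """True when the response is served as an attachment and looks like JavaScript."""
    disp = ev.disposition.lower()
    if not disp.startswith("attachment"):
        return False
    name = ""
    if "filename=" in disp:
        name = disp.split("filename=", 1)[1].strip().strip('"')
    path = urlparse(ev.url).path.lower()
    return (name.endswith(".js") or path.endswith(".js")
            or ev.content_type.startswith(("application/javascript", "text/javascript")))


def find_seo_js_chains(lines):
    """Return (client, landing_url, download_url) for each suspicious chain."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    landings = {}  # client -> search-engine landing events seen so far
    hits = []
    for ev in events:
        if is_search_landing(ev):
            landings.setdefault(ev.client, []).append(ev)
            continue
        if not is_js_download(ev):
            continue
        host = urlparse(ev.url).hostname
        for land in landings.get(ev.client, []):
            same_host = urlparse(land.url).hostname == host
            if same_host and timedelta(0) <= ev.ts - land.ts <= WINDOW:
                hits.append((ev.client, land.url, ev.url))
                break
    return hits


# Constructed sample log: one lure chain (10.0.0.5), one ordinary script load
# after a search landing (10.0.0.9) and one PDF download that must not match.
SAMPLE_LOG = """
2023-02-10T09:12:01|10.0.0.5|https://blog.example-law-docs.test/2023/02/mutual-nda-agreement/|https://www.google.com/search?q=mutual+nda+agreement+template|text/html|-
2023-02-10T09:12:40|10.0.0.5|https://blog.example-law-docs.test/download/?file=123|https://blog.example-law-docs.test/2023/02/mutual-nda-agreement/|application/octet-stream|attachment; filename="mutual_nda_agreement.js"
2023-02-10T09:15:00|10.0.0.7|https://cdn.example.test/static/app.js|https://www.example.test/|application/javascript|-
2023-02-10T10:00:00|10.0.0.9|https://www.example.test/contracts/|https://www.google.com/search?q=contracts|text/html|-
2023-02-10T10:00:02|10.0.0.9|https://www.example.test/js/site.js|https://www.example.test/contracts/|application/javascript|-
2023-02-10T10:01:00|10.0.0.9|https://www.example.test/contracts/template.pdf|https://www.example.test/contracts/|application/pdf|attachment; filename="template.pdf"
"""

if __name__ == "__main__":
    for client, landing, download in find_seo_js_chains(SAMPLE_LOG.splitlines()):
        print(f"{client}: search landing {landing} followed by JS download {download}")
```

Only the first client is reported: the script resource fetched by 10.0.0.9 is not served as an attachment, and its PDF download is not JavaScript. The rule is one heuristic among several; treating a flagged download as a trigger for endpoint review of what executed the file, rather than as a verdict on its own, keeps the false-positive cost manageable.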

GootLoader is not the only JavaScript malware targeting law firms and business professionals, as SocGholish has also been used in a separate wave of attacks capable of delivering additional executables.

One of the campaigns stood out for using a website frequented by legal firms as a watering hole to distribute the malware, making it a noteworthy infection chain.

The cybercriminals behind these attacks have also demonstrated a preference for hands-on activity instead of deploying ransomware, indicating that they may have expanded their focus to include espionage operations.

According to Keplinger, “Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks […] have steadily been growing to compete with email as the primary infection vector,” thanks in part to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results.
