Law firms under attack: Gootloader and Fakeupdates malware on their way


Gootloader and Fakeupdates malware infections are on the rise at law firms and agencies. Since January 2023, six different firms have been targeted.

The attack relies on SEO poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” said eSentire researcher Keegan Keplinger.
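
A defender-side triage check for the lure described above, as an added example that is not from the article or from eSentire: it flags downloads where a script file is named like a business document, including files inside ZIP archives. The extension list, keyword list, ZIP handling and sample file names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumptions (not from the article): which extensions count as script files,
# and which words mark a file name as a "business document" lure.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}
LURE_WORDS = ("agreement", "contract", "template", "lease")


def is_document_lure(name: str) -> bool:
    """True if a script file is named like a business document."""
    path = PurePosixPath(name.replace("\\", "/"))
    stem = path.stem.lower()
    return path.suffix.lower() in SCRIPT_EXTS and any(w in stem for w in LURE_WORDS)


def scan_download(filename: str, data: bytes) -> list[str]:
    """Return suspicious names for one downloaded file, looking inside ZIP archives."""
    hits = []
    if is_document_lure(filename):
        hits.append(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if is_document_lure(member):
                    hits.append(f"{filename}!{member}")
    return hits


def make_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample downloads; the names are illustrative only.
    lure = make_sample_zip({"Sample_Retainer_Agreement.js": b"// placeholder"})
    benign = make_sample_zip({"retainer_agreement.docx": b"placeholder"})
    for fname, blob in [("retainer_agreement.zip", lure), ("docs.zip", benign),
                        ("lease_contract.js", b"// placeholder")]:
        print(fname, "->", scan_download(fname, blob) or "clean")
```

A hit is a prompt for review rather than a verdict: the check only compares a file's name with its type and does not inspect content.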

Strike of Gootloader and Fakeupdates (SocGholish) malware

Gootloader is often distributed through phishing emails that contain a link to a malicious website. When users click the link, they are directed to a landing page that appears to be a legitimate website. However, the page contains hidden code that downloads and executes the Gootloader malware on the victim’s computer.

“GootLoader is a stealthy initial access malware, which after getting a foothold into the victim’s computer system, infects the system with ransomware or other lethal malware,” said researchers from eSentire.

Once installed, Gootloader can download and install additional malware payloads on the victim’s computer without their knowledge or consent. The malware can also steal sensitive information, such as login credentials and banking information, which can be used for identity theft and financial fraud.

“GootLoader relies heavily on social engineering to establish its foothold, from poisoning Google search results to fashioning the payload,” said Keegan Keplinger, research and reporting lead for eSentire’s Threat Response Unit (TRU).

SocGholish is typically distributed through phishing emails that contain a link to a fake login page. When a user enters their login credentials on the fake page, the malware captures the information and sends it to the attacker. The malware can also download additional payloads, such as keyloggers or remote access trojans, allowing attackers to gain complete control of the infected system.

Final word

It is important for organizations to employ SOPs to weaken the malware's grip. Keep software updated with the latest security patches, and use anti-virus. With Gootloader and Fakeupdates malware in particular, one should exercise prudence before clicking on suspicious links. It is also necessary to open documents from trusted sources and match them with the original ones.

Author: PureVPN

Date: June 20, 2023
