At the beginning of 2023, six different law firms were targeted in two separate malicious campaigns. The attackers used the Gootloader and FakeUpdates (also known as SocGholish) malware.
Gootloader, active since late 2020, is a first-stage loader that can deliver a wide range of secondary payloads, such as Cobalt Strike and various ransomware families. To reach victims, it uses SEO poisoning: users searching for business-related documents are steered to phishing pages that serve malicious JavaScript.
In the campaign described in detail by eSentire, the attackers compromised a legitimate but vulnerable WordPress-based website and added new forum threads on topics of interest to their intended victims. Naturally, these posts contained malicious links.
“When the user navigates to one of the malicious web pages and clicks the link to download the proposed business agreement, they unknowingly download Gootloader,” said Keegan Keplinger, a researcher at eSentire.
The image below shows how an attacker left three posts from different accounts on a foreign-language forum: a request for a recommendation of a financial tool for calculating payroll, a reply containing a malicious link, and a thank-you confirming that the tool worked. When a person interested in the same financial tool sees an exchange like this, they let their guard down and voluntarily download the malicious file to their computer.
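The lure described above ends with the victim downloading a script file that is presented as a business document. The following Python snippet is an added example, not code from the article or from eSentire: it assumes the delivery shape Gootloader is commonly reported to use, a Windows script (.js and similar) wrapped in a ZIP archive, and flags downloaded archives whose members are script types rather than documents. The archive contents are constructed in memory for the demonstration; nothing here is a real sample.

```python
import io
import zipfile

# Windows script extensions that a downloaded "business agreement" should never contain.
# The set is an assumption of this example, chosen to cover the usual WSH-executed types.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def suspicious_members(zip_bytes):
    """Return the archive members whose final extension is a Windows script type.

    Only the last extension counts, so a double-extension lure such as
    'agreement.pdf.js' is still flagged as a script.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append(info.filename)
    return findings


def build_sample_zip(members):
    """Construct an in-memory ZIP from {name: bytes}. Test fixture only, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed examples: a lure archive that carries a script, and a benign document archive.
LURE_ZIP = build_sample_zip({
    "business_agreement_template.js": b"// constructed stand-in, not malware\nvar x = 1;\n",
})
BENIGN_ZIP = build_sample_zip({
    "business_agreement_template.pdf": b"%PDF-1.4 constructed placeholder\n",
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, suspicious_members(blob))
```

In practice this check would sit in a download or mail-gateway pipeline; a script inside an archive that a user fetched from a forum link is a strong enough signal to quarantine the file and look at how the user arrived at the page.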
However, Gootloader is far from the only malicious JavaScript program aimed at businesses and law firms. Separate campaigns use another piece of malware, FakeUpdates (SocGholish). It lets the attackers drop additional executables onto the target system, and it is often distributed via watering hole attacks.
“Until 2021, email phishing was the main infection vector used by attackers. But browser-based attacks have grown significantly in recent years and now fully compete with email as the main infection vector. In many ways this has happened thanks to Gootloader, SocGholish, SolarMarker, and recent campaigns that use Google Ads to place their results at the top of search results,” said the eSentire researcher.