Operators of the GootLoader malware are targeting employees at accounting and law firms in a new wave of large-scale attacks, a sign that the threat actor has expanded its reach to high-value targets.
“GootLoader is a stealthy initial access malware, which after getting a foothold into the victim’s computer system, infects the system with ransomware or other lethal malware,” researchers from eSentire said in a report shared with The Hacker News.
The cybersecurity services provider said it intercepted and dismantled intrusions aimed at three law firms and an accounting enterprise. The names of the victims were not disclosed.
Malware may be delivered to targets' computers in a variety of ways, including fake software updates and poisoned search results; trojanized software can also be downloaded from websites linking to pirated programs. GootLoader relies on poisoned search results.
In March 2021, details emerged of a global drive-by download offensive that involved tricking unsuspecting victims into visiting compromised WordPress websites belonging to legitimate businesses via a technique called search engine poisoning that pushes these sites to the top of the search results.
“Their modus operandi (MO) is to entice a business professional to one of the compromised websites and then have them click on the link, leading to Gootloader, which attempts to retrieve the final payload, whether it be ransomware, a banking trojan or intrusion tool/credential stealer,” the researchers explained in a write-up.
eSentire estimates that over 100,000 malicious webpages were set up last year across websites representing entities in the hotel industry, high-end retail, education, healthcare, music and visual arts, with one of the hacked websites hosting 150 rogue pages designed to social engineer users searching for postnuptial or intellectual property agreements.
The websites, for their part, are broken into by exploiting security vulnerabilities in the WordPress content management system (CMS), allowing the attackers to inject pages of their choosing without the site owner's knowledge.
The nature of GootLoader, and its ability to open backdoors into systems, suggests that it may be used to gather intelligence, but also to deliver additional harmful payloads such as Cobalt Strike or ransomware to compromised systems for follow-on attacks.
“GootLoader heavily relies on social engineering in order to establish itself, from poisoning Google Search Results to creating the payload,” stated Keegan Keplinger (research and reporting lead at eSentire’s Threat Response Unit, TRU).
“GootLoader operators encourage employees to download and execute malware, presenting a template for a free business contract. This is particularly effective against legal firms, who may encounter uncommon requests from clients.”
To mitigate such threats, it’s recommended that organizations put in place a vetting process for business agreement samples, train employees to open documents only from trusted sources, and ensure that the content downloaded matches the content intended to be downloaded.