GootLoader hack targeting lawyers and accounting firm employees

Operators of the GootLoader campaign have set their sights on employees of accounting and law firms as part of a widespread cyberattack to deploy malware on infected systems, suggesting the adversaries are expanding their focus to other high-value targets.

“GootLoader is a stealthy initial-access malware that, after entering a victim’s computer system, infects the system with ransomware or other lethal malware,” researchers from eSentire said in a report shared with The Hacker News.

The cybersecurity service provider said it blocked and dismantled intrusions targeting three law firms and an accounting firm. The victims’ names were not disclosed.

Malware can reach a target’s system in a number of ways, including poisoned search results, fake software updates, and trojanized applications downloaded from sites that link to pirated software. GootLoader uses the first technique.


Details of the campaign first emerged in March 2021. The attack involves tricking unsuspecting victims into visiting compromised WordPress sites belonging to legitimate businesses, with those sites pushed to the top of search results through a technique called search engine poisoning.

“Their modus operandi (MO) is to lure business professionals to visit one of the compromised websites and then get them to click on a link that causes the Gootloader to attempt to retrieve the final payload, be it ransomware, banking trojan or intrusion tool/credential stealer,” the researchers explained in an article.

eSentire estimates that more than 100,000 malicious pages were set up last year on sites belonging to entities in the hospitality industry, high-end retail, education, healthcare, music, and the visual arts, with one hacked site hosting 150 rogue pages designed to socially engineer users searching for post-nuptial or intellectual property agreements.

The rogue pages were created by exploiting a security flaw in the WordPress content management system (CMS), effectively allowing the attackers to inject pages of their choosing without the website owner’s knowledge.


Because GootLoader is designed to provide a backdoor into a system, the goal of an attack may be intelligence gathering, but the loader can also be used to deliver additional damaging payloads to infected machines, including Cobalt Strike and ransomware, for follow-on attacks.

“GootLoader relies heavily on social engineering to establish its foothold, from poisoning Google search results to shaping payloads,” said Keegan Keplinger, head of research and reporting at the eSentire Threat Response Unit (TRU).

“The operators of GootLoader invite employees to find, download, and execute their malware under the guise of a free commercial agreement template. This is especially useful for legal firms that may encounter unusual requests from clients.”

To mitigate such threats, organizations are advised to review their sample business agreements, train employees to open documents only from trusted sources, and ensure that what is downloaded matches what was intended to be downloaded.
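The last piece of advice, that a download should match what the user meant to fetch, can be turned into a concrete check. The following is an added example, not code from the article or from eSentire: it compares a downloaded file’s name against its actual bytes (magic signature, double extensions, and the contents of ZIP containers) and flags a supposed “agreement template” that is really a script or an archive hiding one. The signature table, the executable-extension list, and all sample files are constructed for the demonstration.

```python
"""Sanity-check that a downloaded file is what its name claims to be.

Added example (not from the article or eSentire). All signatures and sample
files below are constructed for illustration.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes for the document formats a user expects when downloading an
# agreement template. .docx is an OOXML ZIP container, so it shares the ZIP magic.
DOCUMENT_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file
    ".docx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}

# Extensions Windows will execute (or hand to a script host) on double-click.
# A "template" must never be one of these, on its own or inside an archive.
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".msi", ".lnk", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".ps1", ".bat", ".cmd",
}


def _suffixes(name: str) -> list[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.js' -> ['.pdf', '.js']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def check_download(filename: str, data: bytes) -> list[str]:
    """Return findings for a downloaded file; an empty list means it looks like what it claims."""
    findings: list[str] = []
    suffixes = _suffixes(filename)
    ext = suffixes[-1] if suffixes else ""

    # 1. The visible extension itself is executable.
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext!r} on a supposed document")

    # 2. Double extension such as 'agreement.pdf.js'; Explorer hides known
    #    extensions by default, so this displays as 'agreement.pdf'.
    if len(suffixes) > 1 and any(s in DOCUMENT_MAGIC for s in suffixes[:-1]):
        findings.append(f"double extension {''.join(suffixes)!r}")

    # 3. Content must start with the magic bytes the extension implies.
    if ext in DOCUMENT_MAGIC and not data.startswith(DOCUMENT_MAGIC[ext]):
        findings.append(f"content does not match {ext!r} signature")

    # 4. For ZIP containers, look inside: a real .docx carries [Content_Types].xml,
    #    and no archive handed out as a template should hold executables or scripts.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("ZIP signature but archive is unreadable")
            names = []
        if ext == ".docx" and "[Content_Types].xml" not in names:
            findings.append(".docx container lacks [Content_Types].xml")
        for member in names:
            member_suffixes = _suffixes(member)
            if member_suffixes and member_suffixes[-1] in EXECUTABLE_EXTS:
                findings.append(f"archive contains executable member {member!r}")
    return findings


def _make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed sample input for the demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign PDF-looking file, an archive hiding a script,
# a double-extension name, and a ".pdf" whose bytes are actually a ZIP.
SAMPLES = {
    "Post-Nuptial Agreement.pdf": b"%PDF-1.7\n%constructed sample\n",
    "Agreement Template.zip": _make_zip({"Agreement Template.js": b"// constructed"}),
    "IP Agreement.pdf.js": b"// constructed",
    "Contract.pdf": _make_zip({"readme.txt": b"constructed"}),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the check over the constructed samples."""
    return {name: check_download(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The check is deliberately conservative: it only reports mismatches it can prove from the bytes and the name, so a clean result means “consistent”, not “safe”. On an endpoint the same logic belongs in a download-scanning hook or an e-mail gateway rule; here it runs over the constructed samples so the output can be inspected offline.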
