Posted on August 10, 2023 at 5:26 PM
Hackers Deploy Gootloader Malware To Target Law Firms
Gootloader, a malware loader delivered through search engine optimization (SEO) poisoning in a watering-hole style campaign, has been detected in campaigns targeting search terms linked to the legal sector. The technique is a threat to individuals and law firms that search online for legal documents and information.
Gootloader's SEO watering hole technique is a threat to law firms
Trustwave SpiderLabs described the campaign in a blog post published on August 10. The researchers said Gootloader was drawing attention because it is distributed from compromised WordPress sites, and because it uses SEO poisoning to push those sites high in search engine results.
The researchers said that Gootloader manipulates search engine results to lure users onto compromised websites, exploiting people's trust in search rankings to deliver malicious payloads that harm victims.
The researchers at SpiderLabs also said that nearly half of the cases they observed involved law firms. Most of the keywords used on these high-ranking pages are in English, but the campaign also targets French, German, Portuguese, Korean, and Spanish speakers.
Karl Sigler, a senior security research manager at SpiderLabs, said that SpiderLabs has been tracking the Gootloader malware and has detected multiple campaigns using it, showing that the extent of the activity is massive.
Sigler also said that the malware stands out because it relies on SEO promotion of malicious websites to lure victims rather than on phishing campaigns. He added that the technique targets specific industries, which yields high volumes of a specific kind of data.
“This technique balances the significant return of miscellaneous and random data from opportunistic attacks and the specific but low-quantity data from targeted attacks. Targeting a specific industry like the legal industry with this type of attack will likely result in a high volume of a specific data set,” the security researcher said.
SpiderLabs said that the campaign usually begins with a search for supply agreement documents. That search leads the user to compromised WordPress pages serving the Gootloader malware.
SpiderLabs also said it had collected multiple search queries that led to the infected websites. The most common SEO keywords on the attacker-controlled legal-document pages are contracts, agreements, and forms.
Users lured with malicious download links
When users visit a compromised site, the researchers said, they are directed to a fake forum page built around social engineering. The forum entices the user to click a download link for the document they were looking for, and that link redirects to another attacker-controlled WordPress page.
The visitor is also checked, and only if the attackers' conditions are met is a ZIP file offered for download. The ZIP's name is derived from the user's search keyword, and it contains a malicious .JS file concealed within a JavaScript library.
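The delivery chain above ends in an artifact a defender can inspect at the proxy or endpoint: a ZIP named after the search phrase, holding one script that hides its logic inside library code. The following is an added example written for this page, not code from Trustwave SpiderLabs or from the Gootloader authors. It flags archives matching that shape; the size threshold, marker strings, script extensions and the two sample archives are assumptions constructed here, not indicators published by the researchers.

```python
"""Inspect a downloaded ZIP for the Gootloader-style delivery pattern.

Added example for this page (not SpiderLabs or Gootloader code). The
heuristics, thresholds and the constructed sample archives are assumptions
a defender would tune against their own download logs.
"""
import io
import re
import zipfile
from typing import Optional

SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")
LIBRARY_SIZE_THRESHOLD = 20_000   # bytes; assumed cut-off for "padded with a JS library"
MAX_READ = 5_000_000              # bytes; do not inflate huge members (zip-bomb guard)
LIBRARY_MARKERS = (b"jQuery", b"lodash", b"Underscore", b"@license", b"Copyright")
WSH_MARKERS = (b"WScript", b"ActiveXObject", b"Shell.Application", b"String.fromCharCode")


def normalise(text: str) -> str:
    """Lower-case and collapse punctuation so file names and search phrases compare."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def inspect_zip(data: bytes, search_phrase: Optional[str] = None) -> dict:
    """Return {"suspicious": bool, "findings": [str]} for a ZIP payload.

    Looks for the shape described in the article: a script inside the archive,
    an archive that is nothing but that script, script code padded to library
    size that carries library markers, Windows Script Host/ActiveX calls, and a
    file name that mirrors the phrase the victim searched for.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Served as .zip but not a ZIP: a download control should fail closed.
        return {"suspicious": True, "findings": ["not a valid ZIP archive"]}
    with zf:
        members = zf.infolist()
        scripts = [m for m in members if m.filename.lower().endswith(SCRIPT_EXTENSIONS)]
        if scripts:
            findings.append("archive contains script files: " + ", ".join(m.filename for m in scripts))
        if scripts and len(members) == 1:
            findings.append("archive consists solely of one script file")
        for m in scripts:
            if m.file_size > MAX_READ:
                findings.append(f"{m.filename}: member too large to inspect ({m.file_size} bytes)")
                continue
            body = zf.read(m)
            if m.file_size >= LIBRARY_SIZE_THRESHOLD and any(k in body for k in LIBRARY_MARKERS):
                findings.append(f"{m.filename}: library-sized script carrying library markers")
            if any(k in body for k in WSH_MARKERS):
                findings.append(f"{m.filename}: Windows Script Host/ActiveX usage")
            if search_phrase:
                stem = normalise(re.sub(r"\.[^.]+$", "", m.filename))
                if normalise(search_phrase) in stem:
                    findings.append(f"{m.filename}: file name mirrors the search phrase")
    # A script plus at least one corroborating indicator is enough to block or quarantine.
    return {"suspicious": bool(scripts) and len(findings) >= 2, "findings": findings}


def build_sample_archive() -> bytes:
    """Constructed test data shaped like the delivery the article describes."""
    library = b"/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */\n"
    library += b"function noop(){return null;}\n" * 1000       # pad to library size
    dropper = b"var sh = new ActiveXObject('WScript.Shell');\n"  # stand-in for the hidden stage
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("supply agreement template 48215.js", library + dropper)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a document with no script inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("supply agreement template.pdf", b"%PDF-1.7\n% placeholder, not a real document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        result = inspect_zip(blob, "supply agreement template")
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

The search phrase would normally come from the referrer of the download request rather than be typed in by hand; the name check is deliberately loose because the archive names observed in these campaigns vary around the phrase rather than match it exactly.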
Law firms are a frequent target of hacking campaigns because of the sensitive data they handle. They typically deal with information on mergers and acquisitions, medical records, intellectual property, trusts and estates, tax filings, and a wide range of other confidential documents.
As such, Gootloader may be targeting law firms because of the rich information they hold. John A. Smith, CEO of Conversant, said that Gootloader has been used since late 2020 to deploy ransomware, infostealers, and remote access tools.
Law firms are also vulnerable to ransomware extortion because few can afford to have stolen client data leaked. These firms build their reputations on client trust, so paying the ransom can look like the least damaging option to a firm that is hit.
Smith also said that the campaign relies on end users downloading malicious files, so training end users is usually the best way to avoid it.
Smith noted that end-user training should sit within a layered defense. If a firm's security team had deployed controls that blocked users from downloading such files, or file inspection at the appropriate control layer, the files would never have been downloaded regardless of the user's actions, keeping the firm safe from the exploit.