New GootLoader Campaign Targets Accounting, Law Firms

WordPress Bug in 5.0

GootLoader hijacks WordPress sites to lure professionals to download malicious sample contract templates.

Once prolific spreaders of REvil ransomware, the GootLoader malware gang has pivoted to actively targeting employees of law and accounting firms with malicious downloads.

The Threat Response Unit from eSentire issued an alert about having over the past three weeks observed GootLoader attacks on three law firms and one accounting firm.

WordPress vulnerabilities let the attackers easily hijack sites offering sample business agreements for professionals, the eSentire report explained. The researchers were able to identify more than 100,000 pages with malicious business agreement links set up by GootLoader, with one site having more than 150 pages of content generated by the threat actors.

Infosec Insiders Newsletter

The law firm employees tricked by the malicious agreements were searching for common legal filings including “Post Nuptial Agreement,” Model IP Agreement” and “Olympus Plea Agreement,” according to the report.

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” Keegan Keplinger, research and reporting lead for TRU, said. “As a result, unless your organization has security protections in place, your organization is likely infected with GootLoader, which could lead to a ransomware deployment, and then it is game over.”

GootLoader Games Google SEO

The group has also gamed Google’s Search Engine Optimization algorithm to get their malicious sites and downloads to the top of keyword search results, the analysts found.

Once downloaded, GootLoader installs ransomware or Cobalt Strike, according to the eSentire TRU team.

The best way for accounting and law firms to protect their systems is to stop employees from downloading files from the web, the report added.

Law firms and accounting firms are prime targets for cyberattackers looking to capitalize on banking and other intensely sensitive data.

Last July, U.S. law firm Campbell Conroy & O’Neil, P.C. – which represents companies including Apple, Boeing, Exxon-Mobil, IBM and many other Fortune 500 companies – was hit with a ransomware attack.

And the eSentire report points to the long and illustrious track record of financial cybercrime gang FIN7, which just last July used a fake legal complaint to breach liquor company Brown-Forman.

“All organizations, not just law firms and accounting firms, should have a vetting process for business agreement samples, gathered from the Internet, to ensure that they are not infected with malware,” Keplinger advised “Employees should also be aware that GootLoader comes as a JavaScript (.js) file. While it is often disguised as a document, right clicking the downloaded file and clicking properties will show the real file type. Whenever downloading documents from the web, scripting files like .js, .ps1 and .cmd should never be executed.”

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.

Suggested articles