
GootLoader is a stealthy initial-access malware loader: once it runs on a victim's system it fetches follow-on payloads such as ransomware and other damaging malware. Its operators are now running GootLoader campaigns aimed at employees of law and accounting firms, a clear sign that the adversaries are broadening their targeting to other high-value sectors.

According to a blog post by eSentire, the company intercepted and shut down intrusions aimed at three law firms and an accounting enterprise. The victims were not named.

The researchers further explained in a write-up, “Their modus operandi (MO) is to entice a business professional to one of the compromised websites and then have them click on the link, leading to Gootloader, which attempts to retrieve the final payload, whether it be ransomware, a banking trojan or intrusion tool/credential stealer.” 

[Image: a Google search results page whose top result carries the title "Postnuptial Agreement Puerto Rico". Victims who click the malicious link are served the GootLoader malware.]

According to eSentire, nearly 100,000 malicious web pages were set up last year on websites belonging to organisations in the hotel industry, high-end retail, education, healthcare, music and the visual arts. One of the hacked websites alone hosted 150 rogue pages built to social-engineer users searching for postnuptial or intellectual-property agreement templates.

The websites were compromised by exploiting security vulnerabilities in the WordPress content management system (CMS), which let the attackers quietly inject pages of their choosing without the site owner's knowledge.

Because GootLoader is built to provide a backdoor into systems, the goal of the attacks may be intelligence gathering; it also serves as a delivery tool for additional damaging payloads, including Cobalt Strike and ransomware, dropped onto compromised systems for follow-on attacks.

According to Keegan Keplinger, research and reporting lead for eSentire’s Threat Response Unit (TRU), “GootLoader relies heavily on social engineering to establish its foothold, from poisoning Google search results to fashioning the payload. GootLoader’s operators invite employees to seek, download and execute their malware under the guise of a free business agreement template. This is particularly effective against legal firms, who may encounter uncommon requests from clients.”

To mitigate such threats, it’s recommended that organizations put in place a vetting process for business agreement samples, train employees to open documents only from trusted sources, and ensure that the content downloaded matches the content intended to be downloaded.
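To give the last recommendation (downloaded content matching what was intended) a concrete shape, here is an added example that is not part of the eSentire research or of this article: a Python check that a downloaded "agreement template" really is the document type its file name claims, by comparing the file header against the extension and refusing archives that carry script or executable members. The accepted formats (PDF and DOCX), the blocked extension list, the file names and the sample files are all assumptions constructed for the example, not artefacts from the campaign described above.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Header bytes for the document formats an agreement template is expected to arrive in.
# Assumption for this example: PDF and Office Open XML only; adjust to what you accept.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
}

# Extensions that have no business appearing in a "document template" download or inside
# an archive that claims to be one. Illustrative list, not exhaustive.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
    ".bat", ".cmd", ".exe", ".dll", ".scr", ".lnk",
}


@dataclass
class Verdict:
    ok: bool
    reason: str


def _ext(name: str) -> str:
    # Use the LAST extension, so "agreement.pdf.js" is treated as a .js file.
    return os.path.splitext(name)[1].lower()


def inspect_archive(data: bytes, kind: str) -> Verdict:
    """Open a ZIP container and reject it if any member is a script or executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return Verdict(False, f"{kind} is not a valid ZIP container")
    for member in members:
        if _ext(member) in SCRIPT_EXTENSIONS:
            return Verdict(False, f"archive contains script/executable member {member}")
    if kind == "docx" and "[Content_Types].xml" not in members:
        return Verdict(False, "docx container lacks [Content_Types].xml")
    return Verdict(True, f"{kind} contents look like a document")


def verify_download(filename: str, data: bytes) -> Verdict:
    """Return ok=True only when the bytes match the document type the name claims."""
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        return Verdict(False, f"script/executable extension {ext!r} in file name")
    if ext == ".zip":
        return inspect_archive(data, "zip")
    if ext not in EXPECTED_MAGIC:
        return Verdict(False, f"unexpected extension {ext!r}")
    if not data.startswith(EXPECTED_MAGIC[ext]):
        return Verdict(False, f"{ext} file does not start with the expected header")
    if ext == ".docx":
        return inspect_archive(data, "docx")
    return Verdict(True, "file header matches its extension")


def build_samples() -> dict:
    """Constructed sample downloads for the demonstration (not real malware)."""
    pdf = b"%PDF-1.7\n% constructed placeholder template body\n"

    # A ZIP that poses as a template but carries a script: the shape to reject.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agreement_template.js", "// constructed placeholder, does nothing\n")
    bad_zip = buf.getvalue()

    # A minimal OOXML-shaped archive that passes the docx check.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    docx = buf.getvalue()

    return {"pdf": pdf, "bad_zip": bad_zip, "docx": docx}


if __name__ == "__main__":
    samples = build_samples()
    for name, payload in [
        ("agreement.pdf", samples["pdf"]),
        ("agreement.docx", samples["docx"]),
        ("Postnuptial_Agreement_template.zip", samples["bad_zip"]),
        ("agreement.pdf.js", samples["pdf"]),
        ("agreement.pdf", samples["docx"]),
    ]:
        v = verify_download(name, payload)
        print(f"{'ACCEPT' if v.ok else 'REJECT':6} {name}: {v.reason}")
```

The check is deliberately conservative: a ZIP is only accepted when none of its members is a script or executable, and a file is only accepted as a PDF or DOCX when its leading bytes agree with the extension. It does not parse document contents, so it is a first gate for a download vetting process, not a replacement for scanning.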
