An active GootLoader campaign was found targeting the employees of accounting and law firms. The campaign is attempting to deliver malware on targeted systems in a widespread cyberattack.
What has happened
According to eSentire, GootLoader is a stealthy malware used for initial access. Once inside the system, it delivers ransomware or other dangerous malware.
GootLoader uses social engineering tactics for initial access in which it poisons the Google search results.
The cybersecurity firm first observed, and was able to stop, the intrusion aimed at an accounting enterprise and three different law firms. The names of the victim firms were not disclosed.
How does the infection work?
The rogue websites exploited security vulnerabilities in the WordPress content management system and allowed the attackers to inject malicious pages and documents without the knowledge of the website owner.
GootLoader provides a backdoor into systems, suggesting the goal of the attacks could be gathering intelligence or using the malware as a tool for delivering additional payloads.
The malware operator invites employees to pursue, download, or execute the malware under the disguise of a free business agreement template, which acts as an effective tactic against legal firms that face requests from clients.
In December last year, over 100,000 malicious web pages were created for websites representing organizations in the education, hotel industry, retail, music, healthcare, and visual arts.
One website was found hosting 150 rogue pages for users searching for intellectual property and postnuptial agreements.
GootLoader is still active and seems to be focusing on intelligence gathering. Thus, organizations are suggested to apply a vetting process for agreement samples and train employees on proper cyber hygeine, especially regarding emails from unknown senders. Additionally, ensure the downloaded content has not been tampered with.