According to cybersecurity company eSentire, six law firms were targeted by two distinct malware campaigns, one delivering GootLoader and one delivering SocGholish, in January and February 2023. The first campaign targeted employees of law firms and sought to infect their machines with GootLoader, a malware family known for installing the Cobalt Strike implant, REvil ransomware, and the GootKit remote access trojan (RAT).
Because none of the GootLoader infections eSentire detected in 2022 deployed ransomware, the company assesses that these attacks appear to be focused on espionage and data exfiltration. The attackers gained initial access through SEO poisoning: they added blog posts to legitimate WordPress websites that had been compromised.
The blog posts planted on the compromised sites used legal keywords to attract legal personnel and to boost the pages’ search engine rankings. Visitors were redirected to a fake forum page that urged them to download a purported agreement or contract template, and that download delivered the GootLoader malware.
Hackers Attack Employees from Six Law Firms with the GootLoader and SocGholish Malware Using Fake Legal Agreements and Malicious Watering Holes, reports eSentire https://t.co/OJHbHimO2i #lawyer #legal #lawfirm #data #cybersecurity
— Yorick Reintjens 🚀🔥 (@YorickReintjens) March 1, 2023
According to eSentire researcher Keegan Keplinger, the GootLoader operation may have shifted to support attacks that are not only financially motivated but also politically motivated cyber-espionage operations: ransomware is no longer being deployed in these attacks, yet they continue to successfully infect law firms.
In the second campaign, the attackers used the SocGholish malware, also known as FakeUpdates, to target employees of law firms and other business professionals.
SocGholish, which is frequently used by initial access brokers, lets attackers perform reconnaissance and deploy further payloads such as Cobalt Strike. SocGholish infections have also recently been observed delivering the LockBit ransomware.
The observed attacks used poisoned domains, including the compromised website of a Miami notary company. The hacked site presented visitors with a fake pop-up notification advising them to update their Chrome browser, and that fake update delivered the SocGholish malware.
“SocGholish operators grab the odd high-value target website from their infections by infecting a sizable number of lower traffic websites. To give one example, law offices frequently visit the Notary Public website.” These visits are valued highly, according to eSentire.
What Impact Does Gootloader Have On Websites?
Gootloader uses fraudulent SEO practices to push a page into relevant Google search results, which puts the websites it compromises, and their visitors, at risk of malware attacks. That may not sound too serious, but the problem is that this downloader modifies existing websites so that they serve different content to different visitors of the same link, changing what particular people see.
Severe fines may result from this. Besides misleading website visitors, Gootloader also raises the risk of phishing, because it sends visitors to a specific page that can serve as a “trap” or “bait” for unwary users.
Functionally, Gootloader infects WordPress websites by first adding a few extra lines of code to one of the site’s page files. When those lines are invoked, they launch a command that forces the infected site to download several pages of fake content. These downloads are repeated over time to buy time and evade detection, so that the actual attack can continue while its results stay hidden.
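As an added illustration (not code from the article or from eSentire) of how a site owner might notice the kind of file modification just described, the following Python script records a SHA-256 baseline of a WordPress web root and later reports files that were changed, added, or removed. The directory layout and file contents in the demo are constructed, and the helper names (`build_baseline`, `compare_to_baseline`, `demo`) are this example’s own.

```python
"""Added example: file-integrity baseline for a web root.
Not code from the article or eSentire; the demo site layout is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth tracking on a WordPress install (assumption: adjust to taste).
TRACKED_SUFFIXES = {".php", ".js", ".html"}
TRACKED_NAMES = {".htaccess", "wp-config.php"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each tracked file (POSIX-style relative path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in TRACKED_SUFFIXES or path.name in TRACKED_NAMES):
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the baseline. Keep this copy outside the web root: an intruder who
    can edit page files could otherwise edit the baseline as well."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose hash changed, files not in the baseline, and missing files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean site, then simulate a few appended
    lines in an existing theme file plus one dropped file, and diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"          # constructed web root
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php /* constructed config */\n")
        footer = theme / "footer.php"
        footer.write_text("<?php wp_footer(); ?>\n")

        baseline_file = Path(tmp) / "baseline.json"   # stored outside the web root
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering (placeholder text, not real injected code).
        with footer.open("a") as fh:
            fh.write("<?php /* constructed placeholder for appended lines */ ?>\n")
        (root / "wp-content" / "cache.php").write_text("<?php /* constructed dropped file */\n")

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken immediately after a clean install or update and re-checked on a schedule; a hit on a theme or plugin file that nobody updated is the signal to investigate.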
Typically, the best way to defend your website against a Gootloader attack is to avoid downloading compromised plugins (especially the Gootloader plug-in itself). Beyond avoiding unauthorized downloads, protecting your CMS and web pages also means watching for warning signs such as:
- A JavaScript file being executed by wscript (Windows Script Host).
- A file named “*agreement*.js” (for English site users)
- A file named “*herdownload*.js” (for German site users)
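The warning signs above can be turned into a concrete endpoint check. The following Python script is an added example (not code from the article or from eSentire): it reads process-creation events in a simple CSV form, flags Windows Script Host (wscript.exe or cscript.exe) launching a .js file, and raises the severity when the script name matches the *agreement*.js or *herdownload*.js patterns named in the list. The sample events, the CSV column names, the path hints, and the severity scheme are constructed for this example.

```python
"""Added example: flag Windows Script Host launching .js files in process logs.
Not code from the article or eSentire; the events and columns are constructed."""
import csv
import fnmatch
import io
import ntpath
import shlex
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Lure name patterns from the article's list (matched case-insensitively).
LURE_PATTERNS = ("*agreement*.js", "*herdownload*.js")
# Constructed hints for user-writable locations a downloaded lure usually lands in.
USER_PATH_HINTS = ("\\users\\", "\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed sample events: timestamp,host,user,image,command_line
SAMPLE_EVENTS = r'''timestamp,host,user,image,command_line
2023-02-14T09:12:03Z,WS-LEGAL-07,jdoe,C:\Windows\System32\wscript.exe,"wscript.exe ""C:\Users\jdoe\Downloads\partnership agreement template.js"""
2023-02-14T09:12:05Z,WS-LEGAL-07,jdoe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2023-02-14T10:02:11Z,WS-LEGAL-03,asmith,C:\Windows\System32\wscript.exe,wscript.exe C:\Users\asmith\AppData\Local\Temp\vertrag_herdownload.js
2023-02-14T10:30:00Z,WS-LEGAL-03,svc_admin,C:\Windows\System32\cscript.exe,cscript.exe C:\Scripts\logon_cleanup.js
2023-02-14T11:00:00Z,WS-LEGAL-09,bchen,C:\Program Files\Google\Chrome\Application\chrome.exe,chrome.exe --profile-directory=Default
'''


def extract_script_paths(command_line: str) -> list:
    """Return the .js arguments of a command line, with surrounding quotes removed.
    posix=False keeps Windows backslashes intact instead of treating them as escapes."""
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    return [t for t in tokens if t.lower().endswith(".js")]


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert when a script host runs a .js file, otherwise None."""
    if ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return None
    scripts = extract_script_paths(event["command_line"])
    if not scripts:
        return None
    script_path = scripts[0]
    script_name = ntpath.basename(script_path).lower()
    lure_match = any(fnmatch.fnmatchcase(script_name, p) for p in LURE_PATTERNS)
    user_writable = any(hint in script_path.lower() for hint in USER_PATH_HINTS)
    if lure_match:
        severity, reason = "high", "script name matches a GootLoader lure pattern"
    elif user_writable:
        severity, reason = "medium", "script host ran a .js file from a user-writable path"
    else:
        severity, reason = "low", "script host ran a .js file; review if unexpected"
    return {
        "timestamp": event["timestamp"],
        "host": event["host"],
        "user": event["user"],
        "script": script_path,
        "severity": severity,
        "reason": reason,
    }


def scan_events(csv_text: str) -> list:
    """Parse CSV process-creation events and return the alerts, in log order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [alert for alert in (classify_event(row) for row in reader) if alert]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']:<6}] {alert['timestamp']} {alert['host']} "
              f"{alert['user']}: {alert['script']} ({alert['reason']})")
```

The low-severity bucket exists because legitimate administration scripts also run under cscript.exe; tuning it against a known-good baseline of script locations keeps the high-severity hits, which are the ones worth paging on, from being drowned out.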
If you want to give your website the comprehensive defense it needs to fend off such malware attacks, hiring a professional who can keep your pages secure is crucial.
Among all the concerns you face when managing a WordPress website, the possibility of falling prey to a Gootloader attack is one you should be most prepared for.
By keeping the essential points listed above in mind, you can take a more proactive approach to securing your website and making sure it isn’t affected by this malware threat.
Conclusion
In January and February 2023, two separate cyber campaigns distributing the malware strains GootLoader and FakeUpdates (also known as SocGholish) targeted six different law firms. GootLoader, a first-stage downloader active since late 2020, can deliver various secondary payloads, including Cobalt Strike and ransomware. Notably, it uses SEO poisoning to direct victims searching for business-related documents to fly-by-night download sites that host JavaScript malware.
Security firm eSentire has described a campaign in which threat actors are alleged to have infiltrated trustworthy but vulnerable WordPress websites and secretly uploaded new blog posts. In January 2022, eSentire researcher Keegan Keplinger stated that when a computer user navigates to one of these malicious web pages and clicks the link to download the ostensible business agreement, they unintentionally install GootLoader.