
New GootLoader Campaign Targets Accounting, Law Firms – Threatpost

GootLoader hijacks WordPress sites to lure professionals to download malicious sample contract templates.
Once prolific spreaders of REvil ransomware, the GootLoader malware gang has pivoted to actively targeting employees of law and accounting firms with malicious downloads.
The Threat Response Unit (TRU) at eSentire issued an alert after observing GootLoader attacks on three law firms and one accounting firm over the past three weeks.
WordPress vulnerabilities let the attackers easily hijack sites offering sample business agreements for professionals, the eSentire report explained. The researchers were able to identify more than 100,000 pages with malicious business agreement links set up by GootLoader, with one site having more than 150 pages of content generated by the threat actors.
The law firm employees tricked by the malicious agreements were searching for common legal filings including “Post Nuptial Agreement,” “Model IP Agreement” and “Olympus Plea Agreement,” according to the report.
“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” Keegan Keplinger, research and reporting lead for TRU, said. “As a result, unless your organization has security protections in place, your organization is likely infected with GootLoader, which could lead to a ransomware deployment, and then it is game over.”
The group has also gamed Google’s Search Engine Optimization algorithm to get their malicious sites and downloads to the top of keyword search results, the analysts found.
Once downloaded, GootLoader installs ransomware or Cobalt Strike, according to the eSentire TRU team.
The best way for accounting and law firms to protect their systems is to stop employees from downloading files from the web, the report added.
Law firms and accounting firms are prime targets for cyberattackers looking to capitalize on banking and other intensely sensitive data.
Last July, U.S. law firm Campbell Conroy & O’Neil, P.C. – which represents companies including Apple, Boeing, Exxon-Mobil, IBM and many other Fortune 500 companies – was hit with a ransomware attack.
And the eSentire report points to the long and illustrious track record of financial cybercrime gang FIN7, which just last July used a fake legal complaint to breach liquor company Brown-Forman.
“All organizations, not just law firms and accounting firms, should have a vetting process for business agreement samples, gathered from the Internet, to ensure that they are not infected with malware,” Keplinger advised. “Employees should also be aware that GootLoader comes as a JavaScript (.js) file. While it is often disguised as a document, right clicking the downloaded file and clicking properties will show the real file type. Whenever downloading documents from the web, scripting files like .js, .ps1 and .cmd should never be executed.”
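A defender-side check for the file-type point in the quote above, written here as an added example (not eSentire's or Threatpost's code): it classifies downloaded file names by their real, last extension and flags script files whose name also carries a document extension, the disguise Explorer hides when it suppresses known extensions. The sample file names are constructed from the lure titles the report cites.

```python
"""Flag downloads whose real type is a script (.js, .ps1, .cmd) even though
the name is dressed up to look like a document.  Added example; sample names
below are constructed."""
from pathlib import Path

# Extensions Windows executes on double-click (the three the article names).
SCRIPT_EXTS = {".js", ".ps1", ".cmd"}
# Extensions an employee expects a "sample agreement" download to carry.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".odt"}


def classify(filename: str) -> dict:
    """Return the real (last) extension and whether the name masquerades as a document.

    Windows picks the handler from the *last* extension, so
    'Post Nuptial Agreement.pdf.js' runs as JScript although Explorer, with
    'Hide extensions for known file types' on, shows 'Post Nuptial Agreement.pdf'.
    """
    suffixes = [s.lower() for s in Path(filename).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    # Any earlier extension in the chain, e.g. '.pdf' in '.pdf.js', is the disguise.
    shown_as_doc = any(s in DOCUMENT_EXTS for s in suffixes[:-1])
    is_script = real_ext in SCRIPT_EXTS
    return {
        "name": filename,
        "real_ext": real_ext,
        "is_script": is_script,
        "disguised": is_script and shown_as_doc,
    }


def scan_downloads(folder: Path) -> list:
    """Walk a downloads folder and return every script file, disguised ones first."""
    hits = [classify(p.name) for p in folder.rglob("*") if p.is_file()]
    hits = [h for h in hits if h["is_script"]]
    return sorted(hits, key=lambda h: not h["disguised"])


if __name__ == "__main__":
    import tempfile
    # Constructed sample downloads mirroring the lure names cited in the report.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("Post Nuptial Agreement.pdf.js", "Model IP Agreement.docx",
                     "Olympus Plea Agreement.ps1", "notes.txt"):
            (Path(tmp) / name).write_text("sample")
        for hit in scan_downloads(Path(tmp)):
            tag = "DISGUISED " if hit["disguised"] else ""
            print(f"{tag}script download: {hit['name']} ({hit['real_ext']})")
```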