GootLoader Hackers Targeting Employees of Law and Accounting Firms

Operators of the GootLoader campaign have been observed specifically targeting employees of accounting and law firms this year, marking a shift in their choice of targets. In these campaigns the GootLoader payload is the initial-access malware used to compromise a system, with other, more damaging malware such as ransomware to follow.

GootLoader uses poisoned search-engine results to lure targets into downloading the GootLoader malware. The operators host the malware on compromised WordPress sites, disguised as sample business agreements or templates that the targeted victims are likely to want to view. When a victim searches for these kinds of business agreements, the compromised WordPress site appears among the top results returned by the search engine, and the victim ends up visiting it. The fake business agreement hosted on the site is actually a JavaScript file that, when executed, downloads further malware onto the system. GootLoader samples show that the next-stage payload may be a strain of ransomware, the Gootkit banking trojan, or a Cobalt Strike beacon.

The WordPress sites used by the GootLoader operators appear to have been compromised by exploiting security vulnerabilities in unpatched or outdated versions of the software.

Analyst Notes

Organizations should educate employees on the risk of using search engines to find free document templates, and make sure that any templates they download come only from verified or trusted sources. Likewise, content downloaded from the Internet should be checked to confirm that it is actually what it appears to be and is not masquerading as a different file type than it is. A capable EDR tool is also essential for preventing or detecting the behavior and payloads used by malware families such as GootLoader. Administrators of WordPress websites should keep the site's attack surface as small as possible: ensure that user accounts have strong passwords and multi-factor authentication (MFA) enabled, keep the WordPress version and all themes and plugins up to date, and install and enable only the themes and plugins that are actually required. Because of its widespread use across the Internet, WordPress is a high-value target for threat actors to compromise and use as a staging platform for attacks, so keeping WordPress sites secure also helps prevent others from being attacked or infected with malware.
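The note above says downloaded content should be checked to confirm it is what it appears to be. The following Python script is an added example, not code from the original post or from any vendor, of a triage check a defender could run over a downloads folder or a mail/web-proxy quarantine: it flags Windows Script Host files (.js, .vbs, .wsf, .hta and similar) whose names imitate business documents or hide behind a double extension, verifies that files claiming a document extension actually start with that format's signature, and opens zip archives to look for script members, the delivery pattern described for GootLoader. The magic-byte table, the list of "document-like" words, and the constructed sample files are assumptions chosen for illustration.

```python
"""Triage downloaded files for scripts disguised as business documents.

Added example; not from the original post. The signature table, the
keyword list and the sample inputs are illustrative assumptions.
"""
from __future__ import annotations

import io
import os
import zipfile
from dataclasses import dataclass


# Assumed magic-byte prefixes for common document containers (illustrative).
DOCUMENT_MAGIC: dict[str, tuple[bytes, ...]] = {
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file
    ".docx": (b"PK\x03\x04",),                        # OOXML is a zip
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}

# Extensions that Windows Script Host / mshta execute as code.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Words a lure file name tends to use to look like a document (assumption).
DOCUMENT_WORDS = ("agreement", "contract", "template", "nda", "invoice", "form")


@dataclass
class Verdict:
    name: str
    suspicious: bool
    reasons: list[str]


def _split_exts(name: str) -> tuple[str, str, str]:
    """Return (root, inner extension, outer extension), lower-cased.
    For 'invoice.pdf.js' this gives ('invoice.pdf', '.pdf', '.js')."""
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)
    inner = os.path.splitext(root)[1]
    return root, inner, ext


def check_name(name: str) -> list[str]:
    """Name-only heuristics: script extension, double extension, lure wording."""
    root, inner, ext = _split_exts(name)
    reasons: list[str] = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"{ext} file runs as a script, not a document")
        if inner in DOCUMENT_MAGIC:
            reasons.append(f"double extension {inner}{ext} disguises a script as a document")
        if any(word in root for word in DOCUMENT_WORDS):
            reasons.append("script is named like a business document")
    return reasons


def check_content(name: str, data: bytes) -> list[str]:
    """Content heuristics: claimed type vs. real signature, scripts inside archives."""
    _, _, ext = _split_exts(name)
    reasons: list[str] = []
    expected = DOCUMENT_MAGIC.get(ext)
    if expected and not any(data.startswith(magic) for magic in expected):
        reasons.append(f"content does not start with a {ext} signature")
    if data.startswith(b"PK\x03\x04"):
        # Look inside zip-based containers (plain .zip as well as OOXML).
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    reasons.extend(f"archive member {member}: {r}" for r in check_name(member))
        except zipfile.BadZipFile:
            reasons.append("has a zip signature but cannot be parsed as a zip")
    return reasons


def classify_download(name: str, data: bytes) -> Verdict:
    reasons = check_name(name) + check_content(name, data)
    return Verdict(name, bool(reasons), reasons)


def build_samples() -> dict[str, bytes]:
    """Constructed sample files (not real malware): a benign PDF, a zip with a
    script inside, a bare lure script, a double-extension script, and a file
    that claims to be .docx but is not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("service agreement template 12345.js", "var placeholder = 1;")
    return {
        "Contract_Template.pdf": b"%PDF-1.7\n% constructed placeholder\n",
        "real_agreement.zip": buf.getvalue(),
        "nda template.js": b"// constructed placeholder script\n",
        "invoice.pdf.js": b"// constructed placeholder script\n",
        "quarterly_report.docx": b"not actually an OOXML document",
    }


if __name__ == "__main__":
    for sample_name, sample_data in build_samples().items():
        verdict = classify_download(sample_name, sample_data)
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} {sample_name}")
        for reason in verdict.reasons:
            print(f"           - {reason}")
```

The checks are deliberately cheap and signature-free, so they are a first-pass triage, not a replacement for EDR: a real deployment would also want limits on archive size and nesting depth before opening untrusted zips, and would feed flagged files to a sandbox rather than treating the verdict as final.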