Operators of the GootLoader campaign have been observed specifically targeting employees of accounting and law firms this year, marking a shift in their targeting. The GootLoader payload is the initial-access malware used to compromise a system in these campaigns, with more damaging malware, such as ransomware, following.
The WordPress sites that the GootLoader operators have compromised appear to have been broken into by exploiting security vulnerabilities in unpatched or outdated versions of the software.
It is recommended that organizations educate employees on the risk of using search engines to find free document templates. This includes making sure that any templates they download come only from verified or trusted sources. Likewise, it is important to verify that content downloaded from the Internet is actually what it appears to be and is not masquerading as a different file type than it really is. Deploying a capable EDR tool is also essential for preventing or detecting the behavior and payloads used by malware families such as GootLoader.

For administrators of WordPress websites, it is highly recommended to keep the site's attack surface as small as possible. This can be done through a number of steps, such as: ensuring user accounts have strong passwords and multi-factor authentication (MFA) enabled, keeping the WordPress version and all themes and plugins up to date, and making sure only required themes and plugins are installed and enabled. Because of its widespread use across the Internet, WordPress is a high-value target for threat actors to compromise and use as a staging platform for attacks, so keeping WordPress sites secure helps prevent others from being attacked or infected with malware.
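As an added example (not from the original article), the following Python check implements the "is the download really what it appears to be" recommendation above: it compares a file's claimed extension against its leading bytes and flags script-type or double extensions. The magic-byte table and sample file contents are constructed here for illustration.

```python
import io
import zipfile

# Leading bytes that identify the document containers a template search usually returns.
MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy OLE2 (Word 97-2003)
    "zip": b"PK\x03\x04",                         # plain ZIP; also the OOXML (.docx) container
}
# Extensions Windows runs as script when a user double-clicks the file.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "cmd", "bat"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "zip"}


def detect_type(data: bytes) -> str:
    """Classify content by magic bytes; OOXML is a ZIP whose entries live under word/."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            if kind != "zip":
                return kind
            try:
                names = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                return "zip"
            return "docx" if any(n.startswith("word/") for n in names) else "zip"
    return "unknown"


def assess_download(filename: str, data: bytes) -> list[str]:
    """Return findings where the name promises one thing and the content delivers another."""
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    actual = detect_type(data)
    findings = []
    if claimed in SCRIPT_EXTENSIONS:
        findings.append(f"final extension .{claimed} is a script type")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension hides a document name: {filename}")
    if claimed in DOCUMENT_EXTENSIONS and actual != claimed:
        findings.append(f"named .{claimed} but content is {actual}")
    return findings


# Constructed samples, not real GootLoader artifacts.
GOOD_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
FAKE_PDF = b"var template = 'https://PLACEHOLDER.example/'; // script, not a document\n"

if __name__ == "__main__":
    for name, blob in [("invoice_template.pdf", GOOD_PDF), ("invoice_template.pdf", FAKE_PDF),
                       ("nda_template.docx.js", FAKE_PDF)]:
        print(name, assess_download(name, blob) or ["ok"])
```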