Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Hackers Attack Employees from Six Law Firms

March 9, 2023

eSentire, a cybersecurity firm, reported on February 8th that it had shut down 10 cyberattacks hitting six different law firms in January and February 2023. The law firms were not identified, but this is what eSentire said took place.

The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.

eSentire’s Threat Response Unit (TRU) observed SocGholish dropping the Cobalt Strike intrusion framework within 10 minutes, while GootLoader has been observed dropping IcedID (a banking-trojan-turned-loader) and escalating to hands-on intrusions by the threat actors.

For more precise details, click on the link above.

Some of these attacks did not involve ransomware. The cybercriminals were fixated on the exfiltration of data. Some attacks compromised legitimate but vulnerable WordPress websites.

Titles which were effective at tricking legal firm employees included “a verbal agreement between a buyer and seller of real estate is considered“ and “professional firefighters association collective agreement.”

While the term “agreement” is a commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” GootLoader uses legal titles in such a way that when a business professional searches on the Internet for specific contracts or agreements, there is little SEO competition for the collection of words used together. Thus GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they’re presented with a fake forum page providing an alleged agreement template or contract template.

When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware. TRU responded to multiple incidents involving several law firm customers and, in all cases, the victims searched for document templates.

There was also a SEO Poisoning GootLoader campaign where the words “contract salary calculator Ontario” is populated on countless pages within a legitimate website. When a business professional looks for a sample of this via a Google Search, the search results will return this compromised website at the top of the search and this website will serve the initial payload.

A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware. SocGholish is a loader type malware that can perform reconnaissance activity and deploy secondary payloads including Cobalt Strike. Threat actors using SocGholish typically function as initial access brokers (they sell the access to other cybercriminals).

In one case, the attackers hijacked the website of a business that provides Notary Public services in the metropolitan area of Miami, Florida.

They compromised the Notary Public’s website so that, when visitors came to the website, an official-looking message popped up telling the visitor to update their Chrome Browser. However, when the visitor went to update their browser, they were actually downloading the SocGholish malware.  The Notary Public website was frequented by legal firms, as you might imagine.


SocGholish: You should never have to download a file to update Chrome. You can update Chrome by clicking the three dots in the upper right corner, then clicking Settings, then clicking About Chrome (bottom of navigation bar on the left). On that screen, you will see an interface for assessing the current chrome version and updating it.

GootLoader: Don’t trust documents posted on random forums. Have a process for employees to download documents from trusted sources only.

Here are more general recommendations provided by eSentire:

Display file extensions for known file types.

Make sure you trust document sources. Even legitimate Word and Excel documents from the Internet can lead to malware.

Use Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching downloaded content.

Employ an Endpoint Detection and Response (EDR) tool to detect and isolate threats before they spread laterally.

Phishing and security awareness training should be mandated for all company employees. The training should focus on the following topics:

  • The downloading and execution of files from unverified sources.
  • Process for reporting potential security incidents.
  • Educate users about safe Internet browsing habits.
  • Avoid free versions of paid software.
  • Inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain).
  • Always inspect the extension of files, do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.
  • Employees need to report security threats without fear of repercussion, even if caused accidentally.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology