Once prolific spreaders of REvil ransomware, the GootLoader malware gang has pivoted to actively targeting employees of law and accounting firms with malicious downloads.
The Threat Response Unit (TRU) from eSentire issued an alert saying that over the past three weeks it had observed GootLoader attacks on three law firms and one accounting firm.
WordPress vulnerabilities let the attackers easily hijack sites offering sample business agreements for professionals, the eSentire report explained. The researchers were able to identify more than 100,000 pages with malicious business agreement links set up by GootLoader, with one site having more than 150 pages of content generated by the threat actors.
The law firm employees tricked by the malicious agreements were searching for common legal filings including “Post Nuptial Agreement,” “Model IP Agreement” and “Olympus Plea Agreement,” according to the report.
“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” Keegan Keplinger, research and reporting lead for TRU, said. “As a result, unless your organization has security protections in place, your organization is likely infected with GootLoader, which could lead to a ransomware deployment, and