The privileged information clients share with attorneys amounts to a treasure trove for hackers.
Two threat campaigns, one spreading a malware called GootLoader and the other SocGholish, targeted seven law firms in the first few months of 2023, according to global cybersecurity solutions provider eSentire’s Threat Response Unit, which blocked the attacks.
The GootLoader campaign has been targeting law firm staff who download what they think is a legal document template found through search results but is in reality malware. Keegan Keplinger, a senior threat intelligence researcher with TRU, said the malware has tricked paralegals and attorneys as well as in-house legal departments of businesses. When the expected template never appears, victims often download and open the malware several more times.
“I think they, upon trying to open it, they didn’t get anything,” Keplinger said, “so they went and downloaded it again and tried to open it again.”
GootLoader sets up fake blog posts as traps on various “legitimate but vulnerable” WordPress sites not relating to the legal industry — websites sharing personal photography, culture, nonprofit and even some with commercial purposes. According to Keplinger, some of the sites have been abandoned for several years, leaving them vulnerable.
Keplinger said hackers also block a site’s owners and regular registered users from even viewing the faked blog posts.
“They even go a step further and block registered users from getting to those blogs so if you’re a registered user from that website, you’re actually protected from it,” Keplinger said. “Because they want to get those one-off people that are coming from the search engine and don’t know the broader context of the website. They’re just going to that one blog post.”
Those blog posts use hyper-specific legal search engine terms teasing templates for contracts like real estate agreements and collective agreements, as well as what appears to be a contract salary calculator.
The SocGholish malware campaign in January “poisoned websites en masse” with a pop-up instructing visitors to update their Google Chrome browser; the fake update tricks them into downloading the malware. One of the websites was a Miami, Florida, notary public website that legal firm employees frequent for services including general financial transactions, estates, deeds and powers of attorney.
The malware from both campaigns creates an entry point into a network that allows hackers to act on stolen access in record time. According to TRU, a hacker can follow up on a SocGholish infection and penetrate a system within 10 minutes of a user unknowingly letting the malware onto their work PC. Once one employee inadvertently lets in malware, an entire network can be infected.
The hacker is in
The SocGholish and GootLoader threat campaigns fit the pattern of hackers casting a wide net for victims. What’s unusual about the GootLoader campaign is how it has narrowed its strategy to target almost exclusively law firms in the last year.
Dan Nelson worked at Armstrong Teasdale as an attorney for 30 years and co-founded what is now the firm’s data innovation, security and privacy practice group. He earned his ethical hacker certification and built his own hacking lab to learn the technical aspects of information security before he left the practice of law to co-found Digital Silence, a security company.
Nelson noted that everyone with a computer and access to money or information is a target.
“Given the way these modern attacks occur, there is no such thing as too anonymous, as too small, or ‘Maybe I can just go unnoticed,’” Nelson said.
Keplinger noted that the information clients entrust to law firms is gold to hackers with financial as well as political espionage motivations.
“There’s a lot of more sensitive information there just in general,” Keplinger said.
Trade agreements can open up interest in economic espionage while law firms filing lawsuits against foreign states can find themselves targeted, Keplinger said.
Nelson noted that the size of a firm isn’t the best gauge of how concerned it should be about cybersecurity. Smaller firms in particular, however, are most affected by ransomware, which locks down a computer or even an entire network until a ransom is paid, and by business email compromise, which can open the door to fraudulent funds transfers.
“Even a small firm may handle large settlement checks from time to time,” Nelson said. “Someone can get into the system and misdirect those settlement checks to a malicious party instead of your client.”
Lurking malware
Keplinger noted an emerging trend of threat campaigns in the last few years where some ransomware groups have stopped using ransomware altogether to lock down affected computers and skip to extracting data.
“And they’ll do all the same things, maybe publish them on a leak site, call people up and threaten them to get money,” Keplinger said. “But they’re no longer dropping that ransomware and locking down computers.”
Keplinger cited another ethical hacker’s honeypot, in which a researcher observed a hacker following up on a GootLoader-infected system over two days in 2022. By the end of day one, the hacker had disabled defenses, moved on to three other workstations and downloaded files.
Branded ransomware is easier to trace than leaks and threats, and Keplinger believes that forgoing ransomware is a tactic to keep the Federal Bureau of Investigation from shutting down ransom attempts with sanctions.
“But if you’re doing just pure exfiltration, there’s a lot less chances to identify, so there’s nobody really to sanction,” Keplinger said.
Elizabeth Clarke, director of public relations for eSentire, noted the agility of the shadow economy of organized crime groups devoted to hacking.
“The hackers are like any business,” Clarke said. “They adapt to the market, what’s going on in the market and obstacles.”