A Look Back On: How Accounting and Law Firms Were Targeted

Accounting and law firms have always been seen as attractive targets by cybercriminals because of the sensitive nature of the work they do and the amount of important data stored on their computers.

The GootLoader malware group unleashed a hacking campaign that exploited something accounting and law firms rely on every day: sample document templates.

An Overview: GootLoader Poisons Sample Document Templates

Instead of always writing documents from scratch, such as contracts, accounting and law professionals typically start with a readily available template and edit it based on their needs.

According to the Threat Response Unit (TRU) from eSentire, the GootLoader malware group is polluting the web with malware disguised as legitimate document templates. When a user opens the downloaded file, their computer becomes infected either with ransomware or Cobalt Strike, a full-featured intrusion suite.

Instead of setting up their own website with document templates, the GootLoader malware group is taking advantage of WordPress vulnerabilities to compromise existing websites, especially those that already rank well in popular search engines. Once a site is compromised, the hackers can publish any content they want, and the owner of the website may not notice for days, weeks, or even months.

“The TRU found that the GootLoader hackers stood up over 100,000 malicious web pages promoting different types of business agreements. In one case, one of the compromised websites was hosting 150 pages of the hackers’ content,” writes eSentire.

How Can Accounting and Law Firms Protect Themselves?

At its core, the new GootLoader campaign relies on indirect social engineering. By hacking vulnerable WordPress sites, the attackers hide their true identities, making it much easier for them to convince unsuspecting accounting and law professionals that they have nothing to worry about.

The best protection against all social engineering attacks is cybersecurity awareness training. When employees know that threats such as GootLoader exist, they’re much less likely to carelessly download files from third-party websites without even considering that they could be infected with malware.

Of course, the convenience of using a ready-made template instead of writing the entire document from scratch is hard to give up, but the good news is that it’s seldom necessary to do so.

Instead of completely prohibiting employees from downloading documents from the web, accounting and law firms should create policies that clearly specify the websites from which employees are allowed to download document templates. This simple step narrows the attack surface considerably, especially when only a small handful of trustworthy sites are included.

GootLoader and other attacks that rely on malicious JavaScript or VBScript can be stopped with attack surface reduction (ASR) rules in Microsoft Defender for Endpoint, which target executable files and scripts that attempt to download or run files, along with other suspicious behaviors.

Last but not least, accounting and law firms should have in place a reliable Endpoint Detection and Response (EDR) product to continually monitor and respond to cyber threats.
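As an added example (not from the article, eSentire, or BCA), the following PowerShell enables the two ASR rules most relevant to script-based loaders like GootLoader, staged through audit mode first so legitimate template workflows can be checked before enforcement. The rule GUIDs are Microsoft's published identifiers for these rules and should be confirmed against the current Defender ASR rules reference before deployment.

```powershell
# Added example: stage Defender for Endpoint ASR rules against script-based loaders.
# Run from an elevated PowerShell prompt on a machine running Microsoft Defender.
# GUIDs below are Microsoft's published rule identifiers; verify them against the
# current ASR rules reference before rolling out.

$Rules = @{
    # Block JavaScript or VBScript from launching downloaded executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloaded executables'
    # Block execution of potentially obfuscated scripts
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $Ids,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode
    )
    foreach ($Id in $Ids) {
        # Add-MpPreference appends to the existing rule list rather than replacing it,
        # so rules already configured by other policies are left untouched.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)] [string[]] $Ids)
    $Pref = Get-MpPreference
    for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $Id = $Pref.AttackSurfaceReductionRules_Ids[$i]
        if ($Ids -contains $Id) {
            # Actions are stored as integers: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            [pscustomobject]@{
                RuleId      = $Id
                Description = $Rules[$Id]
                Action      = $Pref.AttackSurfaceReductionRules_Actions[$i]
            }
        }
    }
}

# Phase 1: audit mode. Downloads that would trip the rule are logged as Event ID 1122
# in the Microsoft-Windows-Windows Defender/Operational log without blocking anyone.
Set-AsrRuleMode -Ids @($Rules.Keys) -Mode AuditMode
Get-AsrRuleState -Ids @($Rules.Keys)

# Phase 2, after reviewing the audit events for false positives: switch to block.
# Set-AsrRuleMode -Ids @($Rules.Keys) -Mode Enabled
```

Review the audit events for a week or two of normal template use before switching to block mode, so a legitimate internal workflow is not mistaken for an attack.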

Let Us Help You Defend Your Firm

Although the GootLoader campaign has been out for a while, it is just one of many examples of the growing sophistication of cybersecurity threats. If you have an accounting or law firm, then it’s only a matter of time before cybercriminals set their sights on you. We at BCA can help you strengthen your defenses by implementing the controls described in this article. Get in touch with us for more information.