Morphisec Labs has been tracking a GuLoader campaign since April of this year. The campaign has been specifically targeting American law firms, along with healthcare and investment firms. GuLoader, also known as Cloudeye, has been operating for over three years and has continuously evolved during this period.

Diving into details

Among the attacks observed, law firms accounted for 46.4%, followed by healthcare firms (21.4%) and investment firms (17.9%). 
  • The attached PDF is password-protected, with the sender conveniently providing the PIN in the email. The PDF's content suggests that decryption is required for viewing, enticing the victim to click on an embedded icon.
  • A PowerShell script is executed to decode and run a second-stage PowerShell script under the 32-bit version of PowerShell, because the GuLoader shellcode is 32-bit. The second-stage script contains XOR-encoded strings responsible for downloading the GuLoader shellcode.
  • The shellcode is then responsible for downloading, decrypting, and injecting the final payload into the ieinstal.exe process. Additionally, a decoy PDF is downloaded and opened, displaying a "page not found" error while the malicious Remcos RAT operates in the background.
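A defender-side illustration of the chain above, added here and not part of the Morphisec or Cyware report: a small Python heuristic that, over constructed process-creation records, flags the two pivot points the summary names (a 32-bit PowerShell host, and ieinstal.exe started by PowerShell). The image paths and the event layout are assumptions for the demo.

```python
import re

# Constructed process-creation events for the demo (not taken from the report).
# Each record: process id, parent process id, full image path.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1,  "image": r"C:\Windows\explorer.exe"},
    # First-stage script runs in 64-bit PowerShell...
    {"pid": 15, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # ...and hands the second stage to the 32-bit (WOW64) host for the 32-bit shellcode
    {"pid": 20, "ppid": 15, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    # ieinstal.exe launched by that PowerShell: the injection target named in the report
    {"pid": 30, "ppid": 20, "image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"},
    # Ordinary 64-bit PowerShell from Explorer: should not fire
    {"pid": 40, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # ieinstal.exe with a non-PowerShell parent: should not fire
    {"pid": 50, "ppid": 10, "image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"},
]

# Heuristics tied to the chain described in the summary
WOW64_PS = re.compile(r"\\syswow64\\windowspowershell\\", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
INJECT_HOST = re.compile(r"\\ieinstal\.exe$", re.I)


def detect(events):
    """Return (pid, reason) pairs for events matching the loader-chain heuristics."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = e["image"]
        parent = by_pid.get(e["ppid"])
        # Rule 1: a 32-bit PowerShell host is rare on a 64-bit workstation
        if WOW64_PS.search(img):
            hits.append((e["pid"], "32-bit PowerShell host started"))
        # Rule 2: ieinstal.exe is not normally a child of PowerShell
        if INJECT_HOST.search(img) and parent and POWERSHELL.search(parent["image"]):
            hits.append((e["pid"], "ieinstal.exe spawned by PowerShell"))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Both rules are coarse on purpose; in production they would be joined with the rest of the chain (the password-protected PDF and the decoy download) to cut false positives.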

A bit on GuLoader

GuLoader was last observed in a campaign uncovered by Microsoft. While that campaign ultimately dropped Remcos RAT, GuLoader was in some cases used as the dropper.
  • The malware's developers employ a diverse range of techniques to thwart analysis efforts, further complicating the task of comprehending its inner workings.
  • GuLoader is, furthermore, known for its distribution of various malware families, including NetWire, Lokibot, XLoader, and Remcos. It employs trusted platforms such as Google Drive, OneDrive, and GCloud to download its payload.

The bottom line

GuLoader is increasingly prevalent as a malware loader within phishing campaigns. It stands out as one of the most sophisticated downloaders utilized at present, frequently retrieving its payload from cloud hosting platforms. Morphisec Labs has provided the IOCs, which defenders can use to defend against this threat, alongside implementing a robust cyber defense mechanism.
Cyware Publisher