Monday, July 15, 2024

GuLoader Malware is Attacking Law Firms Using Weaponized PDF File

The cybersecurity researchers at Morphisec Labs have been tracking the GuLoader campaign since April of this year and found that it has been actively targeting the law firms that are based in the US along with several other sectors like:-

  • Healthcare
  • Investment firms
Targeted sectors (Source – Morphisec)

For more than three years, GuLoader (aka ‘Cloudeye’) has been active, still keeps evolving, and employs diverse anti-analysis methods, posing challenges to security analysts to analyze it.

GuLoader, infamous for distributing multiple malware families, such as:-

  • NetWire
  • Lokibot
  • Xloader
  • Remcos

The GuLoader downloads the payload by using trusted platforms like:-

  • Google Drive
  • OneDrive
  • GCloud

In this campaign, the operators of GuLoader used ‘’ as the download source to deliver the Remcos RAT (remote access trojan).

GuLoader Malware Infection Chain

Encrypted PDF attachment comes with a PIN provided in the email for decryption, luring the victim to click on an embedded icon and initiate the process.

Encrypted PDF (Source – Morphisec)

Once the icon is clicked, it redirects users to the final URL through Google’s popular adclick service, DoubleClick, extensively utilized in online ads for tracking and gathering statistics and metadata on user clicks.

Download page for GuLoader VBScript secured with password (Source – Morphisec)

The threat actors likely use it to assess their malicious campaign’s effectiveness. The user is prompted to enter the previously sent PIN in the redirected URL, and upon providing the PIN, a GuLoader VBScript is downloaded to proceed further.

The GuLoader VBScript contains obfuscation, random comments, and redundant lines omitted. Here, the resulting code decodes and a Powershell script is executed.

Infection chain (Source – Morphisec)

Using the 32-bit version of Powershell, the Powershell script decodes and runs a 2nd stage Powershell script. This 2nd stage script contains XOR-encoded strings, which are responsible for downloading the GuLoader shellcode due to the presence of logical code.

Here the GuLoader shellcode is split into two parts which are fetched from  ‘’ and here they are mentioned below:-

  • Decrypting shellcode
  • Encrypted shellcode

Later it’s invoked with encrypted shellcode and ‘NtProtectVirtualMemory’ as arguments by passing it as a callback function to ‘CallWindowProcA’. The core role of the shellcode is to inject the final payload into ‘ieinstal.exe’ process by downloading and decrypting it. 

Moreover, it also fetches and opens a malicious PDF that triggers and runs the Remcos RAT in the background and presents a “404 Page not found” error.

Page not found error (Source – Morphisec)

In phishing campaigns, GuLoader frequently emerges as a malware loader. Among the most advanced downloaders, it fetches payloads from cloud hosting platforms, and surprisingly, this campaign used a regular URL.

“AI-based email security measures Protect your business From Email Threats!” – .


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles