The cybersecurity researchers at Morphisec Labs have been tracking the GuLoader campaign since April of this year and found that it has been actively targeting the law firms that are based in the US along with several other sectors like:-
For more than three years, GuLoader (aka ‘Cloudeye’) has been active, still keeps evolving, and employs diverse anti-analysis methods, posing challenges to security analysts to analyze it.
GuLoader, infamous for distributing multiple malware families, such as:-
The GuLoader downloads the payload by using trusted platforms like:-
In this campaign, the operators of GuLoader used ‘github.io’ as the download source to deliver the Remcos RAT (remote access trojan).
Encrypted PDF attachment comes with a PIN provided in the email for decryption, luring the victim to click on an embedded icon and initiate the process.
Once the icon is clicked, it redirects users to the final URL through Google’s popular adclick service, DoubleClick, extensively utilized in online ads for tracking and gathering statistics and metadata on user clicks.
The threat actors likely use it to assess their malicious campaign’s effectiveness. The user is prompted to enter the previously sent PIN in the redirected URL, and upon providing the PIN, a GuLoader VBScript is downloaded to proceed further.
The GuLoader VBScript contains obfuscation, random comments, and redundant lines omitted. Here, the resulting code decodes and a Powershell script is executed.
Using the 32-bit version of Powershell, the Powershell script decodes and runs a 2nd stage Powershell script. This 2nd stage script contains XOR-encoded strings, which are responsible for downloading the GuLoader shellcode due to the presence of logical code.
Here the GuLoader shellcode is split into two parts which are fetched from ‘github.io’ and here they are mentioned below:-
Later it’s invoked with encrypted shellcode and ‘NtProtectVirtualMemory’ as arguments by passing it as a callback function to ‘CallWindowProcA’. The core role of the shellcode is to inject the final payload into ‘ieinstal.exe’ process by downloading and decrypting it.
Moreover, it also fetches and opens a malicious PDF that triggers and runs the Remcos RAT in the background and presents a “404 Page not found” error.
In phishing campaigns, GuLoader frequently emerges as a malware loader. Among the most advanced downloaders, it fetches payloads from cloud hosting platforms, and surprisingly, this campaign used a regular URL.
“AI-based email security measures Protect your business From Email Threats!” – .
In a recent development, the SPAWNCHIMERA malware family has been identified exploiting the buffer overflow…
A significant vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified, allowing attackers…
Chinese cybersecurity entities have accused the U.S. National Security Agency (NSA) of orchestrating a cyberattack…
The ACRStealer malware, an infostealer disguised as illegal software such as cracks and keygens, has…
A security vulnerability in Nagios XI 2024R1.2.2, tracked as CVE-2024-54961, has been disclosed, allowing unauthenticated…
Ubiquiti Networks has issued an urgent security advisory (Bulletin 046) warning of multiple critical vulnerabilities…