Malspam Campaign Uses GuLoader
GuLoader is a downloader made by CloudEye, an Italian firm, that is used by threat actors to distribute malware. CloudEye was exposed by Check Point and usage dropped after the increase in publicity, but GuLoader activity has risen again, as seen in this malspam campaign. GuLoader originated from DarkEye, a tool used to prevent reverse engineering of code, which evolved into CloudEye. Malwarebytes states that GuLoader and CloudEye have been effective at evading sandboxes and security products, including network-based detection. This means GuLoader can be executed without detection in various environments, which is what made it famous. On July 11, 2020, CloudEye announced it was resuming sales after having stopped all accounts for about a month.
The malspam itself was caught using a DHL-style phishing lure to drop GuLoader. Attached to the fake DHL email was an ISO file, which can be mounted as a virtual drive and which contains an executable written in Visual Basic. Executing GuLoader connects to a server to download the payload. Using PE-Sieve, Malwarebytes was able to reconstruct the encrypted payload as a standalone executable, allowing the shellcode in memory to be saved to disk for analysis. That analysis reveals it to be the FormBook information stealer, which is consistent with the type of activity seen with GuLoader. Malwarebytes also believes that one threat group is behind this malspam and is spreading it both with and without GuLoader.
The popularity of GuLoader will fuel other malware campaigns and other versions of the tool, and a newer version is expected in the future. Preventing campaigns like these requires good operational security: do not open attachments from unsolicited or suspicious emails without verifying the authenticity of the sender. Sysadmins should remove traces of GuLoader when it is detected, assess what information might have been stolen, and act accordingly. Malwarebytes has posted indicators of compromise that aid detection and response; see their article for the full details.
Sources:
Indicators of Compromise:
- GuLoader
  - DHL_AWB_INV_9882900_99862788_998.exe
  - 8a13de21c0cb1d10e4ee93394794e0714f4a58994be543ac94592b6f8abc53dc
- Shellcode loaded by GuLoader
  - fbdoskitryupanel.webredirect[.]org/uploud/5bab0b1d864615bab0b1d864b3/bin_koLHz220.bin
  - 45.76.45[.]167
- Decoded shellcode into binary
  - 7b4d3b6eb50a072d36f6233aeb56352735c59dd54ba54d6e6fbca6b23a1739d5
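As an added example (not code from the Malwarebytes article), the indicators listed above turned into a small triage check: refang the defanged values, then match hosts against a proxy log and file hashes against a host inventory. The log layout `<timestamp> <client-ip> <method> <url>` and all sample lines and paths are constructed assumptions, not a real product format.

```python
import re

# Indicators exactly as listed on this page (defanged with "[.]").
DEFANGED_IOCS = {
    "sha256": {
        "8a13de21c0cb1d10e4ee93394794e0714f4a58994be543ac94592b6f8abc53dc",  # GuLoader dropper
        "7b4d3b6eb50a072d36f6233aeb56352735c59dd54ba54d6e6fbca6b23a1739d5",  # decoded shellcode
    },
    "url": {"fbdoskitryupanel.webredirect[.]org/uploud/5bab0b1d864615bab0b1d864b3/bin_koLHz220.bin"},
    "ip": {"45.76.45[.]167"},
}

def refang(value: str) -> str:
    """Undo the defanging used in IoC lists so the value matches real log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_matchers(defanged: dict) -> dict:
    """Reduce the IoC set to lowercase hash and host sets for exact matching."""
    hosts = {refang(u).split("/", 1)[0].lower() for u in defanged["url"]}
    hosts |= {refang(ip) for ip in defanged["ip"]}
    return {"sha256": {h.lower() for h in defanged["sha256"]}, "hosts": hosts}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")
def scan_proxy_log(lines, matchers):
    """Return (timestamp, client, host) for every request to a known GuLoader host.
    Assumed layout: '<timestamp> <client-ip> <method> <url>' (constructed)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0].split(":")[0].lower()
        if host in matchers["hosts"]:
            hits.append((m["ts"], m["src"], host))
    return hits

def scan_hashes(inventory, matchers):
    """Return (path, sha256) for files whose hash is in the IoC list (case-insensitive)."""
    return [(p, h) for p, h in inventory.items() if h.lower() in matchers["sha256"]]
# Constructed sample data: two requests to the IoC hosts, one benign, one malformed line.
SAMPLE_LOG = [
    "2020-07-15T09:12:03Z 10.0.0.23 GET http://fbdoskitryupanel.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_koLHz220.bin",
    "2020-07-15T09:12:04Z 10.0.0.23 GET http://45.76.45.167/uploud/bin_koLHz220.bin",
    "2020-07-15T09:13:10Z 10.0.0.45 GET https://www.example.com/index.html",
    "malformed line",
]
SAMPLE_INVENTORY = {  # path -> sha256 (constructed); first hash is the page's GuLoader sample, uppercased
    "C:/Users/alice/Downloads/DHL_AWB_INV_9882900_99862788_998.exe": "8A13DE21C0CB1D10E4EE93394794E0714F4A58994BE543AC94592B6F8ABC53DC",
    "C:/Windows/notepad.exe": "0" * 64,
}
```

Run `build_matchers(DEFANGED_IOCS)` once and feed the result to both scanners; the proxy scan reports the client that fetched the shellcode and the hash scan reports the dropper on disk.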