US Law Firms Targeted by GuLoader Campaign
Hey there! If you’re a part of the bustling cybersecurity world or work in the healthcare or legal fields, you won’t want to miss this. There has been a significant increase in the GuLoader campaign activity – yes, the dreaded malware distributor – in our glorious United States since last April. The hackers are mostly eyeing the law, healthcare and investment firms for their devious acts. Fascinating, right? Now let’s dive in and dissect this in simple terms, shall we?
For those of you not familiar with GuLoader, it’s quite a piece of work, having been a thorn in our sides for over three years now. It’s known for skillfully dishing out malware like candy from a piñata, with its partners in crime including, but not limited to, NetWire, Lokibot, Xloader and Remcos. What’s really unnerving is its use of legitimate hosting services like Google Drive, OneDrive, and GCloud to download its payloads right under our noses!
Recently, this devious gang has been found using ‘github.io’ as the source. They cleverly deliver the dreadful remote access trojan (RAT) Remcos via our unsuspecting friend, GuLoader. It’s like a Pandora’s box: you don’t know what you’re dealing with until it’s too late.
Did I tell you about their oh-so-sneaky PDF attachments? Sometimes it’s a file they say needs to be viewed; other times it’s a locked PDF secured with a PIN that they’ve so kindly provided in the email. The bait? They tell you that the file can only be viewed after decryption, enticing you to click a clickable icon embedded in the file.
Now the plot thickens, my friends! Once you’ve taken the bait and clicked that icon, you are redirected to another URL by an ad-click service (DoubleClick in this case). It’s like a rollercoaster! At the end of the ride, you’re prompted to enter that PIN they emailed you earlier. Voila! The download finishes, a GuLoader VBScript lands on your system, and the attack begins.
For the tech geeks, I bet you can’t wait to get your hands on this obfuscated VBScript! It’s padded with junk code and random comments, and its job is to decode and execute a PowerShell script. It launches the 32-bit version of PowerShell, since the GuLoader shellcode is 32-bit. I can see your eyes lighting up!
That PowerShell script in turn produces a second-stage PowerShell script containing XOR-encoded strings. Fancy, right? This bit is essentially the brain behind downloading the GuLoader shellcode.
Without boring you with any more technical mumbo-jumbo, let me get straight to the point. In a nutshell, this sneaky script downloads and decodes the GuLoader shellcode before splitting it into two parts: the decrypting shellcode and the encrypted shellcode. But what does it do? It pulls the payload down into a process while showing a “page not found” error, so the Remcos RAT runs undisturbed in the background. Creepy, isn’t it?
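As an added defender-side example (my own code, not from the original report), here is a small Python checker that reads constructed process-creation log lines and flags two features of the chain described above: a Windows Script Host (wscript.exe/cscript.exe) launching PowerShell, and PowerShell running from SysWOW64, i.e. the 32-bit build on a 64-bit host. The log field names and sample values are assumptions, not real telemetry.

```python
import json
from pathlib import PureWindowsPath
# Constructed sample events (assumed EDR/Sysmon-style field names), not from the post.
SAMPLE_EVENTS = [
    r'{"host":"wks-07","parent_image":"C:\\Windows\\System32\\wscript.exe",'
    r'"image":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    r'{"host":"wks-03","parent_image":"C:\\Windows\\explorer.exe",'
    r'"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    r'{"host":"wks-11","parent_image":"C:\\Windows\\System32\\cmd.exe",'
    r'"image":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    'not json at all',
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def _name(path):
    # Case-insensitive file name of a Windows path (PureWindowsPath works on any OS).
    return PureWindowsPath(path).name.lower()

def _is_wow64(path):
    # SysWOW64 exists only on 64-bit Windows and holds the 32-bit binaries.
    return "\\syswow64\\" in path.lower()

def classify(event):
    """Return the names of the rules one process-creation event matches."""
    image_path = event.get("image", "")
    parent, image = _name(event.get("parent_image", "")), _name(image_path)
    hits = []
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")   # VBScript -> PowerShell stage
    if image in POWERSHELL and _is_wow64(image_path):
        hits.append("32bit_powershell_on_64bit_host")  # 32-bit shellcode needs it
    return hits

def analyze(lines):
    """Parse JSON log lines; both rules on one event is rated high, one is medium."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        hits = classify(event)
        if hits:
            findings.append({"host": event.get("host", "?"), "rules": hits,
                             "severity": "high" if len(hits) == 2 else "medium"})
    return findings
```

Calling `analyze(SAMPLE_EVENTS)` rates the wscript.exe-to-SysWOW64-PowerShell event high, while cmd.exe launching 32-bit PowerShell alone is only medium, since 32-bit PowerShell also has legitimate uses.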
In recent times, we’ve seen GuLoader starring more frequently as the lead antagonist in numerous phishing campaigns, making full use of its advanced features and leaning on cloud platforms to host its payloads.
Conclusion? Cyber attackers employ sneaky tactics to infiltrate your systems. They are proficient and persistent, and an effective defense requires both attentiveness and technological assistance. Cybersecurity isn’t just black hat hackers and VPNs; it has levels that make Inception look simple. But remember, knowledge is power, especially in the field of cybersecurity. So stay sharp, friends!
by Morgan Phisher