GuLoader Campaign Targets Law Firms in the US

Since April, Morphisec Labs has been closely monitoring an active GuLoader campaign that primarily focuses on law firms, along with healthcare and investment firms, specifically within the United States. GuLoader, also known as Cloudeye, has been active for over three years, continuously evolving over time. Its developers employ a range of anti-analysis techniques, making it challenging for security researchers to analyze.

GuLoader has gained notoriety for its role in distributing numerous malware families, including NetWire, Lokibot, Xloader, Remcos, and others. It employs legitimate hosting services such as Google Drive, OneDrive, GCloud, and more to download the payload. In the campaign covered in this blog post, threat actors leveraged GuLoader to deliver Remcos RAT (remote access trojan) by utilizing `github.io` as the source for downloading the payload.

GuLoader-TargetedSectors
GuLoader Targeted sectors.

Infection Chain

Morphisec-GuLoaderInfectionChain

The PDF attachment appears to be locked and protected with a PIN, which the sender conveniently provides in the email. The lure message within the PDF suggests that the file needs to be decrypted for viewing. To initiate the decryption process, the victim is enticed to click on an icon embedded within the PDF.

GuLoader-PDFLure
Figure: PDF lures to click the icon and download payload.

This icon contains an embedded link, which once clicked, redirects the user to the final URL by utilizing a popular adclick service called DoubleClick, which is provided by Google. DoubleClick is widely used in online advertising and offers various capabilities, including the ability to track and gather statistics and metadata information on user clicks. In this context, it is likely employed by the threat actors to gain insights into the effectiveness of their malicious campaign. The redirected URL in the chain prompts the user to enter the PIN that was previously sent via email. Once the PIN is provided, a GuLoader VBScript is downloaded, marking the next stage of the attack.

GuLoaderVBScript
Figure: GuLoader VBScript download page secured with password.

The GuLoader VBScript is obfuscated and has junk code with random comments—this is how the code looks after omitting the redundant lines. The following script will decode and execute a Powershell script.

GuLoaderVBScript-2
Figure: GuLoader VBScript.

The Powershell script will decode and execute a 2^nd stage Powershell script using the 32-bit version of Powershell, as the GuLoader shellcode is 32-bit based.

GuLoader-1st-Stage-PowerShellScript
Figure: First stage Powershell script.

The 2^nd stage Powershell script contains XOR encoded strings that contain the logical code that is responsible for downloading the GuLoader shellcode.

GuLoader-2nd-Stage-PowerShellScript
Figure: Obfuscated second stage Powershell script.

This is a de-obfuscated, simplified form of the script, which downloads the GuLoader shellcode from `github.io` domain, base64 decodes it, and splits it into two parts:

Decrypting shellcode
Encrypted shellcode

Next, the shellcode is invoked by passing it as a callback function to `CallWindowProcA` along with the encrypted shellcode and `NtProtectVirtualMemory` as arguments.

GuLoader-2nd-Stage-PowerShellScript-2
Figure: Deobfuscated second stage Powershell script.

The GuLoader shellcode was reviewed in previous blog posts, and will not be covered in depth here. Fundamentally, the shellcode is responsible for downloading, decrypting and injecting the final payload into `ieinstal.exe` process. Including downloading and opening a decoy pdf that shows a page not found error while the malicious Remcos RAT is running in the background.

GuLoader-LurePDF-PayloadRunning
Figure: Lure PDF while payload is running in the background.

GuLoader is appearing more frequently as a malware loader in phishing campaigns. It’s one of the most advanced downloaders currently in use, and often downloads its payload from cloud hosting platforms. This campaign was a regular URL, however. Morphisec provides full protection against these and other malware loaders, such as InvalidPrinter.

How Morphisec helps

Morphisec’s Automated Moving Target Detection (AMTD) technology uses a preventative approach to cybersecurity, using an ultra-lightweight agent to block unauthorized processes (like GuLoader) deterministically, rather than probabilistically. Morphisec AMTD secures runtime memory and critical infrastructure, preventing unauthorized code from executing, regardless of whether a recognizable signature or behavior pattern exists. This protection extends to remote employees as well, and we encourage everyone to take advantage of our free trial to see Morphisec AMTD in action and how it protects critical systems against cyberattack.

The combination of detection-based tools with Moving Target Defense creates the most effective defense-in-depth against threats like GuLoader. To learn more, read the white paper: Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy.