GuLoader, also known as CloudEyE, targeted the financial sector via a tax-themed phishing lure and delivered Remcos RAT through a multi-stage PowerShell/VBS chain. eSentire’s TRU team documented the attack, including phishing, registry-based persistence, in-memory shellcode, and Remcos C2 communications. #GuLoader #CloudEyE #Remcos #RemcosRAT #Kaseya #more_eggs #TaxThemedPhishing
Keypoints
- GuLoader (CloudEyE) is a loader malware capable of delivering additional malware such as infostealers and Remote Access Trojans (RATs) and uses numerous anti-analysis techniques.
- In March 2022, GuLoader targeted the financial sector with a tax-themed phishing email that linked to a password-protected ZIP containing a decoy image and a file masquerading as a PDF.
- A shortcut file leverages PowerShell to download further payloads from a remote server, as shown by the report's example of the spawned PowerShell one-liner.
- The obfuscated VBS writes the base64-encoded GuLoader shellcode to an obfuscated registry value and launches the payload via PowerShell.
- GuLoader persists via Registry Run Keys, placing an obfuscated PowerShell script in HKCU:State to load the shellcode in memory.
- The shellcode retrieves the Remcos RAT from a remote web server and injects it into a legitimate ieinstal.exe process; C2 activity was observed through Remcos traffic.
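The chain summarised above leaves two registry artefacts a defender can hunt for: a Run-key value that launches PowerShell to read and base64-decode another registry value, and the registry value holding the encoded shellcode itself. The script below is an added example written for this summary, not eSentire's detection content or GuLoader's code; it scores constructed Run-key entries against generic heuristics (hidden PowerShell window, base64 decoding, registry reads, large binary-looking base64 values) and links a launcher to the key it reads. The key paths, value names and sample data are constructed for illustration; the real campaign's key names are not reproduced here.

```python
"""Heuristic triage of registry values for the 'shellcode stored in the
registry, loaded by a PowerShell Run-key one-liner' pattern.
Constructed example: the indicator weights, key paths and sample entries
are assumptions for illustration, not vendor detection content."""
import base64
import binascii
import re

# Indicator -> (pattern, weight). Weights are illustrative, not calibrated.
INDICATORS = {
    "powershell_launcher": (re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I), 1),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    "encoded_command": (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    "registry_read": (re.compile(r"Get-ItemProperty(?:Value)?|HK(?:CU|LM):|reg(?:\.exe)?\s+query", re.I), 2),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 2),
    "script_host": (re.compile(r"\b(?:wscript|cscript|mshta)(?:\.exe)?\b", re.I), 1),
    "memory_api": (re.compile(r"VirtualAlloc|CreateThread|\bMarshal\b", re.I), 3),
}
BLOB_WEIGHT = 5          # a large binary-looking base64 value is notable on its own
ALERT_THRESHOLD = 5
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HIVE_PATH_RE = re.compile(r"(HK(?:CU|LM)):?\\([^'\"\s)]+)", re.I)


def looks_like_binary_blob(data: str, min_len: int = 1024) -> bool:
    """True when a value is long, strictly base64, and decodes to mostly
    non-printable bytes (shellcode/PE-like rather than text or a certificate)."""
    if len(data) < min_len or not B64_RE.match(data):
        return False
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    non_printable = sum(1 for b in raw if b < 32 or b > 126)
    return non_printable / len(raw) > 0.3


def triage_value(key_path: str, name: str, data: str) -> dict:
    """Score one registry value; 'alert' is a triage flag, not a verdict."""
    hits = [tag for tag, (rx, _) in INDICATORS.items() if rx.search(data)]
    score = sum(INDICATORS[tag][1] for tag in hits)
    if looks_like_binary_blob(data):
        hits.append("large_base64_blob")
        score += BLOB_WEIGHT
    return {"key": key_path, "name": name, "data": data, "hits": hits,
            "score": score, "alert": score >= ALERT_THRESHOLD}


def triage_entries(entries) -> list:
    return [triage_value(*entry) for entry in entries]


def correlate(results: list) -> list:
    """Mark launcher entries that reference a key found to hold a binary blob,
    which ties the Run-key one-liner to its in-registry payload."""
    blob_keys = {r["key"].lower() for r in results if "large_base64_blob" in r["hits"]}
    for r in results:
        refs = [f"{hive}\\{path}".lower() for hive, path in HIVE_PATH_RE.findall(r["data"])]
        r["reads_blob_key"] = any(ref in blob_keys for ref in refs)
    return results


# Constructed sample registry values (key path, value name, value data).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (RUN_KEY, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "Updater",
     'powershell.exe -w hidden -c "$b=[Convert]::FromBase64String('
     '(Get-ItemProperty \'HKCU:\\Software\\Example\').Blob)"'),
    (r"HKCU\Software\Example", "Blob",
     base64.b64encode(bytes(range(256)) * 8).decode()),   # binary-looking blob
]

if __name__ == "__main__":
    for r in correlate(triage_entries(SAMPLE_ENTRIES)):
        flag = "ALERT" if r["alert"] else "ok   "
        link = " (reads blob key)" if r["reads_blob_key"] else ""
        print(f"{flag} {r['key']}\\{r['name']} score={r['score']} hits={r['hits']}{link}")
```

On a live host the entries would come from a registry export or an EDR's autorun telemetry; the scoring is deliberately generic so that a renamed value or a different key path still trips the same heuristics, and the blob check is what separates an encoded payload store from the ordinary long base64 values (certificates, icon caches) that Windows itself writes.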
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – Used a tax-themed phishing email to deliver payloads. ‘In March 2022, TRU observed GuLoader targeting the financial sector via the phishing email using a tax-themed lure.’
- [T1059.001] PowerShell – The shortcut file leverages PowerShell to retrieve additional payloads from the website. ‘The shortcut file leverages PowerShell to retrieve additional payloads from the website. Here is the example of the spawned PowerShell one-liner command: …’
- [T1059.005] VBScript – The obfuscated VBS script writes base64-encoded shellcode to registry and executes GuLoader via PowerShell. ‘The obfuscated VBS script is responsible for writing the base64-encoded GuLoader shellcode payload to registry keys and executing the GuLoader payload via PowerShell (Figures 5-6).’
- [T1027] Obfuscated/Compressed Files and Information – The malware uses obfuscated VBS and XOR-encoded scripts to conceal its payload. ‘The most recent GuLoader malware variant uses obfuscated VBS and PowerShell to drop and inject additional malware, such as Remcos RAT, into a legitimate process, making it difficult to detect.’
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via Run Keys. ‘GuLoader achieves persistence via Registry Run Keys (Figure 7).’
- [T1055] Process Injection – The shellcode is injected into a legitimate process (ieinstal.exe). ‘injects it into the ieinstal.exe process.’
- [T1071.001] Web Protocols – Remcos RAT C2 communications via a web server. ‘The shellcode retrieves the Remcos RAT from the web server … and injects it into the ieinstal.exe process.’
- [T1105] Ingress Tool Transfer – Downloading payloads from remote servers. ‘The command retrieves the VBS file from the encoded domain that translates to hxxp://109.206.240[.]67/xlog/Blotlg.vbs.’
Indicators of Compromise
- [File] Blotlg.vbs – d79593a6fb6c636a50334085b9d6018b
- [File] info.pdf – cc6440a764050a8adf530efe2a989d25
- [File] PowerShell obfuscated script – d2b6255b7076eb754921121489804fee
- [File] Shellcode – dfb72ba81b0f765d1676f856d6af82c7
- [File] Decrypted shellcode – d7baac59e5aa6122621c31f0afb49119
- [IP Address] 109.206.240[.]67 – C2/host for payload retrieval (opendir)
- [Domain] xlongactive[.]su – Remcos RAT C2
- [File] Password-protected ZIP archive – fa0b3b0e5b7b5aa9a2da7bebbc15ab0e944d984b