GuLoader: Evolving Tactics in Latest Campaign Targeting European Industry

Researchers from Cado Security Labs documented a campaign abusing GuLoader to deliver Remote Access Trojans to European industrial and engineering companies. The campaign uses spearphishing emails with archive attachments and multi-stage PowerShell obfuscation to evade detection and deploy RATs such as Remcos, NetWire, and AgentTesla. #GuLoader #Remcos #NetWire #AgentTesla #Romania #Poland #Germany #Kazakhstan #EuropeanIndustry

Key points

  • Spearphishing emails with archive attachments are used to gain initial access to European industrial targets.
  • Obfuscated PowerShell and multi-stage deobfuscation routines hinder static and dynamic analysis.
  • The downloader performs process injection, using in-memory allocation and execution routines to run its shellcode inside legitimate processes.
  • Registry-based persistence and 32/64-bit PowerShell handling demonstrate deliberate evasion and resilience.
  • Final payloads are RATs delivered through compromised processes, highlighting a targeted industry campaign.

MITRE Techniques

  • [T1566.001] Phishing: Malicious Attachment – Used via spearphishing emails with archive attachments to gain initial access. ‘The emails typically include order inquiries and contain an archive file attachment (iso, 7z, gzip, rar).’
  • [T1055] Process Injection – The second shellcode is injected into the legitimate ‘msiexec.exe’ process to execute payloads. ‘The second shellcode is injected into the legitimate msiexec.exe process and appears to be reaching out to a domain to retrieve an additional payload.’
  • [T1204.002] User Execution: Malicious File – The first stage is a batch file compressed in the archive from the email attachment. ‘The first stage of GuLoader is a batch file that is compressed in the archive from the email attachment.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The second shellcode stores the original PowerShell script in a registry value named ‘Mannas’ under HKCU\Software\Procentagiveless for persistence, and stores the path to the 32-bit PowerShell executable as ‘Frenetic’ under HKCU\Environment. ‘the second shellcode adds the original PowerShell script as a Registry Key “Mannas” in HKCU/Software/Procentagiveless for persistence, with the path to PowerShell 32 bit executable stored as “Frenetic” in HKCU\Environment;’
  • [T1140] Deobfuscate/Decode Files or Information – Obfuscated PowerShell strings are deobfuscated through functions like Boendes to reveal later stages. ‘The obfuscated script contains strings that are deobfuscated through a function “Boendes”… After deobfuscating, the functionality of the script is clearer.’
  • [T1622] Debugger Evasion – The malware employs anti-debugging techniques to hinder analysis. ‘The first shellcode includes multiple anti-debugging techniques that make static and dynamic analysis difficult.’
  • [T1001.001] Junk Code – Obfuscation includes junk code to impede analysis. ‘Junk Code’
  • [T1105] Ingress Tool Transfer – The second stage reaches out to a domain to retrieve an additional payload. ‘the second shellcode is injected into… and appears to be reaching out to a domain to retrieve an additional payload’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The campaign uses PowerShell scripts for the loader and additional payloads. ‘This Powershell script contains the function “Aromastofs” that is used to invoke the provided expressions.’
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – The campaign employs time-based evasion tactics to evade analysis. ‘Virtualization/Sandbox Evasion: Time Based Evasion’
  • [T1071.001] Application Layer Protocol: Web Protocols – The loader communicates over web protocols to fetch the final payload. ‘Application Layer Protocol: Web Protocols’
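As an added hunting example (not code from the Darktrace/Cado write-up), the PowerShell below checks a user hive for the two persistence artefacts the T1547.001 item above names. It assumes the key and value names are exactly as reported (‘Procentagiveless’, ‘Mannas’, ‘Frenetic’) and that ‘Frenetic’ holds a filesystem path.

```powershell
# Hunting check for the GuLoader registry persistence described in the report.
# Assumption: key/value names match the report verbatim; both live under HKCU,
# so this inspects the current user's hive only.
$findings = @()

# 1. Stored PowerShell script in HKCU\Software\Procentagiveless\Mannas
$persistKey = 'HKCU:\Software\Procentagiveless'
if (Test-Path $persistKey) {
    $mannas = Get-ItemProperty -Path $persistKey -Name 'Mannas' -ErrorAction SilentlyContinue
    if ($mannas) {
        $script  = [string]$mannas.Mannas
        $preview = $script.Substring(0, [Math]::Min(80, $script.Length))
        $findings += [pscustomobject]@{
            Artefact = "$persistKey\Mannas"
            Detail   = "stored script, $($script.Length) chars, starts: $preview"
        }
    } else {
        # The key alone is already anomalous: it is not a product or Windows key.
        $findings += [pscustomobject]@{ Artefact = $persistKey; Detail = 'key present, no Mannas value' }
    }
}

# 2. Path to the 32-bit PowerShell host in HKCU\Environment\Frenetic
$envKey   = 'HKCU:\Environment'
$frenetic = Get-ItemProperty -Path $envKey -Name 'Frenetic' -ErrorAction SilentlyContinue
if ($frenetic) {
    $path   = [string]$frenetic.Frenetic
    $detail = "value points to '$path'"
    # The report notes deliberate 32-bit PowerShell handling; call out a WOW64 host path.
    if ($path -match 'SysWOW64\\WindowsPowerShell') { $detail += ' (32-bit PowerShell host)' }
    $findings += [pscustomobject]@{ Artefact = "$envKey\Frenetic"; Detail = $detail }
}

if ($findings.Count -eq 0) {
    Write-Output 'No GuLoader registry persistence artefacts found in HKCU.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Because both artefacts are per-user, run it in each user's context (or iterate the loaded hives under HKEY_USERS) to cover a whole host.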

Indicators of Compromise

  • [IP Address] Context – 91.109.20.161, 137.184.191.215
  • [IP Address] Context – 185.248.196.6
  • [Domain] Context – filedn.com, careerfinder.ro
  • [URL] Context – https://filedn.com/lK8iuOs2ybqy4Dz6sat9kSz/Frihandelsaftalen40.fla, https://careerfinder.ro/vn/Traurigheder.sea
  • [File] Context – ZW_PCCE-010023024001.bat, ORDER_1ST.bat
  • [Hash] Context – 36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374, 26500af5772702324f07c58b04ff703958e7e0b57493276ba91c8fa87b7794ff

Read more: https://darktrace.com/blog/guloader-evolving-tactics-in-latest-campaign-targeting-european-industry