Morphisec reports an active GuLoader (also known as Cloudeye) campaign targeting U.S. law firms, along with healthcare and investment firms, delivering Remcos RAT and other families via cloud hosting. The infection chain begins with a PIN-protected PDF lure, proceeds through a link redirected via DoubleClick, and uses a VBScript/PowerShell sequence to fetch and execute the final shellcode. #GuLoader #Cloudeye #Remcos #USLawFirms
Keypoints
- Active since April, the GuLoader campaign targets U.S. law firms, healthcare, and investment firms.
- GuLoader (Cloudeye) is a long-running downloader that employs anti-analysis techniques.
- The campaign uses legitimate cloud hosting and specifically a github.io source to download payloads.
- The infection chain starts with a PIN-protected PDF lure whose message claims the file must be decrypted for viewing, and it leads to a VBScript download.
- The VBScript is obfuscated and triggers a two-stage PowerShell sequence to fetch and run shellcode from github.io.
- The final shellcode injects into ieinstal.exe and runs Remcos RAT with a decoy PDF visible in the background.
- Morphisec promotes Automated Moving Target Defense (AMTD) and a defense-in-depth approach against such loaders.
MITRE Techniques
- [T1566.001] Phishing – The PDF lure is used to entice the user to engage with a locked PIN-protected document. Quote: ‘The PDF attachment appears to be locked and protected with a PIN, which the sender conveniently provides in the email. The lure message within the PDF suggests that the file needs to be decrypted for viewing.’
- [T1059.005] VBScript – The GuLoader VBScript is used to download and execute further stages. Quote: ‘The GuLoader VBScript is obfuscated and has junk code with random comments—this is how the code looks after omitting the redundant lines.’
- [T1059.001] PowerShell – The first-stage script decodes and executes a second-stage PowerShell script; the second stage contains XOR-encoded strings to download shellcode. Quote: ‘The Powershell script will decode and execute a 2nd stage Powershell script using the 32-bit version of Powershell.’
- [T1105] Ingress Tool Transfer – The shellcode is downloaded from github.io, base64 decoded, and split into two parts (decrypting shellcode and encrypted shellcode). Quote: ‘decrypting shellcode’ and ‘encrypted shellcode’.
- [T1055] Process Injection – The shellcode is invoked by passing it to CallWindowProcA with the encrypted shellcode and NtProtectVirtualMemory as arguments. Quote: ‘Next, the shellcode is invoked by passing it as a callback function to CallWindowProcA along with the encrypted shellcode and NtProtectVirtualMemory as arguments.’
- [T1027] Obfuscated/Compressed Files and Information – The VBScript is obfuscated with junk code, illustrating data and code obfuscation used to hinder analysis. Quote: ‘The GuLoader VBScript is obfuscated and has junk code with random comments…’
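The technique entries above describe one execution chain: a script host running the VBScript, PowerShell launching the 32-bit PowerShell, and the final stage ending up in ieinstal.exe. The following is an added detection example, not code from the Morphisec report: it walks constructed process-creation events (a simplified Sysmon Event ID 1 shape; field names, PIDs, paths and command lines are all invented here) and flags the two parent-child relationships the report makes observable, while leaving ordinary admin PowerShell alone.

```python
"""Flag the GuLoader execution chain in constructed process telemetry.

Two relationships from the report are checked:
  1. a 32-bit PowerShell (SysWOW64 on 64-bit Windows) whose ancestry
     includes a Windows script host (wscript.exe / cscript.exe);
  2. ieinstal.exe spawned directly by PowerShell.
All events below are constructed for this example; they are not
telemetry from the campaign.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (assumed paths; ieinstal.exe location is an assumption).
EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "Acrobat.exe Invoice.pdf"),
    ProcEvent(300, 100, r"C:\Windows\System32\wscript.exe",
              'wscript.exe "C:\\Users\\u\\Downloads\\Invoice.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -e <base64 omitted>"),
    ProcEvent(500, 400, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoP -w hidden"),
    ProcEvent(600, 500, r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe", "ieinstal.exe"),
    # Benign admin activity that must not be flagged.
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-Service"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_32bit_powershell(ev: ProcEvent) -> bool:
    """On 64-bit Windows the 32-bit PowerShell host lives under SysWOW64."""
    return basename(ev.image) in POWERSHELL and "\\syswow64\\" in ev.image.lower()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Yield parent, grandparent, ... (guarding against PID-reuse cycles)."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def find_guloader_chains(events: list) -> list:
    """Return one finding per matching process, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        anc_names = [basename(a.image) for a in ancestors(ev, by_pid)]
        chain = [*reversed(anc_names), name]        # root ... -> this process
        if is_32bit_powershell(ev) and SCRIPT_HOSTS & set(anc_names):
            findings.append({"pid": ev.pid, "rule": "script_host_to_32bit_powershell",
                             "chain": chain, "cmdline": ev.cmdline})
        if name == "ieinstal.exe" and anc_names and anc_names[0] in POWERSHELL:
            findings.append({"pid": ev.pid, "rule": "powershell_spawns_ieinstal",
                             "chain": chain, "cmdline": ev.cmdline})
    return findings


if __name__ == "__main__":
    for f in find_guloader_chains(EVENTS):
        print(f["rule"], f["pid"], " -> ".join(f["chain"]))
```

The parent-chain walk matters more than any single command line: the report notes the first-stage PowerShell is encoded and the second stage is XOR-obfuscated, so string matching on arguments is fragile, whereas a script host leading to the SysWOW64 PowerShell host and PowerShell spawning ieinstal.exe are structural facts of the chain.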
Indicators of Compromise
- [PDF Hash] PDF files – 06b3c92f9718da323c4d3a18d69629696dc5f799a7ddaef4e7415d117b345af4, 2438bfe409fb32b18fca95f95fff85a778502553ce627d0f25e54653c84e0e0c
- [VBS Hash] VBS – a3855846b501325a4b11cbc27fac9f845a56c91e088edbd75fb5ab651f913ede, 60d70005c38b331cd46b8af0f8e3d8cf181bdf43fb685a1962b1e26e085a6e2a
- [URL] URLs – quickcheckx[.]github.io/quickme/Udgan.u32, quickcheckx[.]github.io/quickme/KmJiw22.bin
- [URL] URL – zeusblog[.]cloud/Adobe.pdf
- [C2] Domains – apdfhost[.]online
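The indicators above are published defanged (`[.]` in place of `.`) and mixed by type on each line. As an added example (not part of the original digest), the parser below takes that list verbatim, refangs it, classifies each value as a SHA-256 hash, URL or domain, and derives the set of domains worth blocking, including the hosts behind the URLs. Handling of `hxxp`/`[:]` is an assumption covering common defang conventions, not something this list uses.

```python
"""Parse a defanged IoC list of the form used above into typed indicators."""
import re

# The indicator lines exactly as published on the page.
IOC_TEXT = """\
- [PDF Hash] PDF files – 06b3c92f9718da323c4d3a18d69629696dc5f799a7ddaef4e7415d117b345af4, 2438bfe409fb32b18fca95f95fff85a778502553ce627d0f25e54653c84e0e0c
- [VBS Hash] VBS – a3855846b501325a4b11cbc27fac9f845a56c91e088edbd75fb5ab651f913ede, 60d70005c38b331cd46b8af0f8e3d8cf181bdf43fb685a1962b1e26e085a6e2a
- [URL] URLs – quickcheckx[.]github.io/quickme/Udgan.u32, quickcheckx[.]github.io/quickme/KmJiw22.bin
- [URL] URL – zeusblog[.]cloud/Adobe.pdf
- [C2] Domains – apdfhost[.]online
"""

# "- [label] description – value, value"
LINE_RE = re.compile(r"^-\s*\[(?P<label>[^\]]+)\]\s*(?P<desc>.*?)\s*[–-]\s*(?P<values>.+)$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo common defanging: [.] -> ., [:] -> :, hxxp -> http (assumed conventions)."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def classify(value: str) -> str:
    """Coarse type of a refanged indicator."""
    if SHA256_RE.match(value.lower()):
        return "sha256"
    if "/" in value:
        return "url"
    return "domain"


def url_host(url: str) -> str:
    """Host part of a scheme-less or scheme-bearing URL."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def parse_iocs(text: str) -> dict:
    """Return {"sha256": [...], "url": [...], "domain": [...], "labels": {value: label}}."""
    out = {"sha256": [], "url": [], "domain": [], "labels": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headings or unrelated lines
        for raw in m.group("values").split(","):
            if not raw.strip():
                continue
            value = refang(raw)
            kind = classify(value)
            value = value.lower() if kind != "url" else value
            out[kind].append(value)
            out["labels"][value] = m.group("label")
    return out


def blocklist_domains(iocs: dict) -> set:
    """Domains to block: listed domains plus the hosts of listed URLs."""
    return set(iocs["domain"]) | {url_host(u) for u in iocs["url"]}


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for kind in ("sha256", "url", "domain"):
        print(kind, parsed[kind])
    print("block:", sorted(blocklist_domains(parsed)))
```

Keeping the refanged value and its original label together lets the hash list go to a file-scanning control and the host list to DNS or proxy blocking without retyping defanged strings by hand, which is where copy errors in indicators usually creep in.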
Read more: https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us