GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader | McAfee Blog

GuLoader (GULoader) campaigns deploy a highly evasive shellcode-based loader using NSIS-based installers delivered via malspam, incorporating XOR-encoded payloads and anti-analysis tricks. The article outlines a three-stage infection chain—shellcode deployment, environment checks with Vectored Exception Handling and process hollowing for code injection, and final payload deployment (Vidar, Raccoon, Remcos) from a CDN.

Keypoints

  • The campaigns use NSIS scriptable installers packed with malicious assets and junk data to evade detection, delivered via malspam.
  • The NSIS archive contains an encoded GULoader shellcode that is XOR-encoded and padded with junk data for anti-analysis.
  • A DLL-based loader drops two DLLs in the user’s TEMP folder, with one consistently named system.dll and the other varying.
  • The loader uses Vectored Exception Handling (VEH) to hijack execution flow and thwart analysis; the article details the exception handler logic and how it manipulates EIP to redirect execution.
  • Stage 2 performs extensive anti-analysis checks (runtime padding, QEMU detection, string decoding, API resolution) before injecting into a new process.
  • Stage 3 deploys the final payload by decoding a CDN-delivered module, using quasi-key generation and memory mapping into a remote process, often loading Vidar/Raccoon/Remcos families.
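As an added illustration (not code from the article or from McAfee), the following detection logic correlates two of the loader behaviours listed above, a system.dll dropped under the user's TEMP folder and a CasPol.exe child spawned in a suspended state, over constructed process and file events. The event schema and the `suspended` field are assumptions standing in for whatever an EDR feed provides.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the article); the field names
# are an assumed, simplified EDR-style schema.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Users\u\Downloads\invoice.exe"},
    {"type": "file_create", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\nsz8F3A.tmp\system.dll"},
    {"type": "file_create", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\nsz8F3A.tmp\Hkzc.dll"},
    {"type": "process_create", "pid": 4200, "ppid": 4100, "suspended": True,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"},
    # Benign noise: a normal process start that must not be flagged.
    {"type": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe"},
]

# system.dll written anywhere below %LOCALAPPDATA%\Temp (NSIS plugin drop).
TEMP_SYSTEM_DLL = re.compile(r"\\AppData\\Local\\Temp\\.*\\system\.dll$", re.IGNORECASE)
# Hollowing host named in the article; extend this set for other observed hosts.
HOLLOW_TARGETS = {"caspol.exe"}


def find_guloader_chains(events):
    """Return {dropper_pid: [suspended CasPol.exe child pids]} for processes that
    both drop system.dll in TEMP and spawn a suspended hollowing target."""
    droppers = set()
    spawns = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_create" and TEMP_SYSTEM_DLL.search(ev["path"]):
            droppers.add(ev["pid"])
        elif ev["type"] == "process_create":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in HOLLOW_TARGETS and ev.get("suspended"):
                spawns[ev["ppid"]].append(ev["pid"])
    # Require both behaviours on the same parent to keep false positives low.
    return {pid: spawns[pid] for pid in droppers if pid in spawns}


if __name__ == "__main__":
    print(find_guloader_chains(SAMPLE_EVENTS))
```

Either behaviour alone (an NSIS installer dropping system.dll, or a suspended CasPol.exe) is too common to alert on; the correlation on the same parent process is what makes the rule useful.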

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Malspam delivery of NSIS installers to execute the GU shellcode on victims. Quote: ‘NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.’
  • [T1027] Obfuscated/Compressed Files and Information – Junk data used for AV evasion and XOR-encoded shellcode. Quote: ‘junk data is used as Anti-AV / AV Evasion technique. … it’s a simple XOR encoding.’
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks, including sandbox/VM detection (e.g., QEMU), to avoid analysis. Quote: ‘Checks if qemu is installed on the system by checking the installation path.’
  • [T1036] Masquerading – File names within the loader suggest legitimate-looking names (e.g., system.dll) to hide malicious activity. Quote: ‘Two DLL files are dropped in user’s TEMP directory, in all analyzed samples one DLL has a consistent name of system.dll and name of the other one varies.’
  • [T1055.012] Process Hollowing – Stage 2 describes a variation of the process hollowing technique where a benign process is spawned in a suspended state and overwritten with malicious content. Quote: ‘variation of the process hollowing technique, where a benign process is spawned in a suspended state by the malware stager process and proceeds to overwrite the original content present in the suspended process with malicious content.’

Indicators of Compromise

  • [Hash] 889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56 – Final payloads observed in GULoader campaigns.
  • [Hash] 59b71cb2c5a14186a5069d7935ebe28486f49b7961bddac0a818a021373a44a3 – Another loader-related artifact found in samples.
  • [Hash] 4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2 – Additional payload decodings observed.
  • [Hash] c8006013fc6a90d635f394c91637eae12706f58897a6489d40e663f46996c664 – Encoded shellcode and final payloads tracked.
  • [Hash] c69e558e5526feeb00ab90efe764fb0b93b3a09692659d1a57c652da81f1d123 – Embedded key / quasi-key generation artifacts.
  • [Hash] 45156ac4b40b7537f4e003d9f925746b848a939b2362753f6edbcc794ea8b36a – Final PE payload memory-resident in target process.
  • [Hash] e68ce815ac0211303d2c38ccbb5ccead144909d295230df4b7a419dfdea12782 – XOR-encoded data and decoding routines observed.
  • [Hash] b24b36641fef3acbf3b643967d408b10bf8abfe1fe1f99d704a9a19f1dfc77e8 – Additional IOCs tied to loader stages.
  • [Hash] 569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb – CDN-delivered payload indicators.
  • [Hash] 60de2308ebfeadadc3e401300172013be27af5b7d816c49696bb3dedc208c54e – Memory regions and shellcode buffers observed during stage 3.
  • [Hash] 23458977440cccb8ac7d0d05c238d087d90f5bf1c42157fb3a161d41b741c39d – Additional shellcode and IAT relocation artifacts.
  • [File] system.dll – DLL dropped in TEMP; used to allocate memory and deploy shellcode. Quote: ‘The system.dll has the following exports as shown in the image below. The function named “Call” is being used to deploy the shellcode on victim’s system’.
  • [File] CasPol.exe – Process into which stage 3 shellcode is injected and executed. Quote: ‘The shellcode is injected into the remote CasPol.exe process to initiate stage 3.’
  • [File] iertutil.dll – Loaded to back a memory section for Stage 3. Quote: ‘The Gu loader retrieves a handle to the file “C:\Windows\SysWOW64\iertutil.dll” which is used in section creation.’
  • [File] psapi.dll – Referenced in code that identifies function addresses during shellcode decoding. Quote: ‘psapi.dll … this string is used in fetching addresses of various functions to employ anti-analysis.’
  • [Process] CasPol.exe (stage 2/3 host process) – Used as the target for memory mapping and shellcode execution. Quote: ‘The final payload resumes execution from within the hollowed stage3 process.’
  • [URL] CDN server – Used to deliver the final payload (size 2E640 bytes). Quote: ‘The response from the content delivery network (cdn) server where the final payload is stored.’

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/