GuLoader (Guloader) has operated since 2019 as a downloader, distributing via spam with encrypted payloads hosted on cloud services. It commonly delivers AgentTesla, FormBook, and NanoCore, and leverages Google Drive, Microsoft OneDrive, and attacker-controlled sites to store payloads. #GuLoader #Guloader #AgentTesla #FormBook #NanoCore #GoogleDrive #OneDrive #VBScript
Keypoints
- GuLoader has operated since 2019 as a downloader, spreading through spam campaigns with malicious archived attachments and encrypted payloads on cloud storage.
- Payloads typically include AgentTesla, FormBook, and NanoCore, downloaded from Google Drive, OneDrive, and attacker-controlled websites.
- The downloader avoids network detection by using legitimate file-sharing sites that are often not filtered in corporate environments.
- In October 2022, GuLoader campaigns delivered AgentTesla, an information stealer known for harvesting data from browsers, FTP clients, and file downloaders.
- GuLoader is delivered packed or encrypted to evade security software and establishes persistence by modifying system settings, creating registry entries, and adding startup items.
- GuLoader has been active for over three years; its latest variants feature anti-analysis techniques and often receive zero detections on VirusTotal.
- The payload is fully encrypted, including the PE headers, which lets it sit on cloud storage without being taken down and evade traditional AV scanning; earlier versions were VB6 binaries with encrypted shellcode, while newer variants rely on VBScript and NSIS installer-based loaders.
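The fully encrypted payload described above has no recognizable file header and near-maximal byte entropy, which is itself a triage signal when such a blob arrives from a file-sharing host. The following is an added example for a proxy or sandbox post-processing step, not code from the advisory; the hostnames, the 7.5-bit entropy threshold and the sample blobs are constructed assumptions to tune against your own logs.

```python
import math
import random
from collections import Counter
from urllib.parse import urlparse

# Cloud file-sharing hosts the advisory names as payload storage.
# Assumption: illustrative hostnames, extend from your own proxy logs.
CLOUD_SHARE_HOSTS = {"drive.google.com", "docs.google.com",
                     "onedrive.live.com", "1drv.ms"}

# Common file signatures; a fully encrypted payload matches none of them.
MAGIC_PREFIXES = {
    b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x7fELF": "elf",
    b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif", b"Rar!": "rar",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes):
    """Return the signature name if the blob starts with a known magic."""
    for prefix, name in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            return name
    return None


def classify_download(url: str, data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag headerless, high-entropy blobs fetched from cloud file shares.
    This is a triage heuristic: encrypted backups or random test data from a
    share will also trip it, so treat the verdict as a lead, not a block."""
    host = (urlparse(url).hostname or "").lower()
    magic = identify_magic(data)
    ent = shannon_entropy(data)
    suspicious = (host in CLOUD_SHARE_HOSTS and magic is None
                  and len(data) >= 1024 and ent >= entropy_threshold)
    return {"host": host, "magic": magic, "entropy": round(ent, 3),
            "suspicious": suspicious}


# Constructed samples: a seeded RNG stands in for an encrypted payload, and a
# zero-padded "MZ" stub stands in for a plain, unencrypted PE download.
_rng = random.Random(1337)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_PE_STUB = b"MZ" + b"\x00" * 4094
```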
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “GuLoader spreads through spam campaigns with malicious archived attachments.”
- [T1105] Ingress Tool Transfer – “The encrypted payloads of this downloader are usually saved on Google Drive. It also acquired its payloads from Microsoft OneDrive and an attacker-controlled website.”
- [T1059.005] VBScript – “The VBScript variant, in particular, stores the shellcode on a remote server, further complicating detection and analysis.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Once it has successfully installed itself on a system, it will attempt to establish persistence by modifying system settings, creating registry entries, and adding itself to startup items.”
- [T1027] Obfuscated Files and Information – “The fully encrypted payload, which includes the PE headers.”
- [T1555.003] Credentials from Web Browsers – “AgentTesla is renowned for stealing data from a variety of target workstations’ apps, including browsers, FTP clients, and file downloaders.”
Indicators of Compromise
- [MD5] GuLoader samples – 0f6332cf27b69c905d1416977371373e, 7d70c0691e2ed8ed946a7f731713fd5f and 5 more hashes
- [SHA-256] GuLoader samples – cb6b6df06cb8d4fdb05eda7ff2e480875efb3b91c54c58f848b1059bda8917bb, 7215c91eac7c5a00db0ca079dff9cdafeaa4e70d235e622f72ad87e4091d606b and 5 more hashes
- [SHA-1] GuLoader samples – 367a54c2fc952b363026b4ea1b896711838fb597, d45b38f21e2cebadd4eae6de377fb2561f4a42b5 and 5 more hashes
Read more: https://www.rewterz.com/threat-advisory/guloader-malspam-campaign-active-iocs-3