GuLoader is an advanced shellcode downloader that uses anti-analysis tricks to evade detection and hinder reverse engineering, and its campaigns remained active through 2022. Trellix observed threat actors increasingly delivering GuLoader via NSIS-based installers embedded in archives and ISO images to target e-commerce organizations in South Korea and the United States. #GuLoader #NSIS #SouthKorea #UnitedStates #AgentTesla
Keypoints
- GuLoader is an advanced shellcode downloader employing anti-analysis techniques to evade detection and complicate reverse engineering.
- The campaign targeted Trellix customers in the e-commerce sector in South Korea and the United States.
- Threat actors embedded the NSIS executables in a variety of archive formats and ISO images, aiding both delivery and evasion.
- Early campaigns relied on Word macros dropping LNK and VBS to eventually execute GuLoader; subsequent campaigns moved to NSIS loaders.
- NSIS loader code evolved from straightforward scripts to obfuscated, XOR-decoded payloads with random file extensions and garbage code.
- GuLoader’s payloads vary and may include AgentTesla, LokiBot, NanoCore RAT, NetWire RAT, or other families downloaded by the loader.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – A zip attachment carries a Word document with a macro; the macro drops an LNK shortcut and a VBS script, the VBS drops a PE file, and that PE loads the GuLoader shellcode, which downloads the payload. “The zip file contains a Word Document with a macro. The macro drops a shortcut LNK and a VBS script. The VBS script drops a PE file and then the PE file loads the GuLoader shellcode to download a payload.”
- [T1036] Masquerading – In another variant, the NSIS executable is delivered inside a zip archive or an ISO image and poses as a sales inquiry for a quotation of products. “In another variant, the NSIS executable is embedded in an ISO image, and it pretends to be a sales inquiry for a quotation of products.”
- [T1027] Obfuscated/Compressed Files and Information – The NSIS scripts were obfuscated; the shellcode decoding evolved with XOR, random extensions, and concatenation of encrypted data. “The NSIS scripts were obfuscated. The shellcode filename extension was changed from .dat to a random filename extension. The obfuscated NSIS script introduced an XOR operation to decrypt another stage of NSIS code and garbage code were inserted.”
- [T1059] Command and Scripting Interpreter – One-line commands invoking powershell.exe or cmd.exe perform the XOR decoding of the payload. “one-line commands with powershell.exe or cmd.exe to perform the XOR decoding of the payload.”
- [T1055] Process Injection – The second-stage NSIS code calls CreateFileA, VirtualAlloc, ReadFile and CallWindowProcW to read the shellcode file into executable memory and run it. Note that CallWindowProcW invokes the buffer as a window-procedure callback inside the installer's own process, so this step is in-process shellcode execution via a Windows callback rather than injection into another process; detection logic should key on the VirtualAlloc/ReadFile/CallWindowProcW combination rather than on cross-process injection primitives. “the second stage NSIS code calls CreateFileA, VirtualAlloc, ReadFile and CallWindowProcW to run the GuLoader shellcode.”
- [T1105] Ingress Tool Transfer – The GuLoader shellcode downloads the final payload; the family delivered varies from campaign to campaign. “The payload to be downloaded by GuLoader varies, and potentially it might be AgentTesla, LokiBot, NanoCore RAT, NetWire RAT or a different malware family.”
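The XOR-decoded stage (T1027/T1059 above) and the CreateFileA → VirtualAlloc → ReadFile → CallWindowProcW chain (T1055 above) are the two things an analyst has to get past when triaging one of these installers. The following Python script is an added example, not code from the Trellix write-up: it brute-forces the single-byte XOR key of an encoded stage by ranking all 256 candidate decodes on their printable-text ratio (the same decode the cmd/PowerShell one-liners perform with a known key), then scans the decoded NSIS script for the loader call chain. The second-stage script text, the file name `Ayxe.xkz` and the key 0x5A are constructed for this example and are not real indicators; NSIS scripts obtained in practice would come from a decompiler (for instance the `[NSIS].nsi` that some 7-Zip versions write when extracting the installer).

```python
"""Triage helpers for NSIS-based GuLoader droppers (added example, constructed data).

scan_nsis_script()      - flag the System::Call chain CreateFileA -> VirtualAlloc ->
                          ReadFile -> CallWindowProcW in a decompiled NSIS script.
recover_single_byte_key() - rank all 256 one-byte XOR keys for an encoded stage by how
                          much printable text the decode produces.
"""
import re
import string

# The four API calls the report attributes to the second-stage NSIS code.
LOADER_CHAIN = ("CreateFileA", "VirtualAlloc", "ReadFile", "CallWindowProcW")

# System::Call 'dll::Function(...)' with any of the quote characters NSIS accepts.
SYSTEM_CALL_RE = re.compile(r"System::Call\s+['\"`]\s*(\w+)::(\w+)\s*\(", re.IGNORECASE)

PRINTABLE = frozenset(string.printable.encode("ascii"))


def extract_system_calls(script: str) -> list:
    """Return [(dll, function), ...] in the order they appear in the script."""
    return [(m.group(1).lower(), m.group(2)) for m in SYSTEM_CALL_RE.finditer(script)]


def chain_in_order(calls: list, chain: tuple = LOADER_CHAIN) -> bool:
    """True if every API in `chain` appears, in that order (other calls may sit between)."""
    names = [func for _, func in calls]
    pos = 0
    for api in chain:
        try:
            pos = names.index(api, pos) + 1
        except ValueError:
            return False
    return True


def scan_nsis_script(script: str) -> dict:
    """Summarise loader indicators found in a decompiled NSIS script."""
    calls = extract_system_calls(script)
    funcs = {func for _, func in calls}
    return {
        "apis_seen": [api for api in LOADER_CHAIN if api in funcs],
        "full_chain": chain_in_order(calls),
        # CallWindowProcW with a buffer pointer as the "window procedure" runs that buffer
        # as code inside the installer's own process: an in-process callback trigger.
        "callback_execution": "CallWindowProcW" in funcs and "VirtualAlloc" in funcs,
    }


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is what the cmd/PowerShell one-liners do."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def rank_single_byte_keys(blob: bytes, top: int = 3) -> list:
    """Rank all 256 one-byte keys by printable ratio of the decode, best first.

    Suitable when the hidden stage is text (NSIS, batch, PowerShell). For a binary
    stage such as the shellcode itself, score on something else (e.g. known prologue
    bytes) and expect ties on short inputs: always inspect the top few candidates.
    """
    scored = [(printable_ratio(xor_bytes(blob, bytes([k]))), k) for k in range(256)]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [k for _, k in scored[:top]]


def recover_single_byte_key(blob: bytes) -> int:
    return rank_single_byte_keys(blob, top=1)[0]


# Constructed sample: a decoded second stage as it might look after deobfuscation.
SAMPLE_STAGE2 = """; decoded stage 2 (constructed sample) ~
Var /GLOBAL f|
StrCpy $0 "$TEMP\\Ayxe.xkz"
System::Call 'kernel32::CreateFileA(t r0, i 0x80000000, i 0, p 0, i 3, i 0, p 0) p .r1'
System::Call 'kernel32::VirtualAlloc(p 0, i 0x100000, i 0x3000, i 0x40) p .r2'
System::Call 'kernel32::ReadFile(p r1, p r2, i 0x100000, *i .r3, p 0) i .r4'
System::Call 'user32::CallWindowProcW(p r2, p 0, i 0, p 0, p 0) i .r5'
"""

# Encode it with a constructed one-byte key, as the obfuscated variant stores its next stage.
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_bytes(SAMPLE_STAGE2.encode("ascii"), bytes([SAMPLE_KEY]))


def demo() -> dict:
    """Recover the key from the encoded blob, decode it, and scan the result."""
    key = recover_single_byte_key(SAMPLE_ENCODED)
    stage2 = xor_bytes(SAMPLE_ENCODED, bytes([key])).decode("ascii")
    report = scan_nsis_script(stage2)
    report["key"] = key
    return report


if __name__ == "__main__":
    print(demo())
```

The printable-ratio scorer is deliberately simple; on a real encoded stage it is usually enough to put the right key at the top of `rank_single_byte_keys`, but multi-byte keys or a binary next stage need a different scorer, so treat the ranking as a starting point and confirm by eye. The `full_chain` flag is ordered on purpose: VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40) followed by ReadFile into that buffer and a CallWindowProcW on it is a much stronger signal than any one of those calls alone, which legitimate NSIS plugins also use.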
Indicators of Compromise
- [URL] GuLoader payload URLs – https[:]//staninnovationgroupllc[.]com/MYFORMBOOK_eyHVNu169[.]bin, https[:]//drive[.]google[.]com/uc?export=download&id=1ffapdpLWKae2MES2ltCw9RdNejEAZDAQ, and other URLs
- [Domain] GuLoader domains – staninnovationgroupllc[.]com, drive[.]google[.]com (note that drive[.]google[.]com is a legitimate service abused for payload hosting, so pivot and block on the full download URL or file ID rather than the domain)
- [IP] GuLoader delivery IPs – 91[.]245[.]255[.]55, 37[.]120[.]222[.]192
- [MD5] GuLoader hashes – bd8d50eacc2cb7c6759fa5a62791e8d0, bffd0312e6151472c32be6dea6897b50, and other hashes
- [File Name] GuLoader payload filenames – MYFORMBOOK_eyHVNu169[.]bin, texas_TYBnb22[.]bin, and other filenames
Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html