GUloader is a stealthy malware loader that evades detection through polymorphic code and encryption, enabling persistent infiltration. McAfee Labs details a campaign in which a malicious SVG file delivered by email drops a ZIP containing a WSF; the WSF uses PowerShell to fetch hosted content and inject shellcode into MSBuild, which drops additional payloads. #GUloader #WSF #PowerShell #MSBuild #ProcessHollowing #SVG #EquitablyMix #WindersWonders #McAfeeLabs
Keypoints
- GUloader uses evasion techniques, including polymorphic code and encryption, to avoid detection.
- A malicious SVG file delivered by email acts as the initial lure for infection.
- The SVG chain drops a ZIP that contains a Windows Script File (WSF) used to execute further stages.
- The WSF invokes PowerShell to connect to a malicious domain and retrieve hosted content.
- Shellcode is injected into the MSBuild process via Process Hollowing, enabling persistence and execution.
- The final stage downloads and executes additional malware variants, with persistence via a registry Run key.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – A recipient receives a spam email that contains malware embedded in archived attachments. ‘A recipient receives a spam email that contains malware embedded in archived attachments.’
- [T1059.007] Windows Script – The WSF script employs several techniques to make analysis quite difficult. ‘The WSF script employs several techniques to make analysis quite difficult.’
- [T1059.001] PowerShell – PowerShell is invoked to establish a connection with a malicious domain and execute the hosted content. ‘establish a connection with a malicious domain and execute the hosted content.’
- [T1132] Data Encoding – The content is base64-encoded and decoded to reveal shellcode and a PowerShell script. ‘host base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.’
- [T1027] Obfuscated/Compressed Files and Information – The WSF script is obfuscated to hinder analysis. ‘obfuscated WSF Script.’
- [T1055.012] Process Hollowing – The PowerShell output loads shellcode into the MSBuild process using Process Hollowing. ‘the shellcode executes … using the Process Hollowing technique.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via modifying the Run key in the Registry. ‘modifies the Registry run key to achieve persistence.’
- [T1105] Ingress Tool Transfer – The final malicious executable is downloaded and executed. ‘download and execute the final malicious executable.’
- [T1071.001] Web Protocols – The malware communicates with a malicious domain to fetch and execute hosted content. ‘connect with a malicious domain and execute the hosted content.’
- [T1497.001] Virtualization/Sandbox Evasion – Anti-analysis checks are performed to hinder analysis. ‘anti-analysis check.’
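Detection logic for the chain mapped above, as an added example that is not part of the McAfee report or this summary: it runs over constructed process-creation and registry-set events (field names are assumptions loosely modelled on Sysmon telemetry) and flags the WSF-to-PowerShell hand-off, PowerShell starting MSBuild, and a Run-key write from that process lineage.

```python
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = "\\currentversion\\run\\"

# Constructed sample telemetry (not from the report); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\lure.wsf"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc QQBB"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"type": "registry", "pid": 400,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]


def lineage(procs: Dict[int, dict], pid: int) -> List[str]:
    """Return lower-cased image names from pid up to the root (loop-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings for the three stages of the chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            img = e["image"].lower()
            parent = procs.get(e["ppid"])
            pimg = parent["image"].lower() if parent else ""
            # Stage 1: a script host running a .wsf launches PowerShell.
            if pimg in SCRIPT_HOSTS and ".wsf" in parent["cmdline"].lower() and img == "powershell.exe":
                findings.append(("wsf_spawns_powershell", e["pid"]))
            # Stage 2: PowerShell starts MSBuild.exe, the process-hollowing host.
            if pimg == "powershell.exe" and img == "msbuild.exe":
                findings.append(("powershell_spawns_msbuild", e["pid"]))
        elif e["type"] == "registry" and RUN_KEY in e["key"].lower():
            # Stage 3: Run-key persistence written by a process descended from a script host.
            if SCRIPT_HOSTS & set(lineage(procs, e["pid"])):
                findings.append(("run_key_from_script_host_lineage", e["pid"]))
    return findings
```

The benign `powershell.exe Get-Date` launched from Explorer produces no finding, so the rules key on parent-child relationships rather than on PowerShell alone.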
Indicators of Compromise
- [Email] Malicious email attachment hash – 66b04a8aaa06695fd718a7d1baa19386922b58e797634d5ac4ff96e79584f5c1
- [File Hash] SVG – b20ea4faca043274bfbb1f52895c02a15cd0c81a333c40de32ed7ddd2b9b60c0
- [File Hash] WSF – 0a196171571adc8eb9edb164b44b7918f83a8425ec3328d9ebbec14d7e9e5d93
- [File Name] dhgle-Skljdf.svg – SVG file name embedded in the attack chain
- [URL] hxxps://winderswonders[.]com/JK/Equitably[.]mix
- [Domain] winderswonders.com – Malicious domain referenced in the campaign