Fortinet FortiGuard Labs analyzed a phishing email spoofing a Saudi Arabian oil company that lures a Ukrainian coffee company into downloading a GuLoader ISO via OneDrive. The static analysis shows the ISO contains a GuLoader NSIS installer with decoys and obfuscated components, setting the stage for further malware deployment (with dynamic analysis to be covered in Part 2). #GuLoader #NSIS
Keypoints
- The phishing email pretends to be from a Saudi oil company and uses a OneDrive link to deliver malware, illustrating a common lure pattern built around purchase orders and invoices.
- The downloaded file is an ISO (PO#23754-1.ISO) that mounts to reveal an NSIS-based installer (PO#23754-1.exe) designed to deploy GuLoader.
- GuLoader is a downloader/loader often used to deploy other malware families (Agent Tesla, Formbook, Lokibot) and is loaded via NSIS in this case.
- The NSIS script and related artifacts reveal decoys and encoded components (e.g., rudesbies.Par) intended to hinder analysis and tracing.
- A forged digital signature and untrusted root indicate attempts to mislead defenders about the file’s legitimacy.
- Fortinet protections and user-training offerings are highlighted as defenses against phishing and malware delivery.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – The email delivers its payload through a OneDrive cloud storage location. ‘The embedded “document” is instead a hypertext-linked image that connects to a Microsoft OneDrive cloud storage location.’
- [T1105] Ingress Tool Transfer – The ISO is downloaded from OneDrive, delivering the payload. ‘the file “PO#23754-1.ISO” is downloaded.’
- [T1027] Obfuscated/Compressed Files and Information – The NSIS/Par content is heavily encoded and obfuscated to hinder analysis. ‘the file is heavily encoded and therefore obfuscated from reading without further processing.’
- [T1547.001] Registry Run Keys/Startup Folder – The NSIS script creates a registry key to facilitate persistence. ‘creates the registry key “HKCU\Software\stemningsfulderes\DISINTENSIFI “Expand String Value” %WINDIR%\PARALLELIZING.log”’
- [T1055] Process Injection – The NSIS script reads rudesbies.Par into memory and uses Windows API calls to interact with memory and windows. ‘The script wishes to read “rudesbies.Par” into a memory buffer and then checks to see if a window exists for it. The calls are made to “System.dll”’
Indicators of Compromise
- [Domain] zoneofzenith[.]com – used in the From header of the phishing email
- [Domain] bounceclick[.]live – network delivery domain for the payload link
- [Email Address] info@zoneofzenith[.]com – from field in the spoofed email
- [Filename] PO#23754-1.ISO, PO#23754-1.exe – downloaded/received artifacts
- [SHA256] c4debff9c0ec8a56aea5cd97215c6c906bd475ea8bd521fb9a346a4c992a0448, 14d52119459ef12be3a2f9a3a6578ee3255580f679b1b54de0990b6ba403b0fe – hashes for the ISO and EXE respectively
- [Filename] rudesbies.Par – a component stored inside the NSIS deployment (and later analyzed)
Read more: https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader