Cado Security Labs recently discovered a GuLoader campaign targeting European industrial and engineering companies. GuLoader is an evasive shellcode downloader used to deliver Remote Access Trojans (RAT) that has been used by threat actors since 2019 and continues to advance.
Cado identified a number of spearphishing emails sent to electronic manufacturing, engineering and industrial companies in European countries including Romania, Poland, Germany and Kazakhstan. The emails typically include order inquiries and contain an archive file attachment (iso, 7z, gzip, rar). The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order.
The first stage of GuLoader is a batch file that is compressed in the archive from the email attachment. As shown in Figure 1, the batch file contains an obfuscated Powershell script, which is done to evade detection.
Figure 1 - Obfuscated Powershell
The obfuscated script contains strings that are deobfuscated through a function “Boendes” (in this sample) that contains a for loop that takes every fifth character, with the rest of the characters being junk. After deobfuscating, the functionality of the script is clearer. These values can be retrieved by debugging the script, however deobfuscating with Script 1 in the Scripts section, makes it easier to read for static analysis.
Figure 2 - Deobfuscated Powershell
This Powershell script contains the function “Aromastofs” that is used to invoke the provided expressions. A secondary file is downloaded from “https://careerfinder[.]ro” and saved as “Knighting.Pro” in the user’s AppData/Roaming folder. The content retrieved from “Kighting.Pro” is decoded from Base64, converted to ASCII and selected from position 324537, with the length 29555. This is stored as “$Nongalactic” and contains more Powershell.
Figure 3 - Second Powershell script
Figure 4 - Deobfuscated Secondary Powershell
As seen in Figure 4, the secondary Powershell is obfuscated in the same manner as before with the function “Boendes”. The script begins with checking which Powershell is being used 32 or 64 bit. If 64 bit is in use, a 32 bit Powershell process is spawned to execute the script, and to enable 32 bit processes later in the chain.
The function named “Brevsprkkernes” is a secondary obfuscation function. The function takes the obfuscated hex string, converts to a byte array, applies XOR with a key of 173 and converts to ASCII. This obfuscation is used to evade detection and analysis more difficult. Again, these values can be retrieved with debugging however for readability, using Script 2 in the Scripts section makes it easier to read.
Figure 5 - Obfuscated Hex Strings
Figure 6 - Deobfuscated Powershell Strings
Figure 7 - Deobfuscated Process Injection
The second Powershell script contains functionality to allocate memory via VirtualAlloc and to execute shellcode. VirtualAlloc is a native Windows API function that allows programs to allocate, reserve, or commit memory in a specified process. Threat actors commonly use VirtualAlloc to allocate memory for malicious code execution, making it harder for security solutions to detect or prevent code injection. The variable “$Bakteriekulturs” contains the bytes that were stored in “AppData/Roaming/Knighting.Pro” and converted from Base64 in the first part of the Powershell Script. Marshall::Copy is used to copy the first 657 bytes of that file, which is the first shellcode. Marshall.Copy is a method that enables the transfer of data between unmanaged memory and managed arrays, allowing data exchange between managed and unmanaged code. Marshal.Copy is typically abused to inject or manipulate malicious payloads in memory, bypassing traditional detection by directly accessing and modifying memory regions used by applications. Marshall::Copy is used again to copy bytes 657 to 323880 as a second shellcode.
Figure 8 - First Shellcode
The first shellcode includes multiple anti-debugging techniques that make static and dynamic analysis difficult. There have been multiple evolutions of GuLoader’s evasive techniques that have been documented. The main functionality of the first shellcode is to load and decrypt the second shellcode. The second shellcode adds the original Powershell script as a Registry Key “Mannas” in HKCU/Software/Procentagiveless for persistence, with the path to Powershell 32 bit executable stored as “Frenetic” in HKCU\Environment; however these values change per sample.
Figure 9 - Registry Key created for Powershell Script
Figure 10 - Powershell 32 bit added to Registry
The second shellcode is injected into the legitimate “msiexec.exe” process and appears to be reaching out to a domain to retrieve an additional payload, however at the time of analysis this request returns a 404. Based on previous research of GuLoader, the final payload is usually a RAT including Remcos, NetWire, and AgentTesla.
Figure 11 - msiexec abused to retrieve additional payload
Guloader malware continues to adapt its techniques to evade detection to deliver RATs. Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures. To counter Guloader and other threats, organizations must stay vigilant and employ a robust security plan.
Script 1 to deobfuscate junk characters
|
import re |
Script 2 to deobfuscate hex strings obfuscation (note this will need values changed based on sample)
|
import re |
GuLoader Scripts
| File Name | Sha256 |
|
ZW_PCCE-010023024001.bat |
36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374 |
|
ORDER_1ST.bat |
26500af5772702324f07c58b04ff703958e7e0b57493276ba91c8fa87b7794ff |
|
IMG465244247443 GULF ORDER Opmagasinering.cmd |
40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216 |
|
EXSP 5634 HISP9005 ST MSDS DOKUME74247linierelet.bat |
e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3 |
|
LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat |
4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959 |
|
Quotation_final_buy_order_list_2024_po_nos_ART125673211020240000000000024.bat |
661f5870a5d8675719b95f123fa27c46bfcedd45001ce3479a9252b653940540 |
|
MEC20241022001.bat |
33ed102236533c8b01a224bd5ffb220cecc32900285d2984d4e41803f1b2b58d |
|
nMEC20241022001.iso |
9617fa7894af55085e09a06b1b91488af37b8159b22616dfd5c74e6b9a081739 |
|
Gescanneerde lijst met artikelen nr. 654398.bat |
f5feabf1c367774dc162c3e29b88bf32e48b997a318e8dd03a081d7bfe6d3eb5 |
|
DHL_Shipping_Invoices_Awb_BL_000000000102220242247820020031808174Global180030010222024.cmd |
f78319fcb16312d69c6d2e42689254dff3cb875315f7b2111f5c3d2b4947ab50 |
|
Order Confirmation.bat |
949cdd89ed5fb2da03c53b0e724a4d97c898c62995e03c48cbd8456502e39e57 |
|
SKM_0001810-01-2024-GL-3762.bat |
9493ad437ea4b55629ee0a8d18141977c2632de42349a995730112727549f40e |
|
21102024_0029_18102024_SKM_0001810-01-2024-GL-3762.iso |
535dd8d9554487f66050e2f751c9f9681dadae795120bb33c3db9f71aafb472c |
|
\Device\CdRom1\MARSS-FILTRY_ZW015010024.BAT |
e5ebe4d8925853fc1f233a5a6f7aa29fd8a7fa3a8ad27471c7d525a70f4461b6 |
|
Myologist.cmd |
51244e77587847280079e7db8cfdff143a16772fb465285b9098558b266c6b3f |
|
SKU_0001710-1-2024-SX-3762.bat |
643cd5ba1ac50f5aa2a4c852b902152ffc61916dc39bd162f20283a0ecef39fe |
|
Stamcafeernes.cmd |
54b8b9c01ce6f58eb6314c67f3acb32d7c3c96e70c10b9d35effabb7e227952e |
|
C:\Users\user\AppData\Local\Temp\j4phhdbc.lti\Bank details Form.bat |
c1f810194395ff53044e3ef87829f6dff63a283c568be4a83088483b6c043ec8 |
|
SKGCRO COMANDA FAB SRL M60_647746748846748347474.bat |
8dd5fd174ee703a43ab5084fdaba84d074152e46b84d588bf63f9d5cd2f673d1 |
|
DHL_Shipping_Invoices_Awb_BL_000000000101620242247820020031808174Global180030010162024.bat |
bde5f995304e327d522291bf9886c987223a51a299b80ab62229fcc5e9d09f62 |
|
Ciwies.cmd |
b1be65efa06eb610ae0426ba7ac7f534dcb3090cd763dc8642ca0ede7a339ce7 |
|
Zamówienie Agotech Begyndelsesord.cmd |
18c0a772f0142bc8e5fb0c8931c0ba4c9e680ff97d7ceb8c496f68dea376f9da |
|
SKM_0001810-01-2024-GL-3762.iso |
4a4c0918bdacd60e792a814ddacc5dc7edb83644268611313cb9b453991ac628 |
|
C:\Users\user\AppData\Local\Temp\Stemmeslugerens.bat |
8bedbdaa09eefac7845278d83a08b17249913e484575be3a9c61cf6c70837fd2 |
|
Agotech Zamówienie Fjeldkammes325545235562377.bat |
ff6c4c8d899df66b551c84124e73c1f3ffa04a4d348940f983cf73b2709895d3 |
|
Agotech Zamówienie Fjeldkammes3255452355623.bat |
f3e046a7769b9c977053dd32ebc1b0e1bbfe3c61789d2b8d54e51083c3d0bed5 |
|
SKU_0001710-1-2024-SX-3762.iso |
0546b035a94953d33a5c6d04bdc9521b49b2a98a51d38481b1f35667f5449326 |
|
SKU_0001710-1-2024-SX-3762.bat |
4f1b5d4bb6d0a7227948fb7ebb7765f3eb4b26288b52356453b74ea530111520 |
|
DOKUMENTEN_TOBIAS.bat |
038113f802ef095d8036e86e5c6b2cb8bc1529e18f34828bcf5f99b4cc012d6a |
|
IMEG238668289485293885823085802835025Urfjeld.bat |
6977043d30d8c1c5024669115590b8fd154905e01ab1f2832b2408d1dc811164 |
|
SKM_C250i24100408500.iso |
6370cbcb1ac3941321f93dd0939d5daba0658fb8c85c732a6022cc0ec8f0f082 |
|
SKU_0001710-1-2024-SX-3762.iso |
7f06382b781a8ba0d3f46614f8463f8857f0ade67e0f77606b8d918909ad37c2 |
|
\Device\CdRom1\ORDINE ELECTRICAS BC CORP PO EDC0969388.BAT |
e98fa3828fa02209415640c41194875c1496bc6f0ca15902479b012243d37c47 |
|
Quote Request #2359 Bogota.msg |
0f0dfe8c5085924e5ab722fa01ea182569872532a6162547a2e87a1d2780f902 |
|
ORDER.1ST.bat |
48dca5f3a12d3952531b05b556c30accafbf9a3c6cda3ec517e4700d5845ab61 |
|
Fortryl105.cmd |
f43b78e4dc3cba2ee9c6f0f764f97841c43419059691d670ca930ce84fb7143b |
|
SMX-0002607-1-2024-UP-3762.iso |
a60dbbe88a1c4857f009a3c06a2641332d41dfd89726dd5f2c6e500f7b25b751 |
|
Quotation_final_buy_order_list_2024_po_nos_ART1256731610202400000000000.cmd |
efd80337104f2acde5c8f3820549110ad40f1aa9b494da9a356938103bda82e7 |
|
a60dbbe88a1c4857f009a3c06a2641332d41dfd89726dd5f2c6e500f7b25b751.iso |
0327db7b754a16a7ae29265e7d8daed7a1caa4920d5151d779e96cd1536f2fbe |
|
MARSS-FILTRY_ZW015010024.iso |
c415127bde80302a851240a169fff0592e864d2f93e9a21c7fd775fdb4788145 |
|
SKM_C250i24100408500.bat |
36c464519a4cce8d0fcdb22a8974923fd51d915075eba9e62ade54a9c396844d |
|
UPM-0002607-1-2024-UP-3762.iso |
e9fc754844df1a7196a001ac3dfbcf28b80397a718a3ceb8d397378a6375ff62 |
|
Comanda KOMARON TRADE SRL 435635Lukketid.bat |
1bf09bcb5bfa440fc6ce5c1d3f310fb274737248bf9acdd28bea98c9163a745a |
|
311861751714730477170144.bat |
f87448d722e160584e40feaad0769e170056a21588679094f7d58879cdb23623 |
|
Estimate_buy_product_purchase_order_import_list_10_10_2024_000000101024.cmd |
f20670ed0cdc2d9a2a75884548e6e6a3857bbf66cfbfb4afe04a3354da9067c9 |
|
PAYMENT TERM.bat |
4c90504c86f1e77b0a75a1c7408adf1144f2a0e3661c20f2bf28d168e3408429 |
|
Arbitrre.cmd |
8ef4cb5ad7d5053c031690b9d04d64ba5d0d90f7bf8ba5e74cb169b5388e92c5 |
|
KZЗапрос продукта SKM_32532667622352352Arvehygiejnikernes.bat |
4ddd3369a51621b0009b6d993126fcb74b52e72f8cacd71fcbc401cda03108cb |
|
Order_AP568.bat |
fda4e04894089be87f520144d8a6141074d63d33b29beb28fd042b0ecc06fbbc |
|
C:\Users\user\Documents\ConnectWiseControl\Temp\Blodprocenternes.cmd |
e5f5d9855be34b44ad4c9b1c5722d1a6dff2f4a6878a874df1209d813aea7094 |
|
Productivenesses.cmd |
a7268e906b86f7c1bb926278bf88811cb12189de0db42616e5bbb3dc426a4ef5 |
|
Doktriner.cmd |
74d468acd0493a6c5d72387c8e225cc0243ae1a331cd1e2d38f75ed8812347dd |
|
final_buy_product_purchase_order_import_list_11_10_2024_000000111024.cmd |
a2127d63bc0204c17d4657e5ae6930cab6ab33ae3e65b82e285a8757f39c4da9 |
|
ORDER_U769.bat |
b45d9b5dbe09b2ca45d66432925842b0f698c9d269d3c7b5148cc26bdc2a92d0 |
|
Beschwerde-Rechtsanwalt.bat |
229c4ce294708561801b16eed5a155c8cfe8c965ea99ac3cfb4717a35a1492f3 |
|
upit nr5634 10_08_2024.cmd |
5854d9536371389fb0f1152ebc1479266d36ec4e06b174619502a6db1b593d71 |
|
C:\Users\user\AppData\Local\Temp\Doktriner.cmd |
140dcb39308d044e3e90610c65a08e0abc6a3ac22f0c9797971f0c652bb29add |
|
Fedtsyresammenstning.cmd |
0b1c44b202ede2e731b2d9ee64c2ce333764fbff17273af831576a09fc9debfa |
|
HENIKENPLANT PROJECT PROPOSAL BID_24-0976·pdf.cmd |
31a72d94b14bf63b07d66d023ced28092b9253c92b6e68397469d092c2ffb4a6 |
|
MAIN ORDER.bat |
85d1877ceda7c04125ca6383228ee158062301ae2b4e4a4a698ef8ed94165c7c |
|
Narudzba ACH0036173.bat |
8d7324d66484383eba389bc2a8a6d4e9c4cb68bfec45d887b7766573a306af68 |
|
Sludger.cmd |
45b7b8772d9fe59d7df359468e3510df1c914af41bd122eeb5a408d045399a14 |
|
Glasmester.bat |
b0e69f895f7b0bc859df7536d78c2983d7ed0ac1d66c243f44793e57d346049d |
|
PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.cmd |
09a3bb4be0a502684bd37135a9e2cbaa3ea0140a208af680f7019811b37d28d6 |
|
C:\Users\user\Documents\ConnectWiseControl\Temp\Bidcock.cmd |
0996e7b37e8b41ff0799996dd96b5a72e8237d746c81e02278d84aa4e7e8534e |
|
PO++380.101483.bat |
a9af33c8a9050ee6d9fe8ce79d734d7f28ebf36f31ad8ee109f9e3f992a8d110 |
Network IOCs
91[.]109.20.161
137[.]184.191.215
185[.]248.196.6
https://filedn[.]com/lK8iuOs2ybqy4Dz6sat9kSz/Frihandelsaftalen40.fla
https://careerfinder[.]ro/vn/Traurigheder[.]sea
http://inversionesevza[.]com/wp-includes/blocks_/Dekupere.pcz
https://rareseeds[.]zendesk[.]com/attachments/token/G9SQnykXWFAnrmBcy8MzhciEs/?name=PO++380.101483.bat
Yara Rule
|
rule GuLoader_Obfuscated_Powershell { meta: description = "Detects Obfuscated GuLoader Powershell Scripts" author = "tgould@cadosecurity.com" date = "2024-10-14" strings: $hidden_window = { 7374617274202f6d696e20706f7765727368656c6c2e657865202d77696e646f777374796c652068696464656e2022 } $for_loop = /for\s*\(\s*\$[a-zA-Z0-9_]+\s*=\s*\d+;\s*\$[a-zA-Z0-9_]+\s*-lt\s*\$[a-zA-Z0-9_]+\s*;\s*\$[a-zA-Z0-9_]+\s*\+=\s*\d+\s*\)/ condition: $for_loop and $hidden_window } |
|
ID |
Technique |
|
T1566.001 |
Phishing: Malicious Attachment |
|
T1055 |
Process Injection |
|
T1204.002 |
User Execution: Malicious File |
|
T1547.001 |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
|
T1140 |
Deobfuscate/Decode Files or Information |
|
T1622 |
Debugger Evasion |
|
T1001.001 |
Junk Code |
|
T1105 |
Ingress Tool Transfer |
|
T1059.001 |
Command and Scripting Interpreter: Powershell |
|
T1497.003 |
Virtualization/Sandbox Evasion: Time Based Evasion |
|
T1071.001 |
Application Layer Protocol: Web Protocols |