
GuLoader Attacks Law Firms with Weaponized PDF Files

A recent report from cybersecurity researchers at Morphisec Labs has shed light on an ongoing GuLoader campaign targeting law firms in the US. The researchers have been monitoring the campaign since April and have identified law firms, along with healthcare and investment firms, as its primary targets.

GuLoader, also known as ‘Cloudeye’, has been active for over three years and continues to evolve, which makes it difficult for security analysts to analyze. It is notorious for distributing various malware families, including NetWire, Lokibot, Xloader, and Remcos.

The campaign involves the use of trusted platforms such as Google Drive, OneDrive, and GCloud to download the payload. In this specific instance, the operators of GuLoader utilized ‘github.io’ as the download source to deliver the Remcos RAT, a remote access trojan.

The infection chain begins with an encrypted PDF attachment sent via email, along with a PIN for decryption. The victim is enticed to click on an embedded icon within the PDF, initiating the process. Once clicked, the user is redirected to a final URL through Google’s adclick service, DoubleClick, which is commonly used in online ads for tracking and gathering statistics on user clicks.

At the redirected URL, the user is prompted to enter the PIN provided earlier. After entering the PIN, a GuLoader VBScript is downloaded for further execution. The VBScript contains obfuscation, random comments, and redundant lines to hinder analysis. The resulting code decodes and executes a PowerShell script.

Using the 32-bit version of PowerShell, the script decodes and runs a second-stage PowerShell script. This script contains XOR-encoded strings responsible for downloading the GuLoader shellcode. The shellcode is split into two parts: a decrypting shellcode and an encrypted shellcode. The shellcode’s main role is to inject the final payload into the ‘ieinstal.exe’ process by downloading and decrypting it.

Additionally, the shellcode opens a malicious PDF file, triggering and running the Remcos RAT in the background. Interestingly, the PDF file displays a “404 Page not found” error, adding another layer of deception to the campaign.
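From a detection standpoint, the chain described above (script host, then 32-bit PowerShell, then the ‘ieinstal.exe’ process used as the injection target) leaves a recognisable parent/child pattern in endpoint process-creation telemetry. The following is an added example, not code from the article or from Morphisec's report: a small Python rule that walks constructed, Sysmon-style process-creation records and flags that sequence. The record layout, the field names, the sample paths and command lines, and the rule names are all assumptions made for the example; the only facts taken from the article are the stage order and the ‘ieinstal.exe’ target.

```python
"""Process-chain detection for the GuLoader stage sequence described above.

Added example, not from the article or the Morphisec report. The events below
are constructed, Sysmon-style process-creation records; field names, sample
paths and rule names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ntpath  # handles Windows paths correctly even when run on Linux


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the newly created process
    cmdline: str  # command line as logged (placeholders here, not real samples)


# Constructed sample telemetry: one benign PowerShell launch from Explorer and
# one chain mirroring the article (wscript.exe -> 32-bit PowerShell -> ieinstal.exe).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent(300, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\document.vbs"'),
    # SysWOW64 is where the 32-bit PowerShell binary lives on 64-bit Windows.
    ProcEvent(301, 300, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -e <ENCODED-PLACEHOLDER>"),
    ProcEvent(302, 301, r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
              "ieinstal.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_TARGET = "ieinstal.exe"  # process named in the article as the injection target


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_wow64(path: str) -> bool:
    """True when the image was loaded from the 32-bit (SysWOW64) directory."""
    return "\\syswow64\\" in path.lower()


def detect_guloader_chain(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) pairs for events matching the stage sequence.

    Stage 1: a script host (wscript/cscript) spawning 32-bit PowerShell.
    Stage 2: PowerShell spawning ieinstal.exe; escalated to a full-chain
             alert when the grandparent is a script host.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None:
            continue
        name = basename(e.image)
        parent_name = basename(parent.image)

        # Stage 1: script host -> 32-bit PowerShell (unusual for admin scripts).
        if name == "powershell.exe" and is_wow64(e.image) and parent_name in SCRIPT_HOSTS:
            alerts.append((e.pid, "script_host_to_wow64_powershell"))

        # Stage 2: PowerShell -> ieinstal.exe (the injection target).
        if name == INJECTION_TARGET and parent_name == "powershell.exe":
            grand = by_pid.get(parent.ppid)
            if grand is not None and basename(grand.image) in SCRIPT_HOSTS:
                alerts.append((e.pid, "chain_script_host_powershell_ieinstal"))
            else:
                alerts.append((e.pid, "powershell_to_ieinstal"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect_guloader_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign PowerShell launch (pid 200) is not flagged because it is 64-bit and its parent is Explorer; only the script-host chain produces alerts. In a real deployment the same two conditions map directly onto EDR or SIEM process-lineage queries, and the 32-bit PowerShell check alone is a useful low-noise signal on 64-bit hosts where administrative scripts normally run the System32 binary.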

What sets this campaign apart is that GuLoader typically fetches payloads from cloud hosting platforms, but in this case, it used a regular URL. This demonstrates the adaptability and sophistication of the malware loader.

It is crucial for organizations, especially law firms, to be aware of this ongoing campaign and take necessary measures to protect their systems and sensitive data. Implementing robust cybersecurity solutions and educating employees about email security best practices can help mitigate the risk of falling victim to GuLoader and other similar threats.

Overall, the GuLoader campaign targeting law firms in the US highlights the persistent and evolving nature of cyber threats. It serves as a reminder for organizations to remain vigilant and proactive in their cybersecurity efforts to safeguard against increasingly sophisticated attacks.
