GuLoader Disguised as Estimate Requests Being Distributed via Phishing Email

GuLoader has returned to the Top 5 malware keywords of the ASEC Weekly Malware Statistics for the first time in two years. It is a downloader that fetches additional malware, and it got its name because Google Drive was frequently used as its download URL.

ASEC Weekly Malware Statistics (June 20th, 2022 – June 26th, 2022)

The ASEC analysis team found that this family accounted for the largest share of Downloader-type malware distributed during the 2nd quarter of this year (see figure below). The recently discovered case was disguised as an estimate request, but the filenames used in distribution suggest the malware is spread through a variety of phishing lures.

[Figure: share of Downloader malware types distributed in the 2nd quarter of 2022]

[Some of the filenames used in distributions]

  • JP181222006.exe
  • Setup.exe
  • PRICE_OF.EXE
  • Remittance Advice.pdf.exe
  • Purchase order_104121_90778_azBRIGHTOK.exe

Whereas previous GuLoader variants were packed as Visual Basic executables, recent samples are distributed as NSIS installers. When GuLoader is run, it displays an installer GUI as if it were a legitimate installer (see Figure 2).

[Figure 2: installer GUI displayed when GuLoader is run]

The malware creates a file in the %appdata%\Bestikkendes8 path. Because SetAutoClose is set to true, the installation window shown in Figure 2 closes automatically.

InstType $(LSTR_38) ; Custom
InstallDir $APPDATA\Bestikkendes8
; install_directory_auto_append = Bestikkendes8
; wininit = $WINDIR\wininit.ini

(omitted)

SetAutoClose true

Part of the NSIS (.nsi) script

It then decodes the embedded data in memory and executes it. Ultimately, it connects to hxxps://lovelifereboot[.]com/MAKS_ywgAq67.bin to download additional malware. Although the payload can no longer be downloaded, recent GuLoader variants download infostealers and RATs just as previous versions did.

[Ultimately downloaded malware types]

  • Formbook (Infostealer)
  • AgentTesla (Infostealer)
  • Remcos (RAT)
  • NanoCore (RAT)

As distribution cases have recently increased and phishing emails written in Korean have been found, Korean users should be cautious. AhnLab detects and blocks the malware under the following aliases:

[File Detection]
Trojan/Win.GuLoader.C5175436

[MD5]
29dae93183c2b0f2eb98db22d3a246dd

[URL]
https[:]//lovelifereboot[.]com/MAKS_ywgAq67[.]bin
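As an added example (not part of the ASEC post and not AhnLab's tooling), the following Python script shows how a defender might operationalize the indicators above together with the filename list earlier in the post: it refangs the published URL, matches its host against proxy log lines, and flags file events whose MD5 matches the published hash or whose name hides an executable behind a document extension. The IOC_MD5 and IOC_URL_DEFANGED values are the ones published in the post; the proxy log lines, file events and log format are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators published in the post (URL kept defanged as published).
IOC_MD5 = "29dae93183c2b0f2eb98db22d3a246dd"
IOC_URL_DEFANGED = "https[:]//lovelifereboot[.]com/MAKS_ywgAq67[.]bin"

# Filenames the post lists as seen in distribution.
SEEN_FILENAMES = [
    "JP181222006.exe",
    "Setup.exe",
    "PRICE_OF.EXE",
    "Remittance Advice.pdf.exe",
    "Purchase order_104121_90778_azBRIGHTOK.exe",
]

# Constructed sample data for this example (not real telemetry).
SAMPLE_PROXY_LOGS = [
    "2022-06-27T10:14:03Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2022-06-27T10:15:41Z 10.0.0.12 GET https://lovelifereboot.com/MAKS_ywgAq67.bin 404",
    "2022-06-27T10:16:02Z 10.0.0.19 GET https://update.example.org/setup.msi 200",
]
SAMPLE_FILE_EVENTS = [
    {"name": "Purchase order_104121_90778_azBRIGHTOK.exe", "md5": IOC_MD5.upper()},
    {"name": "Remittance Advice.pdf.exe", "md5": "0" * 32},
    {"name": "quarterly_report.pdf", "md5": "f" * 32},
]

# Document/image extension immediately followed by an executable extension.
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg|png)\.(exe|scr|com|pif|bat)$",
    re.IGNORECASE,
)


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxp, [.], [:]) back into a matchable URL."""
    s = ioc.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def has_double_extension(filename: str) -> bool:
    """True for names like 'Remittance Advice.pdf.exe' that hide an executable
    behind a document or image extension."""
    return DOUBLE_EXT.search(filename) is not None


def match_proxy_logs(lines, defanged_url: str):
    """Return log lines whose request host equals the indicator's host.
    Assumes the constructed format '<ts> <client> <method> <url> <status>'."""
    ioc_host = urlsplit(refang(defanged_url)).hostname
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the sweep
        if urlsplit(fields[3]).hostname == ioc_host:
            hits.append(line)
    return hits


def md5_of(data: bytes) -> str:
    """Hash file contents so they can be compared with the published MD5."""
    return hashlib.md5(data).hexdigest()


def triage_file_events(events):
    """Return (name, reasons) for each event matching the hash IOC or the
    double-extension rule. 'events' is a list of {'name', 'md5'} dicts."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["md5"].lower() == IOC_MD5:
            reasons.append("md5 matches published GuLoader sample")
        if has_double_extension(ev["name"]):
            reasons.append("document extension followed by executable extension")
        if reasons:
            alerts.append((ev["name"], reasons))
    return alerts


if __name__ == "__main__":
    print("refanged URL:", refang(IOC_URL_DEFANGED))
    for hit in match_proxy_logs(SAMPLE_PROXY_LOGS, IOC_URL_DEFANGED):
        print("proxy hit:", hit)
    for name, reasons in triage_file_events(SAMPLE_FILE_EVENTS):
        print("alert:", name, "->", "; ".join(reasons))
    print("double-extension names in published list:",
          [n for n in SEEN_FILENAMES if has_double_extension(n)])
```

The host-only match in match_proxy_logs is deliberate: the post notes the payload URL no longer serves the file, so a later campaign may reuse the domain with a different path, and a host match still surfaces the request. Hash comparison is lowercased because EDR exports differ in case.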

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.