GuLoader Disguised as Estimate Requests Being Distributed via Phishing Email

GuLoader has re-entered the Top 5 malware keywords of the ASEC Weekly Malware Statistics for the first time in two years. It is a downloader that fetches and runs additional malware, and it got its name because Google Drive is frequently used to host its payloads.

The ASEC analysis team found that GuLoader accounted for the largest share of the downloader-type malware distributed during the second quarter of this year (see the figure below). The most recently discovered case was disguised as a request for an estimate (quotation), but the filenames used in distribution show that the malware is spread through a variety of phishing lures.

Figure 1. Phishing email used for distributing GuLoader

[Some of the filenames used in distribution]

  • JP181222006.exe
  • Setup.exe
  • PRICE_OF.EXE
  • Remittance Advice.pdf.exe
  • Purchase order_104121_90778_azBRIGHTOK.exe

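The lure names above share a few traits that can be checked automatically before a user ever opens the attachment: an executable extension, a document extension hidden in front of it (Remittance Advice.pdf.exe), business-document keywords, and, once the file is on disk, a PE header behind a non-executable name or an MD5 that matches the published IOC. The following Python script is an added example written for this page, not code from ASEC or AhnLab; the keyword list and the extension sets are assumptions chosen from the filenames shown here, and the sample attachments at the bottom are constructed (the names come from the article, the bytes are dummies).

```python
import hashlib
import re
from pathlib import Path

# MD5 IOC published in the article for the analysed GuLoader sample
KNOWN_MD5 = {"29dae93183c2b0f2eb98db22d3a246dd"}

# Extensions Windows executes when the attachment is double-clicked (assumed set)
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Document/image extensions commonly used as the inner half of a double extension (assumed set)
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Business-document words taken from the lure names on this page (assumed, extend as needed)
LURE_WORDS = re.compile(
    r"remittance|invoice|purchase\s*order|price|quotation|estimate|payment", re.I
)


def lure_name_flags(filename: str):
    """Return the list of naming heuristics that a filename triggers (empty = nothing odd)."""
    flags = []
    p = Path(filename)
    suffixes = [s.lower() for s in p.suffixes]
    if suffixes and suffixes[-1] in EXEC_EXTS:
        flags.append("executable attachment")
        # 'Remittance Advice.pdf.exe': a document extension directly before the real one
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
            flags.append(f"double extension ({suffixes[-2]}{suffixes[-1]})")
        if LURE_WORDS.search(p.stem):
            flags.append("business-document lure keyword in name")
    return flags


def md5_hex(data: bytes) -> str:
    """MD5 of the attachment body, for comparison with the published IOC."""
    return hashlib.md5(data).hexdigest()


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the name heuristics, a PE-magic check and the hash IOC into one verdict."""
    flags = lure_name_flags(filename)
    suffix = Path(filename).suffix.lower()
    # A PE image ('MZ' magic) named like a document is a disguise regardless of the name
    if data[:2] == b"MZ" and suffix not in EXEC_EXTS:
        flags.append(f"PE content behind a non-executable extension ({suffix or 'none'})")
    digest = md5_hex(data)
    if digest in KNOWN_MD5:
        flags.append("MD5 matches the published GuLoader IOC")
    return {"name": filename, "md5": digest, "flags": flags}


if __name__ == "__main__":
    # Constructed samples: names from the article, dummy bytes (not the real binaries)
    samples = [
        ("JP181222006.exe", b"MZ\x90\x00"),
        ("Setup.exe", b"MZ\x90\x00"),
        ("PRICE_OF.EXE", b"MZ\x90\x00"),
        ("Remittance Advice.pdf.exe", b"MZ\x90\x00"),
        ("Purchase order_104121_90778_azBRIGHTOK.exe", b"MZ\x90\x00"),
        ("quarterly-report.pdf", b"%PDF-1.4"),
    ]
    for name, blob in samples:
        v = triage_attachment(name, blob)
        print(f"{v['name']:45s} {v['md5']}  {', '.join(v['flags']) or 'clean'}")
```

Run it on a mail-gateway quarantine directory by reading each file's bytes into triage_attachment; the name heuristics alone are enough to hold a message for review, and the hash match is the only check that identifies this specific sample.
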
Whereas earlier GuLoader variants were packed as Visual Basic executables, recent cases are distributed as NSIS (Nullsoft Scriptable Install System) installers. When GuLoader runs, it displays an installer GUI so that it looks like a legitimate setup program (see Figure 2).

Figure 2. Created installation window

The malware drops a file into the %APPDATA%\Bestikkendes8 directory. Because SetAutoClose is set to true, the installation window shown in Figure 2 closes automatically once the install section finishes, so the user only sees a brief installer flash.

InstType $(LSTR_38) ; Custom
InstallDir $APPDATA\Bestikkendes8
; install_directory_auto_append = Bestikkendes8
; wininit = $WINDIR\wininit.ini

(omitted)

SetAutoClose true
Part of the extracted .nsi script
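When triaging an NSIS sample, the extracted script is the fastest place to look: an InstallDir under a user-writable location such as $APPDATA, SetAutoClose true (or SilentInstall silent), and any Exec/System::Call activity together say "this is not a product installer". The script below is an added example for this page, not ASEC's or AhnLab's tooling. It parses a constructed .nsi fragment in which the InstType/InstallDir/SetAutoClose lines are the ones shown above, while the Section block, the File line and the System::Call line are hypothetical additions so that the dropped-file and plugin-call checks have something to match.

```python
# Constructed sample: InstType, InstallDir and SetAutoClose lines are from the page;
# the Section block, File line and System::Call line are hypothetical additions.
SAMPLE_NSI = r"""
InstType $(LSTR_38) ; Custom
InstallDir $APPDATA\Bestikkendes8
; install_directory_auto_append = Bestikkendes8
; wininit = $WINDIR\wininit.ini
Section
  SetOutPath $INSTDIR
  File "Bestikkendes8.dat"                     ; hypothetical dropped data file
  System::Call "kernel32::VirtualAlloc(...)"   ; hypothetical plugin call
SectionEnd
SetAutoClose true
"""

# NSIS constants that resolve to locations any user can write to (assumed list)
USER_WRITABLE = ("$APPDATA", "$LOCALAPPDATA", "$TEMP", "$PROFILE", "$DOCUMENTS", "$DESKTOP")
# Directives that execute something at install time
EXEC_DIRECTIVES = {"exec", "execwait", "execshell", "execshellwait"}
# Plugin namespaces that give the script raw Win32 / process access
PLUGIN_PREFIXES = ("system::", "nsexec::")


def strip_comment(line: str) -> str:
    """Drop a trailing ';' or '#' comment unless it sits inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'`":          # NSIS accepts double, single and backtick quotes
            quote = ch
        elif ch in ";#":
            return line[:i]
    return line


def parse_nsi(text: str):
    """Yield (directive, argument-string) pairs, skipping blank and comment-only lines."""
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def triage_nsi(text: str) -> dict:
    """Collect the install-time facts a responder cares about and a list of findings."""
    result = {"install_dir": None, "auto_close": False, "silent": False,
              "dropped_files": [], "findings": []}
    for name, args in parse_nsi(text):
        key = name.lower()
        if key == "installdir":
            result["install_dir"] = args
            if args.upper().startswith(USER_WRITABLE):
                result["findings"].append(f"InstallDir under a user-writable location: {args}")
        elif key == "setautoclose" and args.lower() == "true":
            result["auto_close"] = True
            result["findings"].append("SetAutoClose true: installer window closes itself")
        elif key == "silentinstall" and args.lower() == "silent":
            result["silent"] = True
            result["findings"].append("SilentInstall silent: no UI at all")
        elif key == "file":
            # Files embedded in the installer and written to $OUTDIR at run time
            result["dropped_files"].append(args.strip('"'))
        elif key in EXEC_DIRECTIVES or key.startswith(PLUGIN_PREFIXES):
            result["findings"].append(f"Run-time execution / plugin call: {name} {args}".rstrip())
    return result


if __name__ == "__main__":
    verdict = triage_nsi(SAMPLE_NSI)
    print("InstallDir   :", verdict["install_dir"])
    print("Auto-close   :", verdict["auto_close"])
    print("Dropped files:", verdict["dropped_files"])
    for f in verdict["findings"]:
        print(" -", f)
```

Feed it the script text that 7-Zip or an NSIS decompiler extracts from the installer; the three findings it raises for this fragment (user-writable InstallDir, self-closing window, System plugin call) are exactly the pattern described above, and the dropped-file list tells you which artefact to pull from %APPDATA%\Bestikkendes8 for the in-memory decoding stage.
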

It then decodes its embedded data in memory and executes it. Finally, it connects to hxxps://lovelifereboot[.]com/MAKS_ywgAq67.bin to download the additional payload. Although the file could no longer be downloaded at the time of analysis, recent GuLoader variants deliver infostealers and RATs just as previous versions did.

[Ultimately downloaded malware types]

  • Formbook (Infostealer)
  • AgentTesla (Infostealer)
  • Remcos (RAT)
  • NanoCore (RAT)

As distribution has increased recently and phishing emails written in Korean have been observed, Korean users in particular should be cautious. AhnLab detects and blocks the malware under the following aliases:

[File Detection]
Trojan/Win.GuLoader.C5175436

[IOC Info]
29dae93183c2b0f2eb98db22d3a246dd
hxxps://lovelifereboot[.]com/MAKS_ywgAq67.bin

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
