GuLoader Malware Disguised as a Word File Being Distributed in Korea

The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed since the past, downloading various malware. The phishing mail being distributed is as follows, and has an HTML file attached.

Phishing mail

When the user opens the attached HTML file, a compressed file is downloaded from the URL below.

  • Download URL
HTML code

The compressed file contains an IMG file and the GuLoader malware is inside this IMG file.

Inside the compressed file

GuLoader is disguised as a Word icon and a Null value of about 600MB in size is added to the end of the file.

Actual size (left), distributed file size (right)

It is in the same NSIS format as the GuLoader that has been introduced in the ASEC blog in July, but changes have been made to the NSIS script’s features in the GuLoader that is currently being distributed. The previous NSIS Script had some strings with the names of the DLL and API that it calls, while the new NSIS Script had all the relevant strings removed to bypass detection.

Previous NSIS script

The removed strings are encoded in a particular file. Out of the files generated upon execution of the NSIS file, the “Udmeldt.Ext” file is a shellcode to be loaded later, and the “Modig.Sta0” file is encoded with the names of the DLL and API to be called. The following NSIS script shows the process of the strings being decoded.

Modified NSIS script (1)

First, to call API, XOR is performed from the Modig.Sta0 file’s data in 12278(0x2FF6).

Modified NSIS script (2)

The decoded data is as follows, and it calls the API in order.

Modified NSIS script (3)

When the API is called in order, the “Udmeldt.Ext” file’s data in 21200(0x52D0) is loaded onto the allocated memory before being executed. The data loaded at this point performs the actual malicious behavior.

The shellcode to be loaded
The loaded shellcode

The loaded GuLoader executes a normal process in the “C:\program files\internet explorer\ieinstal.exe” path before injecting malicious data. The injected normal process connects to the URL below and attempts to download additional malware. Download is not available at the current moment, but it can download infostealers and RAT types of malware, including Formbook, RedLine, and AgentTesla.

  • Download URL
    hxxp:// 45.137.117[.]184/riBOkPd173.mix

The downloader malware GuLoader is continuously being modified and distributed to bypass detection. Caution is advised as it is targeting Korean users, and users should not open attachments in emails from unknown sources. AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]
Downloader/HTML.Generic.SC183804 (2022.10.11.03)
Trojan/Win.Agent.C5275941 (2022.10.11.03)

hxxp:// 45.137.117[.]184/riBOkPd173.mix

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] Researchers recently identified the GuLoader malware being delivered to Korean corporate users. GuLoader is a downloader that has been widely circulated in the past for the purpose of downloading different infections. An HTML file is included to the phishing email. […]