GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products)

AhnLab Security Emergency response Center (ASEC) has identified circumstances of GuLoader being distributed as attachments in emails disguised with tax invoices and shipping statements. The recently identified GuLoader variant was included in a RAR (Roshal Archive Compressed) compressed file. When a user executes GuLoader, it ultimately downloads known malware strains such as Remcos, AgentTesla, and Vidar.

Figure 1. An email disguised as a tax invoice (GuLoader)
Figure 2. An executable file within the doc 00499892998.exe compressed file (GuLoader)

AhnLab’s MDS products provide a Mail Transfer Agent (MTA) feature to block malware distributed via email. Figure 3 below shows the GuLoader malware detection report screen of AhnLab MDS. In this case, the GuLoader downloader downloaded Remcos from the threat actor’s server.

Figure 3. AhnLab MDS GuLoader malware detection screen

Remcos is a known RAT (Remote Administration Tool) distributed via spam emails and MS-SQL vulnerabilities. The malware has been covered on the ASEC Blog.

There is an official sales page for Remcos. Following the initial release of version 1.0 in July 2016, version 4.9.0 was released on July 26th, 2023. It seems the creator is constantly updating the features of this malware and selling copies for commercial purposes.

Figure 4. Remcos sales page

When an email is received, MDS uses the virtual machine-based dynamic analysis to detect malware strains based on GuLoader’s behavior of downloading malware types and Remcos’ behavior of exfiltrating information as well as their characteristics.

Figure 5. Screen showing MDS detection of Remcos (behaviors of downloading malware strains and modifying registry keys)
Figure 6. Screen showing MDS detection of Remcos (accessing account credential files)

Besides Remcos, GuLoader also downloads and runs malware strains being sold on the Internet such as Formbook and Lokibot. Such malware strains offered for sale are called commodity malware. The threat actor likely uses downloaders such as GuLoader to propagate commercial malware instead of distributing them directly to bypass signature-based detection of security products. In the past, GuLoader was compiled in VisualBasic, and nowadays, it is compiled in NSIS and .NET. Whatever the case may be, its form is constantly being changed during distribution to evade static detection. However, the malware strains being executed in the memory area are commercial malware types such as Remcos, so even if the forms are different, each variant performs the same malicious behaviors. Thus, corporate security managers must implement not only endpoint security products (V3) but also sandbox-based APT solutions such as MDS to prevent damage from cyber attacks.

– ab5050f0b4b71352722a6122c8107f83

[File Detection]
– Trojan/Win.Guloader.C5463862 (2023.08.02.00)

[Behavior Detection]
– Execution/MDP.Remcos.M11099
– Infostealer/MDP.Credential.M10218

AhnLab MDS detects and responds to unknown threats through sandbox-based dynamic analysis. For more information about the product, please visit our official website.

Categories:AhnLab Detection

Tagged as:,

0 0 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] post GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products) appeared first on ASEC […]