AhnLab Security Emergency response Center (ASEC) has identified GuLoader being distributed as email attachments disguised as tax invoices and shipping statements. The recently identified GuLoader variant was delivered inside a RAR (Roshal Archive Compressed) compressed file. When a user executes GuLoader, it ultimately downloads known malware strains such as Remcos, AgentTesla, and Vidar.
AhnLab’s MDS products provide a Mail Transfer Agent (MTA) feature to block malware distributed via email. Figure 3 below shows the GuLoader malware detection report screen of AhnLab MDS. In this case, the GuLoader downloader downloaded Remcos from the threat actor’s server.
Remcos is a known RAT (Remote Administration Tool) distributed via spam emails and MS-SQL vulnerabilities. The malware has been covered on the ASEC Blog.
There is an official sales page for Remcos. Following the initial release of version 1.0 in July 2016, version 4.9.0 was released on July 26th, 2023. It seems the creator is constantly updating the features of this malware and selling copies for commercial purposes.
When an email is received, MDS runs the attachment through virtual machine-based dynamic analysis and detects the malware from its behavior and characteristics: GuLoader's behavior of downloading additional malware and Remcos' behavior of exfiltrating information.
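As an added illustration of the mail-stage triage described above (example code written for this page, not AhnLab's or MDS's own logic), the following Python pre-filter inspects a message's attachments, identifies RAR archives by their signature bytes rather than by extension, and flags those whose subject or filename uses the invoice/shipping lure themes from the report as candidates for sandbox analysis. The sample message, sender and recipient addresses, and the truncated RAR payload are all constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Signature bytes of RAR4 and RAR5 archives.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Lure themes named in the report: tax invoices and shipping statements.
LURE_PATTERN = re.compile(r"(invoice|tax|shipping|statement)", re.IGNORECASE)


def is_rar(data: bytes) -> bool:
    """Check the archive signature instead of trusting the file extension."""
    return data.startswith(RAR_MAGIC)


def triage_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment; 'sandbox' marks RAR files wrapped in a lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        rar = is_rar(payload)
        lure = bool(LURE_PATTERN.search(subject) or LURE_PATTERN.search(name))
        findings.append({
            "filename": name,
            "is_rar": rar,
            "lure_theme": lure,
            "sandbox": rar and lure,  # hand this attachment to dynamic analysis
        })
    return findings


def build_sample(subject: str, filename: str, content: bytes) -> bytes:
    """Constructed sample e-mail for the demonstration; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please find the attached document.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lure: invoice-themed subject carrying a (truncated) RAR5 header.
    sample = build_sample("Tax invoice 08/2023", "Tax_Invoice_0823.rar", RAR_MAGIC[1] + b"\x00" * 16)
    for finding in triage_message(sample):
        print(finding)
```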
Besides Remcos, GuLoader also downloads and runs other malware strains sold on the Internet, such as Formbook and Lokibot. Malware offered for sale in this way is called commodity malware. The threat actor likely propagates commodity malware through downloaders such as GuLoader, rather than distributing it directly, in order to bypass the signature-based detection of security products. GuLoader was previously compiled in Visual Basic, and nowadays it is compiled in NSIS and .NET. Whatever the case may be, its form is constantly changed between distributions to evade static detection. However, the malware ultimately executed in memory is commodity malware such as Remcos, so even when the forms differ, each variant performs the same malicious behavior. Thus, corporate security managers must implement not only endpoint security products (V3) but also sandbox-based APT solutions such as MDS to prevent damage from cyber attacks.
– Trojan/Win.Guloader.C5463862 (2023.08.02.00)
AhnLab MDS detects and responds to unknown threats through sandbox-based dynamic analysis. For more information about the product, please visit our official website.