Warning Against Phishing Emails Distributing GuLoader Malware by Impersonating a Famous International Shipping Company
AhnLab SEcurity intelligence Center (ASEC) recently identified GuLoader malware being distributed via a phishing email that impersonates a well-known international shipping company. The phishing email was obtained through the email honeypot operated by ASEC. The mail body instructs users to check their post-paid customs tax and urges them to open the attachment.

Figure 1. Phishing email body
The attachment contains an obfuscated VBScript that assembles and executes the PowerShell script embedded in it and downloads additional files from an external source. It then creates a registry key named HKEY_CURRENT_USER\SOFTWARE\[Random Name] and stores the obfuscated PowerShell script there to maintain persistence.
※ In this sample, the key is registered under the name PolySyndetic.

Figure 2. (Left) Part of the VBScript (Right) Part of the PowerShell script

Figure 3. Part of the PowerShell script registered in the registry key
Finally, it spawns msiexec.exe as a child process and injects Xworm RAT into it for execution.

Figure 4. Xworm RAT finally executed

Figure 5. Final process tree
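The two behaviours described above (a script host launching PowerShell, which in turn spawns msiexec.exe, and PowerShell writing a large script blob directly under HKEY_CURRENT_USER\SOFTWARE\[Random Name]) are both visible in ordinary endpoint telemetry. The following detection sketch is an added example written for this page, not code from ASEC or from the malware; it runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). The GUIDs, SID, value name ScriptBlob and the 512-byte size threshold are assumptions; only the key name PolySyndetic comes from the analysis above.

```python
"""Detection sketch for the GuLoader chain: script host -> PowerShell -> msiexec,
plus PowerShell persisting a script blob under HKCU\\SOFTWARE\\<random key>.
Input is a list of Sysmon-style events already parsed into dicts."""
import re
from typing import Dict, List

# Process basenames (lower-case) for each stage of the reported chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
INJECTION_HOSTS = {"msiexec.exe"}

# A value set directly under HKCU\SOFTWARE\<key>\<value>, i.e. one key level deep.
# Sysmon records HKCU as HKU\<user SID>, so both spellings are accepted.
HKCU_SOFTWARE_VALUE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\SOFTWARE\\([^\\]+)\\[^\\]+$", re.IGNORECASE)
MIN_BLOB_LEN = 512  # assumed threshold: script blobs are far larger than normal settings


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_script_host_chains(events: List[Dict]) -> List[Dict]:
    """Flag msiexec.exe whose parent is PowerShell and whose grandparent is a script host."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for proc in procs.values():
        if _basename(proc["Image"]) not in INJECTION_HOSTS:
            continue
        parent = procs.get(proc.get("ParentProcessGuid"))
        if parent is None or _basename(parent["Image"]) not in POWERSHELL_HOSTS:
            continue
        grandparent = procs.get(parent.get("ParentProcessGuid"))
        if grandparent is None or _basename(grandparent["Image"]) not in SCRIPT_HOSTS:
            continue
        findings.append({
            "rule": "script_host->powershell->msiexec",
            "chain": [_basename(grandparent["Image"]), _basename(parent["Image"]),
                      _basename(proc["Image"])],
            "process_guid": proc["ProcessGuid"],
        })
    return findings


def find_registry_script_blobs(events: List[Dict]) -> List[Dict]:
    """Flag PowerShell writing a large value directly under HKCU\\SOFTWARE\\<key>."""
    findings = []
    for e in events:
        if e["EventID"] != 13 or _basename(e["Image"]) not in POWERSHELL_HOSTS:
            continue
        m = HKCU_SOFTWARE_VALUE.match(e["TargetObject"])
        details = e.get("Details", "")
        if m and len(details) >= MIN_BLOB_LEN:
            findings.append({"rule": "hkcu_software_script_blob", "key": m.group(1),
                             "target": e["TargetObject"], "size": len(details)})
    return findings


# Constructed sample telemetry (not real captures): GUIDs, SID and value name are made up;
# the blob content is a stand-in for the obfuscated script.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "G-explorer", "ParentProcessGuid": "G-userinit",
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "G-wscript", "ParentProcessGuid": "G-explorer",
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ProcessGuid": "G-ps", "ParentProcessGuid": "G-wscript", "Image": PS_IMAGE},
    {"EventID": 1, "ProcessGuid": "G-msiexec", "ParentProcessGuid": "G-ps",
     "Image": r"C:\Windows\System32\msiexec.exe"},
    # benign control: msiexec started by a parent outside the chain
    {"EventID": 1, "ProcessGuid": "G-msiexec2", "ParentProcessGuid": "G-services",
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13, "ProcessGuid": "G-ps", "Image": PS_IMAGE,
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\PolySyndetic\\ScriptBlob",
     "Details": "x" * 2048},
    # benign control: a small value in a deeper, ordinary vendor path
    {"EventID": 13, "ProcessGuid": "G-ps", "Image": PS_IMAGE,
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Foo",
     "Details": "1"},
]

if __name__ == "__main__":
    for finding in find_script_host_chains(SAMPLE_EVENTS) + find_registry_script_blobs(SAMPLE_EVENTS):
        print(finding)
```

Both rules deliberately key on structure rather than on the random key name, since that name changes per sample: the process rule looks at the three-stage parent chain, and the registry rule looks at where the value sits and how large it is. Legitimate installers launched by the Windows Installer service, and ordinary settings written under vendor paths like SOFTWARE\Microsoft\..., fall outside both conditions, as the two benign control events show.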
GuLoader is downloader malware that has been distributed in various forms since December 2019. Because it is a downloader, it can infect systems with a variety of other malware and cause secondary damage. Users should therefore be cautious when opening attachments from unknown sources.