GuLoader Downloader

First observed in December 2019, GuLoader is a VB6-based downloader trojan. Despite its age, it has swiftly become popular with threat groups and has been observed in campaigns delivering a number of well-known malware.

Affected platforms

The following platforms are known to be affected:

Threat details

GuLoader is typically delivered embedded in container files or productivity documents distributed in spam campaigns. When these files are opened, a script is run that will unpack and execute GuLoader.

Once installed, GuLoader connects to a command and control server to collect payload URLs, which are typically hosted on Microsoft OneDrive or Google Drive. It then attempts to install the payloads and execute them as new processes. At the time of publication, GuLoader has been observed dropping Agent Tesla, Ave Maria, FormBook, NanoCore, Netwire, Remcos, and Parallax.


Remediation steps

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details, refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

URLs

  • drive.google[.]com/uc?export=download&id=1N8gVOM5p8Ubm1HwolChxHidT7YoN29EE
  • drive.google[.]com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE
  • drive.google[.]com/uc?export=download&id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi

SHA256 File Hashes

  • 1e6db9987ba9662be6f49c006b042766f85027266427d6e3b3c62faac310542d
  • accfdbd1af174d1134015daa4bc39ee1b5c8b88df4ecee8ea0c9cda660bb18c7
  • de1b53282ea75d2d3ec517da813e70bb56362ffb27e4862379903c38a346384d
  • eaa6bbbfd75eab17c2808b0c2dd4a5d5a5ee473cc7cd5e93ce4302c4f830202d
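As an added defender-side example (not part of the NHS Digital advisory), the following Python hunt normalises the defanged Drive URLs listed above, extracts the file id from Google Drive direct-download links, scans proxy log lines for fetches of the listed payload URLs, and checks a file's SHA256 against the listed hashes. The proxy log format, the client addresses and the sample file bytes are constructed assumptions; only the indicators are taken from the advisory.

```python
import hashlib
from urllib.parse import urlsplit, parse_qs
# Indicators quoted from the advisory, kept defanged ("[.]") as published.
IOC_URLS = [
    "drive.google[.]com/uc?export=download&id=1N8gVOM5p8Ubm1HwolChxHidT7YoN29EE",
    "drive.google[.]com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE",
    "drive.google[.]com/uc?export=download&id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi",
]
IOC_SHA256 = {
    "1e6db9987ba9662be6f49c006b042766f85027266427d6e3b3c62faac310542d",
    "accfdbd1af174d1134015daa4bc39ee1b5c8b88df4ecee8ea0c9cda660bb18c7",
    "de1b53282ea75d2d3ec517da813e70bb56362ffb27e4862379903c38a346384d",
    "eaa6bbbfd75eab17c2808b0c2dd4a5d5a5ee473cc7cd5e93ce4302c4f830202d",
}

def drive_file_id(url):
    """Return the id of a drive.google.com/uc?export=download URL, else None.
    Accepts scheme-less and defanged forms so IoCs and log URLs normalise alike."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.netloc.lower() != "drive.google.com" or parts.path != "/uc":
        return None
    query = parse_qs(parts.query)
    if query.get("export") != ["download"]:
        return None
    return query.get("id", [None])[0]

KNOWN_IDS = {drive_file_id(u) for u in IOC_URLS}
# Constructed sample proxy log: "timestamp client method url status" per line.
SAMPLE_LOG = """\
2022-01-10T09:12:01Z 10.0.4.17 GET https://drive.google.com/uc?export=download&id=1N8gVOM5p8Ubm1HwolChxHidT7YoN29EE 200
2022-01-10T09:12:05Z 10.0.4.17 GET https://www.example.org/index.html 200
2022-01-10T09:13:40Z 10.0.4.22 GET http://drive.google.com/uc?export=download&id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi 200
2022-01-10T09:14:02Z 10.0.4.22 GET https://drive.google.com/file/d/notlisted/view 200
"""

def hunt_proxy_log(text):
    """Return (client, file id) pairs for fetches of the listed payload URLs."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        fid = drive_file_id(fields[3]) if len(fields) >= 4 else None
        if fid in KNOWN_IDS:
            hits.append((fields[1], fid))
    return hits

def matches_known_hash(data):
    """True if the bytes hash to one of the advisory's SHA256 values."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256
```

Matching on the Drive file id rather than the raw URL string means the hunt still fires when the scheme, host case or parameter order in the log differs from the published indicator.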

Last edited: 10 January 2022 5:41 pm