Industrial companies in Europe targeted with GuLoader


A recent spear-phishing campaign targeting industrial and engineering companies in Europe was aimed at saddling victims with the popular GuLoader downloader and, ultimately, a remote access trojan that would permit attackers to steal information from and access compromised computers whenever they wish.

“The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order,” Tara Gould, Threat Research Lead at Cado Security, has warned.

The malware

The goal of the email is to make the recipient download the attachment – an .iso, .7z, .gzip or .rar archive file – and unpack it. Inside is a batch file that contains an obfuscated PowerShell script.

Running the file starts a process of downloading another file containing a second PowerShell script which includes functionality to allocate memory via VirtualAlloc (a native Windows API function) and to execute shellcode.

“The second shellcode is injected into the legitimate ‘msiexec.exe’ process and appears to be reaching out to a domain to retrieve an additional payload, however at the time of analysis this request returns a 404. Based on previous research of GuLoader, the final payload is usually a RAT including Remcos, NetWire, and AgentTesla,” Gould shared.

The second script also creates a registry key for persistence.
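The chain described above (batch file launching encoded PowerShell, injection into msiexec.exe, a persistence key) can be expressed as process-tree detection logic. This is an added example, not Cado Security's Yara rules or any code from the report; the events are constructed in a simplified Sysmon-like shape, and it assumes the persistence key is a Run key, which the article does not state.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real
# telemetry): id 1 = process creation, id 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c "C:\Users\u\AppData\Local\Temp\Rar$DIa\order.bat"'},
    {"id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAo"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe"},
    {"id": 13, "pid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign control: msiexec started by explorer, should not be flagged.
    {"id": 1, "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec /i setup.msi"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) tuples for events matching stages of the chain."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        img = basename(e["image"])
        if e["id"] == 1:
            parent = procs.get(e["ppid"])
            pimg = basename(parent["image"]) if parent else ""
            # Stage 1: a batch file (cmd.exe parent) starts PowerShell with an
            # encoded command, matching the obfuscated script in the archive.
            if img == "powershell.exe" and pimg == "cmd.exe" \
                    and re.search(r"\s-e(nc|ncodedcommand)?\s", e["cmd"], re.I):
                alerts.append(("encoded powershell from batch", e["pid"]))
            # Stage 2: msiexec.exe with a PowerShell parent; legitimate installs
            # are normally started by the MSI service or a user shell.
            if img == "msiexec.exe" and pimg == "powershell.exe":
                alerts.append(("msiexec spawned by powershell", e["pid"]))
        # Stage 3 (assumed Run key): PowerShell writing an autostart value.
        elif e["id"] == 13 and img == "powershell.exe" \
                and "\\currentversion\\run\\" in e["target"].lower():
            alerts.append(("run key written by powershell", e["pid"]))
    return alerts
```

Each rule fires on its own, but the three together, tied to one process tree, are what distinguish this chain from an administrator's one-off encoded command or a scripted installer.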

Evasion and obfuscation are critical for GuLoader

“Guloader makes use of process injection to evade detection. This allows malicious code to be run through a legitimate process, meaning security products may not detect the malware, or victims may not be alerted since the process will look like a normal Windows process,” Gould told Help Net Security.

“The obfuscation methods are custom and deployed to bypass security products that may detect the files if they were not obfuscated and make analyzing the files more difficult.”

The evasiveness of the loader means that the threat actors deploying it can use a variety of final payloads without having to customize each one for evading detection.

“The anti-analysis techniques employed, including use of junk code and encrypted shellcode make analysis more difficult, which in turn makes creating detections more challenging. Additionally, as it is designed to disrupt analysis, more time is spent for security staff to determine what is occurring,” Gould concluded.

The targets

Cado Security has provided indicators of compromise and Yara rules to help organizations search for evidence of compromise.

The company says that the spear-phishing campaign targeted employees at electronic manufacturing, engineering and industrial companies in European countries: Romania, Poland, Germany and Kazakhstan.

Zeljka Zorz
