Severity
High
Analysis Summary
GuLoader is currently being distributed through spam email campaigns whose archived attachments contain the malware. Most of the payloads GuLoader downloads are commodity malware, with AgentTesla, FormBook, and NanoCore the most prevalent. The downloader typically hosts its encrypted payloads on Google Drive, and has also fetched them from Microsoft OneDrive and from compromised or attacker-controlled websites. By using legitimate file-sharing services, GuLoader evades network-based detection, since traffic to these services is generally neither filtered nor inspected in corporate environments. The downloaded payloads are usually encrypted with a hard-coded XOR key embedded in the malware, which makes it difficult for the file-sharing providers to recognize the payload as malicious. In this campaign, the GuLoader shellcode injector is distributed in a file named “EXTERNAL RFPPAN India Epoxy/PU 2021”. The scope of the campaign so far appears to be global. In its latest campaign, GuLoader drops AgentTesla, a stealer known for harvesting data from a variety of applications on the victim workstation, including browsers, FTP clients, and file downloaders.
Researchers recently identified GuLoader being delivered to Korean corporate users. GuLoader is a downloader that has been widely circulated in the past to deliver a range of other malware. The phishing email carries an HTML file as its attachment.
GuLoader is disguised with a Word icon, and 600 MB of null bytes are appended to the end of the file, inflating its size.
Before injecting its malicious code, the loaded GuLoader starts the legitimate executable “C:\program files\internet explorer\ieinstal.exe” and injects into that process. The injected process then attempts to download additional malware by connecting to the URLs listed in the indicators below.
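The 600 MB null-byte padding described above is cheap for a triage script to measure. The following is an added example, not code from the advisory or its authors: it reads a file backwards in chunks (so a padded sample is never loaded whole), counts the trailing run of 0x00 bytes, and flags files where that run dominates the file; the thresholds and the constructed sample file are assumptions.

```python
"""Triage check for trailing null-byte padding (the 600 MB technique above)."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size (assumption, tune as needed)


def trailing_null_bytes(path, chunk=CHUNK):
    """Return the number of consecutive 0x00 bytes at the end of `path`."""
    size = os.path.getsize(path)
    count = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            block = fh.read(step)
            stripped = block.rstrip(b"\x00")
            count += len(block) - len(stripped)
            if stripped:  # a non-null byte ends the padding run
                break
    return count


def assess_padding(path, min_padding=50 * 1024 * 1024, min_ratio=0.9):
    """Flag a file whose trailing null run is large both in bytes and as a share of the file.

    Thresholds are assumptions for triage, not values from the advisory.
    """
    size = os.path.getsize(path)
    nulls = trailing_null_bytes(path)
    ratio = nulls / size if size else 0.0
    return {
        "size": size,
        "trailing_nulls": nulls,
        "ratio": round(ratio, 3),
        "suspicious": nulls >= min_padding and ratio >= min_ratio,
    }


def make_sample(payload_len=4096, padding_len=64 * 1024 * 1024):
    """Write a constructed stand-in: a null-free fake header followed by padding."""
    payload = (b"MZ" + bytes(range(1, 256)) * 17)[:payload_len]  # constructed, not malware
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
        fh.write(b"\x00" * padding_len)
    return path


if __name__ == "__main__":
    sample = make_sample()
    print(assess_padding(sample))
    os.remove(sample)
```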
Impact
- Malware Installation
- Detection Evasion
- Information Theft
Indicators of Compromise
MD5
- 9227aca78ee90c18f87597516a28b091
SHA-256
- 9c3c22d2e0ead96a99d68c2228ed8a98afd0fd288c7eb9b4d443e34a4d49a57e
SHA-1
- a987e8cbe235b889c6a1b1aa9a4cec689024b8a3
URL
- http[:]//45[.]137[.]117[.]184/Files_For_Potosinos/Doc_Scan[.]zip
- http[:]//45[.]137[.]117[.]184/riBOkPd173[.]mix
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Maintain daily backups of all computer networks and servers.
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.