Rewterz Threat Alert – GuLoader Downloader Deploying RATS and Infostealers

Severity

High

Analysis Summary

GuLoader is a downloader written partly in Visual Basic 6 and originally seen being used to deliver Parallax RAT. Multiple threat actors are currently using it to download a variety of RATs and information stealers. The executable is typically delivered either embedded in an ISO or RAR file or via direct download from cloud hosting platforms, such as Google Drive or Microsoft OneDrive. Once downloaded, the VB6 wrapper decrypts the shellcode that provides the main functionality. In order to do this while making analysis more difficult, the loader leverages sophisticated injection techniques. Once decrypted, the shellcode downloads a PE executable from a remote URL with a filename in the pattern of “_encrypted_XXXXXX.bin” where “XXXXXXX” are hexadecimal digits. The downloaded file is XOR-encoded with a XOR key stored in the GuLoader shellcode. Examples of dropped payloads include Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.

Impact

• Unauthorized Remote Access
• System Takeover
• Credential Theft
• Command Execution
• Information Theft 

Indicators of Compromise

Domain Name

• droptop1[.]com
• droptop2[.]com
• droptop3[.]com
• droptop4[.]com
• droptop5[.]com
• droptop6[.]com
• droptop7[.]com
• droptop8[.]com
• droptop9[.]com
• droptop10[.]com

MD5

• 913fc7a8a80e209997ad142ffce2d619
• b5479869c1ae14084526161cc002036c

SHA-256

• e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e
• 26f7bfe041a3d8a2b620d0ed2af4e2ef54b004202ec479362939b9154b1c8758

Source IP

185[.]140[.]53[.]134

URL

• https[:]//drive[.]google[.]com/uc?export=download&id=1N8gVOM5p8Ubm1HwolChxHidT7YoN29EE
• https[:]//drive[.]google[.]com/uc?export=download&id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi

Remediation

• Block the threat indicators at their respective controls.
• Do not download unnecessary files from any source, whether emails or cloud hosting platforms.