By Brad Haas, Cofense Intelligence

There’s a new malware delivery mechanism in town, and it’s competing in volume with the most tried-and-true delivery methods like malicious Microsoft Office macros.

GuLoader, a small but dangerously sophisticated loader, emerged early this year and rapidly became one of the most popular delivery mechanisms, used by numerous threat actors to deliver a wide assortment of malware. Its popularity can be explained by its simplicity and sophistication—it is both easy to use and extremely effective, designed to evade multiple security measures and then download and execute malware while going undetected. A recent report indicates that it is sold openly, making it easier for threat actors to obtain. As long as GuLoader is profitable, its authors will have an incentive to continue to improve it, making it a potential long-term threat.

GuLoader’s Meteoric Rise

GuLoader was first seen in the wild near the beginning of 2020. As discussed in the Cofense Q2 2020 Phishing Review, it surged in popularity during the second quarter, particularly in the month of May. Several other delivery mechanisms dropped off almost entirely as GuLoader increased. It became nearly as common as each of the Microsoft Office document delivery mechanisms, CVE-2017-11882 and Office macros, which have been dominant for months. GuLoader is most commonly used to deliver remote administration tools, but has also been observed delivering keyloggers, credential stealers, and other types of malware.

Figure 1: During May 2020, GuLoader was briefly the most popular delivery mechanism.

Why GuLoader?

The most successful delivery mechanisms go undetected as they arrive in a victim’s inbox. This is likely why Office documents remain so popular; they are less obviously malicious than executable binary or script files. GuLoader is an executable file, but it uses sophisticated techniques (discussed below) to go unnoticed during delivery and during its execution. GuLoader has also been changed and updated with new features over time, making it increasingly useful as a delivery mechanism.

Advanced Evasion Features

GuLoader uses advanced techniques at every stage of execution to try to evade network, email, and host-based security technology:

  • Email attachment scanning: Obfuscation and encryption hide GuLoader’s actual functions. Without executing at least a portion of it, an antivirus product cannot detect what it does.
  • Dynamic or sandbox analysis: GuLoader contains false code instructions designed to thwart analysis tools and a wide array of tricks to avoid executing in virtual or sandbox environments.
  • Domain and network controls: Threat actors using GuLoader store their malicious payloads on cloud platforms like Google Drive and Microsoft OneDrive. These platforms are often treated as trusted assets in every organization and thus are not frequently subjected to comprehensive analysis or blocking.
  • Network-based scanning: Each malicious payload is encrypted with a key unique to its campaign, so neither the cloud services nor a network traffic analyzer is able to tell what it is.
  • Endpoint security products: GuLoader can start up legitimate Windows programs and inject itself into their memory space, giving the malicious payload cover from endpoint analysis.
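The third and fourth points above (payloads staged on Google Drive or OneDrive and encrypted with a per-campaign key) give a defender one usable signal: the download comes from a trusted file-sharing host but carries no recognizable file header and looks like uniform random bytes. The following added triage heuristic is example code written for this post, not Cofense's or any vendor's tooling; the host list, magic-byte table, entropy threshold and sample bodies are all assumptions, and the check assumes the encryption leaves no known header and a near-uniform byte distribution, so a weakly encrypted blob may fall below the threshold.

```python
"""Triage heuristic: flag opaque, high-entropy downloads from cloud file-sharing hosts."""
import math
from urllib.parse import urlparse

# Assumption: hosts named in the post as payload-staging platforms (not an exhaustive list).
CLOUD_SHARE_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}

# Assumption: a small magic-byte table; a body matching none of these is treated as opaque.
KNOWN_MAGIC = {
    b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means a uniform byte distribution (typical of encrypted data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_type(data: bytes):
    """Return the name of the first matching magic header, or None if the body is opaque."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage_download(url: str, body: bytes, min_entropy: float = 7.0) -> dict:
    """Combine the two signals: trusted-share origin AND opaque, high-entropy content."""
    host = (urlparse(url).hostname or "").lower()
    from_cloud_share = host in CLOUD_SHARE_HOSTS or host.endswith(".sharepoint.com")
    ftype = file_type(body)
    entropy = shannon_entropy(body)
    opaque = ftype is None and entropy >= min_entropy
    return {"host": host, "cloud_share": from_cloud_share, "type": ftype,
            "entropy": round(entropy, 2), "suspicious": from_cloud_share and opaque}


if __name__ == "__main__":
    # Constructed sample bodies: a uniform-byte blob standing in for an encrypted payload,
    # and a benign-looking PDF fetched from the same kind of host.
    print(triage_download("https://onedrive.live.com/download?cid=X", bytes(range(256)) * 4))
    print(triage_download("https://drive.google.com/uc?id=X", b"%PDF-1.4 sample document"))
```

A real deployment would feed this from proxy or sandbox captures and treat a hit as a triage lead rather than a verdict, since legitimate encrypted archives from the same hosts will also trip it.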

Figure 2: Shipping-themed phish with GuLoader in an ISO attachment

Cofense Intelligence customers can find more details and associated indicators of compromise in our 23 July 2020 Strategic Analysis. Not a customer? Learn how our phishing alerts help mitigate today’s dynamic threats.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.