The new GuLoader campaign targets US-based law firms

July 6, 2023
GuLoader Cybercrime Cyberattack Spear-Phishing US Law Firms Social Engineering

A new GuLoader campaign has emerged recently in the wild. Reports stated that the cybercriminal operation started last April and focuses on targeting United States-based organisations. The researchers claimed that the cyberattack prioritises American law firms, in addition to healthcare and investment companies.

Also known as the Cloudeye operation, GuLoader has been operating for over three years and has constantly increased its sophistication.

 

Nearly 50% of the GuLoader campaign has attacked law firms in the United States.

 

According to an investigation, law firms suffered the most GuLoader attacks, with 46% of the operation directed towards them. Healthcare and investment firms were also hit, but not as heavily as the legal sector.

The GuLoader attack starts with an emailed password-protected PDF, with the PIN provided by the sender. The PDF's content claims that it needs to be decrypted for viewing, a pretext that urges the recipient to click on an embedded icon.

However, once the recipient takes the bait, a PowerShell script decodes and runs a next-stage PowerShell script using the 32-bit version of PowerShell, since the GuLoader shellcode is a 32-bit payload. The second-stage command includes XOR-encoded strings responsible for downloading the GuLoader shellcode.

The GuLoader shellcode then downloads, decrypts, and injects the final payload into the ieinstal[.]exe process. Next, the attack chain downloads a decoy PDF that displays a "page not found" error while a remote access trojan runs discreetly in the background.
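The chain described above leaves a recognisable trail in endpoint process telemetry: a PDF reader launching PowerShell, 64-bit PowerShell handing off to the 32-bit copy under SysWOW64 with an encoded command, and ieinstal.exe appearing as a child of that 32-bit PowerShell and then talking to the network. The following is an added detection example, not code from the article or from any vendor; it runs over constructed, Sysmon-style JSON events whose field names (EventType, Image, ParentImage, CommandLine, DestinationIp) and PDF reader names are assumptions of this example, and it assumes the injection host ieinstal.exe is spawned by the 32-bit PowerShell rather than located some other way.

```python
"""Flag process/network events matching the GuLoader chain in the article.

Added illustrative detection logic; not the article's or any vendor's code.
Events are constructed inline in a simplified Sysmon-like shape (EventType 1 =
process creation, 3 = network connection); field names are an assumption.
"""
import json
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"EventType": 1,
                "ParentImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"}),
    json.dumps({"EventType": 1,
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"}),
    json.dumps({"EventType": 1,
                "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                "Image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
                "CommandLine": "ieinstal.exe"}),
    json.dumps({"EventType": 3,
                "Image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
                "DestinationIp": "203.0.113.10", "DestinationPort": 443}),
    json.dumps({"EventType": 1, "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe"}),  # benign control event
]

# On 64-bit Windows, System32 holds the 64-bit PowerShell and SysWOW64 the 32-bit one.
PS64 = re.compile(r"\\system32\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
PS32 = re.compile(r"\\syswow64\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
# Assumed PDF reader executable names for the stage-1 rule.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
# PowerShell accepts -EncodedCommand and its shortened prefixes.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, subject, detail) tuples for every event matching a stage."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        if ev["EventType"] == 1:
            # Stage 1: the lure PDF's embedded icon leads to PowerShell under the reader.
            if basename(parent) in PDF_READERS and (PS64.search(image) or PS32.search(image)):
                findings.append(("pdf_reader_spawned_powershell", parent, image))
            # Stage 2: 64-bit PowerShell pivots to 32-bit PowerShell with an encoded command.
            if PS64.search(parent) and PS32.search(image) and ENCODED_FLAG.search(cmd):
                findings.append(("x64_to_x86_powershell_pivot", parent, image))
            # Stage 3: 32-bit PowerShell starts ieinstal.exe, the injection host.
            if PS32.search(parent) and basename(image) == "ieinstal.exe":
                findings.append(("powershell_spawned_ieinstal", parent, image))
        elif ev["EventType"] == 3:
            # Stage 4: ieinstal.exe should not normally need outbound connections.
            if basename(image) == "ieinstal.exe":
                dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
                findings.append(("ieinstal_network_connection", image, dest))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {subject} -> {detail}")
```

Each rule is weak on its own (legitimate software occasionally runs the 32-bit PowerShell, and encoded commands have benign uses), so the value is in correlating two or more stages on the same host within a short window; the benign notepad event is included to show that ordinary parent/child pairs produce no finding.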

Microsoft last observed the most recent GuLoader campaign. The campaign has commonly employed the Remcos RAT as its primary weapon but sometimes uses GuLoader as its dropper.

The GuLoader malware developers constantly adopt diverse strategies to make analysis challenging for researchers and to complicate understanding of the malware's inner workings.

The GuLoader campaign has become a household name among phishing campaigns and is one of the most sophisticated cyberattacks organisations face today. Organisations could thwart such attacks by applying the published IOCs alongside their existing cybersecurity defences.
