| GuLoader | |
|---|---|
| Type of Malware | Dropper |
| Date of Initial Activity | 2021 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Associated Tools | Formbook |
| Targeted Systems | Windows |
Overview
GuLoader is a well-known and increasingly sophisticated shellcode-based downloader that has become a significant tool in the hands of cybercriminals, enabling the distribution of a variety of highly malicious payloads. Over the past few years, GuLoader has evolved, continually bypassing traditional security measures and eluding detection by antivirus solutions. Initially implemented as a VB6 application, GuLoader’s design has since transformed, incorporating more advanced techniques like anti-debugging and sandbox evasion. These upgrades have made it exceedingly difficult to analyze and thwart its operations. Its most recent versions utilize cloud storage services, such as Google Drive, to host encrypted payloads, giving threat actors the ability to distribute malware undetected for extended periods.
The core functionality of GuLoader is to deliver and execute malicious payloads without leaving traces on the infected machine’s hard drive. This is achieved through a combination of encrypted shellcode and a loader that pulls the payload from a remote server, decrypts it in memory, and then runs it. GuLoader’s use of these cloud-based storage solutions to host payloads offers it a significant advantage by avoiding traditional detection methods that focus on local file analysis. Furthermore, its integration of anti-analysis features, such as obfuscation techniques and complex control flow manipulation, ensures that the malware remains difficult to analyze even by experienced cybersecurity researchers.
Targets
Information
How they operate
At its core, GuLoader is a downloader that utilizes social engineering tactics, such as phishing emails, to distribute its payload. Typically, these emails contain malicious attachments or links, often disguised as legitimate files or documents. When a user interacts with these files, they unwittingly trigger the download and execution of GuLoader. This marks the beginning of the infection cycle. The malware is often embedded within a Visual Basic Script (VBS) or a similarly obfuscated file, which, once executed, acts as the initial vector to retrieve the main payload.
Once executed, GuLoader contacts its command and control (C2) server, typically over HTTPS, so that the exchange looks like ordinary web traffic and is less likely to be flagged by network security defenses. It then downloads the payload, which is usually encrypted or obfuscated to avoid being flagged by antivirus software. One of GuLoader’s key characteristics is that it loads the payload entirely in memory, without writing it to disk. This memory-based execution is significantly harder to detect with traditional file-based security tools, which rely on file system monitoring to identify malicious artifacts.
Once the payload has been downloaded and decrypted, GuLoader executes it in memory, leaving no trace of the malware on the system’s hard drive. This technique is known as fileless execution and is widely used by advanced persistent threats (APTs) to avoid detection. The payload, which could be anything from information stealers like Formbook and Lokibot to ransomware, then takes control of the system according to its specific function. Where the payload is a ransomware strain, it encrypts the victim’s files and demands a ransom for their decryption.
To ensure persistence, GuLoader often modifies the system’s registry settings or uses other techniques to make sure the malware remains active even after the system is rebooted. This enables it to continue downloading and executing additional payloads or maintain control of the system over an extended period. GuLoader also employs various anti-analysis techniques to avoid being detected by security researchers and sandbox environments. These techniques include using anti-debugging methods, obfuscating its code, and avoiding suspicious behavior patterns that could trigger alarms in virtualized environments.
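The chain described in the preceding paragraphs (script host launched from a phishing attachment, download from a trusted cloud host, then an autorun registry write) is what a detection engineer would want to correlate rather than alert on piecemeal. The following is an added example written for this page, not code from the original page and not GuLoader's own code. The event field names (`ts`, `type`, `pid`, `image`, `parent_image`, `cmdline`, `dest_host`, `key`) are assumptions loosely modelled on Sysmon process-create, network-connect and registry events, the sample events are constructed, and the host and parent-process lists are illustrative rather than authoritative.

```python
"""Correlate constructed endpoint telemetry into the staged chain described above.

Added example for detection engineering; not code from the original page and not
GuLoader's code. Event field names are assumed (loosely modelled on Sysmon event
IDs 1, 3 and 13); all events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one suspicious chain (pid 4001) plus benign noise (pid 5002).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "type": "process", "pid": 4001, "ppid": 3000,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_2024.vbs"'},
    {"ts": "2024-05-01T09:00:04", "type": "network", "pid": 4001,
     "dest_host": "drive.google.com", "dest_port": 443},
    {"ts": "2024-05-01T09:00:09", "type": "registry", "pid": 4001,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs"},
    # Benign: a logon script launched by Explorer that talks to an internal file server.
    {"ts": "2024-05-01T09:05:00", "type": "process", "pid": 5002, "ppid": 3100,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon_map_drives.vbs"'},
    {"ts": "2024-05-01T09:05:01", "type": "network", "pid": 5002,
     "dest_host": "fileserver.corp.local", "dest_port": 445},
]

# Illustrative lists (assumptions); tune them to the environment being monitored.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
DELIVERY_PARENTS = ("outlook.exe", "winword.exe", "excel.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe")
USER_WRITABLE_HINTS = (r"\appdata\local\temp", r"\downloads", r"\appdata\roaming")
CLOUD_STORAGE_HOSTS = ("drive.google.com", "docs.google.com",
                       "onedrive.live.com", "dropbox.com")
AUTORUN_KEY_FRAGMENT = r"\currentversion\run"
WINDOW = timedelta(minutes=5)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_launch(ev):
    """Stage 1: a script host started by a mail client, Office app or browser,
    running a script that lives in a user-writable location."""
    if ev["type"] != "process":
        return False
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and _basename(ev["parent_image"]) in DELIVERY_PARENTS
            and any(h in ev["cmdline"].lower() for h in USER_WRITABLE_HINTS))


def correlate(events, window=WINDOW):
    """Group events by pid. For each pid whose first suspicious launch is followed
    within `window` by a cloud-storage connection (stage 2) and/or an autorun
    registry write (stage 3), return one finding listing the stages observed."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        launch = next((e for e in evs if is_suspicious_launch(e)), None)
        if launch is None:
            continue
        t0 = datetime.fromisoformat(launch["ts"])
        stages = {"suspicious_script_launch"}
        for e in evs:
            if not t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window:
                continue
            if e["type"] == "network" and e["dest_host"].lower().endswith(CLOUD_STORAGE_HOSTS):
                stages.add("cloud_storage_download")
            if e["type"] == "registry" and AUTORUN_KEY_FRAGMENT in e["key"].lower():
                stages.add("autorun_persistence")
        findings.append({"pid": pid, "script": launch["cmdline"],
                         "stages": sorted(stages), "score": len(stages)})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid {f['pid']} score {f['score']}/3: {f['stages']}\n  {f['script']}")
```

The score is the number of stages seen for one process; a full 3/3 is worth paging on, while a lone stage 1 from a browser-spawned script host is a common enough false positive that it is better surfaced as a low-priority hunt lead. Keying on the pid is a simplification: real loaders frequently inject into or spawn a child process, so a production rule would also follow the process tree.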
The malware’s ability to adapt, disguise its actions, and execute payloads entirely within memory makes it a potent threat. Its modular design allows attackers to customize the final payload based on the victim’s environment, further enhancing its effectiveness. By leveraging legitimate services such as cloud storage and encrypted communications, GuLoader can evade traditional detection mechanisms and remain a persistent threat to both individual and organizational security. As a downloader, it plays a critical role in many cyberattacks, facilitating the deployment of more damaging and disruptive malware payloads.
GuLoader’s technical sophistication highlights the increasing complexity of modern cyberattacks, where malware is designed not just to compromise systems but to evade detection at every possible stage of the infection process. The use of cloud-based services, fileless execution, and sophisticated evasion tactics makes GuLoader a formidable tool in the arsenal of cybercriminals.
MITRE Tactics and Techniques
Initial Access (T1071: Application Layer Protocol)
GuLoader often uses cloud storage services like Google Drive to host its payloads. By leveraging common and trusted cloud platforms, it avoids detection by traditional security measures, making it easier to deliver malicious payloads to targeted systems without triggering alarms.
Execution (T1203: Exploitation for Client Execution)
GuLoader relies on social engineering tactics, such as phishing emails with malicious attachments or links, to exploit vulnerabilities and trigger the download and execution of its payload. This allows the malware to execute on the victim’s machine once the user is duped into interacting with the file.
Persistence (T1547: Boot or Logon Autostart Execution)
Once GuLoader delivers its payload, the malware may establish persistence on the system by modifying registry keys or using other techniques to ensure that it is executed again upon system reboot or user login.
Defense Evasion (T1070: Indicator Removal on Host)
GuLoader utilizes evasion techniques to avoid detection by security software. This includes encryption of the payload, using shellcode to avoid storing malicious files on disk, and employing anti-analysis features such as sandbox evasion and obfuscation to make it difficult for security tools to flag the attack.
Credential Dumping (T1003: Credential Dumping)
Some payloads delivered by GuLoader, such as Formbook or Lokibot, are designed to capture sensitive information, including login credentials. Once executed, these payloads are capable of extracting stored passwords and other sensitive data from the system.
Command and Control (T1071.001: Application Layer Protocol: Web Protocols)
GuLoader communicates with remote servers to fetch its payloads. This communication typically occurs over HTTPS, using application layer protocols, ensuring that the traffic blends in with normal web traffic and evades network-based detection methods.
Exfiltration (T1041: Exfiltration Over C2 Channel)
In some cases, the payloads delivered by GuLoader may include exfiltration capabilities, where data is siphoned from the infected machine back to the attacker’s server. This can include sensitive files, system information, or captured credentials.
Impact (T1486: Data Encrypted for Impact)
GuLoader can serve as an initial stage in the deployment of ransomware payloads. Once a payload like a ransomware strain is executed, the attacker can encrypt the victim’s data, demanding a ransom for decryption.
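The Persistence entry above, like the earlier "How they operate" paragraph on registry changes, describes Run-key autostart entries. A responder working a suspected host will usually have a registry export rather than live telemetry, so the following added example audits Run/RunOnce values from an exported `.reg` file. It is not code from the original page and not GuLoader's own code; the export text is constructed in the format `reg export` writes, and the scoring heuristics (script hosts, script file extensions, encoded or hidden PowerShell flags, user-writable paths) are assumptions about what deserves analyst attention, not a definitive indicator list.

```python
"""Audit Run/RunOnce entries from a registry export for the persistence pattern above.

Added example for incident response; not code from the original page and not
GuLoader's code. The export text is constructed, in the format `reg export` writes,
and the heuristics below are assumptions about what deserves analyst attention.
"""
import re

# Constructed sample export (not from a real host): two legitimate-looking entries,
# one script-host launcher in a user profile path, one encoded PowerShell command.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe \"C:\\Users\\alice\\AppData\\Roaming\\upd.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svc"="powershell.exe -w hidden -enc AAAA"
'''

# "name"="value" lines; the value keeps .reg escapes (\\ and \") until _unescape runs.
REG_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>(?:[^"\\]|\\.)*)"\s*$')
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Illustrative heuristics (assumptions), lower-cased to match the lower-cased command.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "regsvr32.exe", "rundll32.exe")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|hta|ps1)\b")
ENCODED_OR_HIDDEN = re.compile(r"\s-(e|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden")


def _unescape(value):
    # .reg escapes are backslash + one char (\\ -> \, \" -> "); one pass handles both.
    return re.sub(r"\\(.)", r"\1", value)


def parse_autoruns(export_text):
    """Return [{key, name, command}] for every string value under a Run/RunOnce key."""
    entries, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_LINE.match(line)
        if m and key and AUTORUN_KEY.search(key):
            entries.append({"key": key, "name": m["name"],
                            "command": _unescape(m["value"])})
    return entries


def _first_token(cmd):
    # Executable is either the quoted first token or everything up to the first space.
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def assess(entry):
    """Attach reasons and a severity (high/medium/low) to one autorun entry."""
    cmd = entry["command"].lower()
    exe = _first_token(cmd).rsplit("\\", 1)[-1]
    high, reasons = False, []
    if exe in SCRIPT_HOSTS:
        high = True
        reasons.append(f"launched through script/LOLBin host {exe}")
    if SCRIPT_FILE.search(cmd):
        high = True
        reasons.append("points at a script file")
    if ENCODED_OR_HIDDEN.search(cmd):
        high = True
        reasons.append("encoded or hidden PowerShell arguments")
    writable = any(h in cmd for h in USER_WRITABLE)
    if writable:
        reasons.append("references a user-writable path")
    severity = "high" if high else "medium" if writable else "low"
    return {**entry, "severity": severity, "reasons": reasons}


def audit(export_text):
    """Parse and assess every autorun entry, most severe first (stable order within a tier)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(e) for e in parse_autoruns(export_text)),
                  key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for r in audit(SAMPLE_REG_EXPORT):
        print(f"[{r['severity']:6}] {r['key']}\\{r['name']}: {r['command']}")
        for reason in r["reasons"]:
            print(f"         - {reason}")
```

The output is a triage list, not a verdict: the constructed OneDrive entry is rated medium purely because it runs from a profile directory, which is exactly where legitimate per-user installers put themselves, so the analyst still has to confirm signer and hash. Run a real export through it with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and read the file into `audit()`; note that `reg export` writes UTF-16, so open it with `encoding="utf-16"`.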