GuLoader

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.[1][2]

ID: S0561
Type: MALWARE
Platforms: Windows
Contributors: Eli Salem, @elisalem9
Version: 2.0
Created: 11 January 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GuLoader can use HTTP to retrieve additional binaries.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

GuLoader can establish persistence via the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

GuLoader can download further malware for execution on the victim's machine.[2]

Enterprise T1106 Native API

GuLoader can use a number of different APIs for discovery and execution.[2]

Enterprise T1566 .002 Phishing: Spearphishing Link

GuLoader has been spread in phishing campaigns using malicious web links.[1]

Enterprise T1055 Process Injection

GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.[2]

Enterprise T1204 .001 User Execution: Malicious Link

GuLoader has relied upon users clicking on links to malicious documents.[1]

.002 User Execution: Malicious File

The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call EnumWindows, and checking for Qemu guest agent.[2]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.[2]

Enterprise T1102 Web Service

GuLoader has the ability to download malware from Google Drive.[2]

References