GuLoader Detection: Malware Targets U.S. Financial Organizations via Phishing Emails

[post-views]
April 14, 2023 · 4 min read
GuLoader Detection: Malware Targets U.S. Financial Organizations via Phishing Emails

With the tax season in full swing, threat actors are setting eyes on financial organizations. According to the latest cybersecurity reports, U.S. accounting firms and other financial institutions have fallen prey to a series of adversary campaigns spreading GuLoader malware since March 2022. Threat actors spread the GuLoader malicious samples by leveraging a phishing attack vector and a tax-themed lure.

Detect GuLoader Attacks

Taking advantage of the tax season, threat actors attempt to rely on a combination of sophisticated attacks and social engineering to lure victims and access valuable financial data. To secure critical organizational assets and timely identify possible intrusions, security practitioners require a trusted source of detection content. 

SOC Prime’s Detection as Code Platform offers a batch of Sigma rules to detect the latest GuLoader modification, a nasty malware downloader leveraging tax baits to target financial institutions in the U.S.:

Possible GuLoader Persistence by Modifying Registry to Retrieve Property Value (via registry_event)

This rule, written by our keen Threat Bounty developer Nattatorn Chuensangarun detects suspicious GuLoader malware activity by modifying the registry run key through executing a PowerShell command that retrieves the property value. The detection is compatible with 20 SIEM, EDR, and XDR solutions and is aligned with the MITRE ATT&CK® framework addressing the Defense Evasion tactic, with Modigy Registry (T1112) as the corresponding technique.

Suspicious GuLoader Malware Execution by Detection of Associated Commands Targeting Financial Sector (via ps_script)

The second Sigma rule, written by our prolific Threat Bounty developer Onur Atali, detects suspicious commands used by GuLoader malware to execute malware functionality. The detection algorithm can be applied across 16 industry-leading security analytics platforms and is mapped to ATT&CK, addressing the Execution tactic along with the Command and Scripting Interpreter (T1059) technique. 

Both aspiring and seasoned cybersecurity professionals are welcome to join the SOC Prime Threat Bounty Program to write and share detection content with industry peers while enriching collective intelligence and monetizing their content contributions. 

With the rapid evolution of GuLoader malware and its enhanced detection evasion techniques, progressive organizations are striving to hone their defensive capabilities to timely identify the infection. Click the Explore Detections button to reach the entire detection stack for GuLoader malware, along with MITRE ATT&CK references, CTI links, and more relevant metadata. 

Explore Detections

GuLoader loader malware, also known as CloudEyE, has been observed in recent adversary campaigns targeting the U.S. financial sector. In these attacks, threat actors apply tax-themeв phishing lures to spread the malware samples.

GuLoader is considered one of the most sophisticated loaders leveraging a set of anti-analysis and detection evasion techniques. The loader is also capable of delivering other malicious samples, like infostealers and RATs. For instance, with a growing number of phishing attacks during the COVID-10 pandemic, GuLoader was used to deploy the FormBook Trojan on the compromised systems. The most recent GuLoader iteration applies obfuscated VBS and PowerShell to drop additional malware samples, like Remcos RAT. Code injection into a legitimate process enables threat actors to bypass antivirus tools and other security protection utilities, posing a challenge to cyber defenders. 

The investigation by eSentire’s Threat Response Unit sheds some light on the ongoing GuLoader malware campaigns exploiting the phishing attack vector. The attacks first observed in early spring 2022 during a tax season apply a phishing email to trigger the infection chain. The malicious email contains a lure link to Adobe Acrobat, which enables the targeted users to download a password-protected file archive. The latter comes with a decoy image and an LNK file masquerading as a PDF document, which can lead to deploying additional payloads on the compromised systems using PowerShell. 

Once installed, GuLoader achieves persistence using Registry Run Keys. The successfully installed malware gives adversaries the green light to fully compromise the targeted system and further launch additional malware campaigns.

Due to increasing volumes of phishing attacks, organizations are looking for ways to raise cybersecurity awareness and ensure the systems have up-to-date anti-virus software installed along with other security protection tools. Explore SOC Prime’s extensive knowledge base, searchable and updated at sub-second performance, to explore the entire list of Sigma rules for phishing attack detection, with all the detections automatically convertible to 27+ SIEM, EDR, and XDR solutions and enriched with actionable cyber threat context.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts