
Gelup

Posted: July 5, 2019

Gelup is a Trojan downloader that introduces other threats to your computer. Gelup's usage corresponds to campaigns by TA505, a threat actor that favors infection methods abusing e-mail attachments and links. Users should isolate infected systems from the rest of their network, disable Internet connections, and use dedicated anti-malware products for deleting Gelup and its payload safely.

Gelup Trojans are Getting Up in Your Network's Business

Intermediary black hat software that escalates the severity of an infection or security breach is a critical element in well-organized attacks against non-government organizations, government networks, and enterprise-level businesses. TA505, a profit-motivated threat actor that, among other criminal behavior, encrypts files and ransoms their decryption, is notably reworking its delivery mechanisms across different campaigns. At least one series of attacks in the summer of 2019, against multiple countries in Asia, uses Gelup as the chosen program for introducing new threats.

Many of Gelup's features are under-the-hood obfuscation, stealth, and loading techniques intended to keep the Trojan downloader from being detected by threat-analysis software. It uses DLL 'side loading,' like China's ANEL, identifies characteristics of a traditional analysis environment (such as a sandbox), and resolves its API calls by hash, among many other defenses. It also sidesteps the UAC prompts that could alert users by faking 'trusted' directory paths.

Gelup's offensive side is comparatively traditional and does little other than download any additional threats that TA505 specifies. Its campaigns use it as a deployment method for FlawedAmmyy, a Remote Access Trojan that grants hackers generous access to the system. This RAT offers remote desktop control, file-related actions like deleting or opening content, and a hidden proxy server, all of which make it suitable for facilitating the theft of sensitive information, sabotage, or the ransoming of media.

Banishing a Trojan Rework to Other Horizons

While it has a sufficient body of new code to be worth labeling as a new threat in its own right, Gelup also borrows numerous elements from old ones. Many of its functions are recycled from the old Andromeda, while its loader is one that TA505 also uses for other threats, including FlawedAmmyy. The introduction of Gelup into their campaigns marks an 'extra step' that could serve obfuscation purposes, keeping their attacks under the radar of security tooling.

Past Gelup attacks targeted Argentina, the Philippines, and Japan, although TA505 regularly adds other regions of the world to its victim list. More consistent, however, is the first infection step, which nearly universally involves e-mail phishing lures or spam. These messages trick users into opening corrupted Excel spreadsheets, Word documents, and similar content. The download is triggered through embedded exploits that usually involve abusing macros that the victim enables.
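Because the first infection step relies on macro-laden Office attachments, a mail gateway or analyst triage script can flag such files before anyone enables a macro. The following is an added example (not code from the original page or from any TA505 tooling) that inspects an attachment in memory: modern OOXML files (.docm, .xlsm and similar) are zip containers in which a VBA project appears as a vbaProject.bin part and is declared in [Content_Types].xml, while legacy OLE (.doc/.xls) files are only flagged for separate review. The sample workbooks it builds are constructed placeholders, not real lures.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound-file header
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def macro_indicators(data: bytes) -> dict:
    """Classify an Office attachment and list the parts that carry VBA macros.

    Returns {"format": 'ooxml' | 'ole' | 'other', "macro_parts": [...]}.
    Legacy OLE containers need a dedicated parser (e.g. oletools' olevba),
    so they are only flagged for manual review here.
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "ole", "macro_parts": ["<legacy OLE container: inspect separately>"]}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "other", "macro_parts": []}
    parts = []
    with zf:
        names = zf.namelist()
        # A stored VBA project is the strongest indicator of an enabled-macro lure.
        parts.extend(n for n in names if n.lower().endswith("vbaproject.bin"))
        # The package manifest must also declare the VBA content type for Office to load it.
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            parts.append("[Content_Types].xml declares vbaProject")
    return {"format": "ooxml", "macro_parts": parts}


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed minimal OOXML workbook for testing (placeholder, not a real document)."""
    ct = (b'<?xml version="1.0"?>'
          b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          b'<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-'
          b'officedocument.spreadsheetml.sheet.main+xml"/>')
    if with_macro:
        ct += b'<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    ct += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "clean", macro_indicators(build_sample_workbook(flag)))
```

Any non-empty macro_parts result is a reason to quarantine the attachment for analysis rather than deliver it; a clean OOXML file yields an empty list.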

Disconnecting from the Internet can stop a remote attacker from abusing Gelup and its payload to conduct further attacks, and is integral to the disinfection process. Malware experts recommend the use of relevant anti-malware tools, ideally with recently updated databases, for uninstalling Gelup, which is a system-persistent threat.

Gelup is the Trojan equivalent of a milkman coming to your door, but with poison instead of a morning beverage. Refusing it by learning to recognize the disguises in an e-mail phishing attack is one of many precautions that everyone should embrace.
