GuLoader

Posted: April 3, 2020

The GuLoader is a unique combination of a Trojan downloader and a loader that is capable of silently installing threatening malware on the computers it infects. It appears that several cybercrime organizations have started to use this piece of malware, and the GuLoader has been used to deliver Remote Access Trojans, cryptocurrency miners, backdoor Trojans and other high-profile cyber threats. The latest variants of GuLoader to be seen in the wild were programmed to deliver copies of the Parallax RAT and Remcos RAT.

Most of the attack campaigns are executed with the use of phishing emails that are disguised to look as if they contain important content such as an invoice, CV, document, receipt, leaflet, etc. Depending on the attackers' expertise, they may use one of the following tricks to obfuscate the payload:

  • Less advanced cybercrooks use a double extension since, by default, Windows hides known file extensions. So, for example, the file 'invoice.xlsx.exe' may appear as 'invoice.xlsx' – this may trick users into opening it without knowing that it is a potentially threatening executable.
  • Experts in the cybercrime field rely on decoy documents that come packed with a macro script that exploits vulnerabilities in Microsoft Office. For the script to work, users must click 'Enable Content' when viewing the document. If this condition is met, the script will be executed, and the GuLoader will be launched.
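The double-extension trick above can be caught before a user ever sees the attachment. The following is an added example, not code from the original page or from GuLoader: it flags a document-looking name that ends in an executable extension and, independently, checks whether the file content carries a PE header regardless of what the name claims. The extension lists and the sample bytes are constructed assumptions.

```python
"""Flag attachments that hide an executable behind a document-style name,
e.g. 'invoice.xlsx.exe' shown by Windows as 'invoice.xlsx' (added example)."""
import struct
from pathlib import PurePath

# Assumed lists: extensions a user expects to be harmless documents,
# and extensions that Windows will execute directly.
DOCUMENT_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions whose content is expected to begin with a PE header.
PE_EXTS = {".exe", ".dll", ".scr", ".sys"}


def double_extension_risk(name):
    """Return (document_ext, executable_ext) when the name uses the
    double-extension trick, else None. 'invoice.xlsx.exe' -> ('.xlsx', '.exe')."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if len(suffixes) < 2:
        return None
    doc, exe = suffixes[-2], suffixes[-1]
    if doc in DOCUMENT_EXTS and exe in EXECUTABLE_EXTS:
        return doc, exe
    return None


def looks_like_pe(data):
    """True if the bytes carry a PE header: 'MZ' at offset 0 and the
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_attachment(name, data):
    """Combine the name check and the content check into one verdict."""
    hit = double_extension_risk(name)
    pe = looks_like_pe(data)
    if hit and pe:
        return "block: document-named PE executable"
    if hit:
        return "suspicious: double extension"
    if pe and PurePath(name).suffix.lower() not in PE_EXTS:
        return "suspicious: PE content with non-executable extension"
    return "ok"


def fake_pe_bytes():
    """Constructed sample: minimal buffer with 'MZ' and a PE signature at 0x80."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)
```

Run `classify_attachment("invoice.xlsx.exe", fake_pe_bytes())` to see the blocking verdict; a real deployment would feed it each attachment's filename and first few hundred bytes.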

The original authors of the GuLoader have taken protective measures to shield their malware from analysis – GuLoader will abort its execution if it detects that a debugging tool is being used, or if it detects a virtual machine environment.

The most important step of the attack takes place last – GuLoader is able to use the so-called 'process hollowing' technique. Thanks to this ability, it can execute its corrupted code inside a legitimate process, therefore allowing it to evade less advanced security tools and measures. During this last step, GuLoader tries to connect to a series of Command and Control servers and fetch a payload that is meant to be executed on the compromised machine.

Although GuLoader is one of the more advanced Trojan downloaders currently in use, you can still protect your system from it with the use of an up-to-date and reliable anti-malware application.