GuLoader – Sophisticated Malware Loader

Summary

GuLoader is a malware loader built around detection evasion: it uses polymorphic code and encrypted payloads to hide from antivirus engines and sandboxes, and its job is to fetch and run other malware, so an infection rarely ends with the loader itself. That combination makes it a significant risk to organizations and individuals alike.

Highlights

  • GuLoader can dynamically alter its own structure (polymorphism), so signature-based antivirus and intrusion detection systems have no stable pattern to match.
  • It is distributed through malicious SVG files attached to e-mails.
  • SVG is an XML-based vector image format that supports interactivity and animation; that support includes embedded JavaScript (script elements and on* event attributes), which runs when the file is opened directly in a browser. Mail filters that treat SVG as a plain image miss this.
  • Opening the SVG file (which a browser renders) triggers the download of a ZIP archive containing a Windows Script File (WSF).
  • When the user runs the WSF, the script connects to an attacker-controlled domain and executes the content hosted there, so the attachment itself carries only the first stage.
  • That hosted content delivers shellcode, which is injected into the legitimate MSBuild.exe process so the loader's later actions run under a signed Microsoft binary rather than a suspicious new executable.
  • GuLoader is a loader, not the final payload: it downloads and deploys other malware variants.
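The delivery chain above (SVG attachment, embedded script, dropped ZIP, WSF member) can be triaged at a mail gateway or by a SOC analyst with a few structural checks, because SVG is XML and ZIP is a listable container. The following is an added example written for this page; it is not code from McAfee, Unit 42 or CrowdStrike. The indicator patterns, the script-extension list, the function names and the sample attachments are constructed assumptions.

```python
"""Heuristic triage for the SVG -> ZIP -> WSF delivery chain described above.
Added example for this page, not code from McAfee, Unit 42 or CrowdStrike. The
indicator patterns, extension list and sample attachments are constructed.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Script-host extensions treated as executable ZIP members. The page names only
# .wsf; the rest are an assumption covering related WSH/HTA file types.
SCRIPT_EXTENSIONS = (".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta")

# JavaScript calls typically used to turn an embedded base64 blob into a file
# download from inside an SVG (assumed indicator set, not taken from the page).
DROPPER_PATTERNS = {
    "atob()": re.compile(r"\batob\s*\("),
    "new Blob()": re.compile(r"\bnew\s+Blob\s*\("),
    "URL.createObjectURL()": re.compile(r"\bURL\.createObjectURL\s*\("),
    "anchor .download": re.compile(r"\.download\s*="),
    "application/zip MIME": re.compile(r"application/zip"),
}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return reasons an SVG looks weaponised; an empty list means none found."""
    # ElementTree is fine for a demo; scan untrusted mail at scale with defusedxml.
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings: list[str] = []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":  # inline script runs when a browser renders the file
            findings.append("embedded <script> element")
            hits = [n for n, pat in DROPPER_PATTERNS.items() if pat.search(el.text or "")]
            if hits:
                findings.append("dropper-style JS: " + ", ".join(hits))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):  # onload=, onclick=, ... also execute script
                findings.append(f"<{tag}> carries event handler {name}")
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"<{tag}> {name} is a javascript: URL")
    return findings


def zip_findings(zip_bytes: bytes) -> list[str]:
    """Flag archive members with script extensions (the WSF stage of the chain)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        return [f"unreadable ZIP: {exc}"]
    return [f"script member: {n}" for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Dispatch on extension or magic bytes; an empty result means no indicator."""
    lower = filename.lower()
    if lower.endswith(".svg") or b"<svg" in data[:512]:
        return svg_findings(data)
    if lower.endswith(".zip") or data.startswith(b"PK\x03\x04"):
        return zip_findings(data)
    return []


# Constructed samples (harmless): a plain icon and an SVG that mimics the chain.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
<script><![CDATA[
function run(){  // the base64 below is a placeholder, not a real archive
  var blob = new Blob([atob("QUJDREVG")], {type: "application/zip"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob); a.download = "Invoice.zip"; a.click();
}
]]></script></svg>"""


def build_sample_zip() -> bytes:
    """Constructed ZIP with one WSF member, standing in for the dropped archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.wsf", "<job><script language='JScript'></script></job>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("logo.svg", BENIGN_SVG), ("invoice.svg", MALICIOUS_SVG),
                       ("invoice.zip", build_sample_zip())):
        print(name, "->", triage_attachment(name, blob) or ["clean"])
```

The checks key on structure (a script element, on* event attributes, javascript: URLs, a script-type member inside the archive) rather than on a byte signature, which is the part of the chain polymorphism cannot change. The dropper-pattern list is only a heuristic and will miss obfuscated script, so treat its output as a triage aid that earns the attachment a sandbox detonation, not as a verdict.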

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/

https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/

https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/