GuLoader Malware Using Malicious NSIS Executable to Target E-Commerce Industry

February 6, 2023 | Ravie Lakshmanan | Cyber Attack / Endpoint Security


E-commerce businesses in South Korea and the US are the targets of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month.

The malspam campaign is notable for moving from macro-laced Microsoft Word documents to NSIS executables as the vehicle for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, Taiwan and Japan.

NSIS, short for Nullsoft Scriptable Install System, is a script-driven open source system used to develop installers for Windows operating systems.

Where a series of attacks in 2021 used ZIP archives containing macro-laced Word documents to drop the executables that loaded GuLoader, the new wave of phishing attacks embeds NSIS executables inside ZIP archives or ISO images and uses those NSIS files to kick off the infection.

“By embedding malicious executables in archives and images, attackers may be able to evade detection,” said Trellix researcher Nico Paulo Yturriaga.
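The point of wrapping the NSIS executable in a ZIP or ISO is that filters which only look at the outer attachment, or at file extensions, never see a PE file. A content-based check has to open the container and inspect each member. The following is an added example, not code from the article or from Trellix: it walks an in-memory ZIP archive and classifies each member by its bytes rather than its name, flagging executables that carry the NSIS first-header signature (the little-endian 0xDEADBEEF marker followed by "NullsoftInst" that the NSIS stub expects to find in the data appended to it). The archive and its members are constructed sample data, not a real malware sample, and ISO handling is left out because the standard library has no ISO 9660 reader.

```python
import io
import zipfile

# Magic values the check relies on. "MZ" is the DOS header every PE file starts
# with; the 16-byte sequence is the NSIS first-header signature (0xDEADBEEF
# little-endian followed by "NullsoftInst") written at the start of the
# installer data that NSIS appends to its stub executable.
PE_MAGIC = b"MZ"
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"


def classify_member(data: bytes) -> str:
    """Return 'nsis-exe', 'exe' or 'other' for one archive member's bytes."""
    if not data.startswith(PE_MAGIC):
        return "other"
    # The NSIS header sits in the overlay, i.e. after the PE sections, so a
    # substring search over the whole member body is sufficient here.
    if NSIS_SIGNATURE in data:
        return "nsis-exe"
    return "exe"


def scan_zip(blob: bytes) -> list[tuple[str, str]]:
    """Classify every file member of a ZIP archive held in memory.

    The member name is reported only for logging; the verdict comes from the
    content, so a member called Purchase_Order.pdf.exe (or any other
    misleading name) is still recognised as an NSIS-built executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            findings.append((info.filename, classify_member(data)))
    return findings


def build_sample_zip() -> bytes:
    """Construct a test archive (constructed sample data, not real malware).

    The first member is a stand-in for an NSIS installer: an MZ header, zero
    padding where the PE body would be, then the NSIS signature in the
    overlay position. The second is a plain PE stand-in with no overlay.
    """
    fake_nsis = PE_MAGIC + b"\x00" * 512 + NSIS_SIGNATURE + b"\x00" * 64
    fake_plain_exe = PE_MAGIC + b"\x00" * 512
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Purchase_Order.pdf.exe", fake_nsis)
        zf.writestr("setup.exe", fake_plain_exe)
        zf.writestr("readme.txt", b"order details attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:9} {name}")
```

Two caveats a practitioner should keep in mind: plenty of legitimate software ships as NSIS installers, so an "nsis-exe" hit is a triage signal for an inbound e-mail attachment, not proof of GuLoader; and the article notes the campaign's NSIS scripts have added obfuscation and encryption around the shellcode, so the signature above identifies the container type only and says nothing about what the script inside it does.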


Over the course of 2022, the NSIS scripts used to deliver GuLoader are said to have become more sophisticated, incorporating additional obfuscation and encryption layers to hide the shellcode.

The development also marks a broader shift in the threat landscape, with another method of malware distribution proliferating in response to Microsoft’s blocking of macros in Office files downloaded from the Internet.

“Moving the GuLoader shellcode to an NSIS executable is a remarkable example of the creativity and persistence of attackers in evading detection, preventing sandbox analysis, and thwarting reverse engineering,” said Yturriaga.
