GuLoader Targets US Financial Firms With Tax-Themed Phishing Lures

A malware loader known as GuLoader has been observed targeting the US financial sector using phishing emails with tax-themed lures.

Security researchers at eSentire shared their findings in an advisory published Monday.

“GuLoader, also known as CloudEyE, is a loader malware known to deliver additional malware such as infostealers and remote access Trojans (RATs),” wrote eSentire’s Threat Response Unit (TRU).

“The loader contains multiple stages of shellcode and is known to be one of the most advanced loaders with numerous anti-analysis techniques.”

A campaign targeting US financial institutions was observed by TRU in March 2022.

“The phishing email contained a shared link to Adobe Acrobat that allowed users to download a password-protected ZIP archive,” reads the advisory.

The ZIP archive contains a decoy image and a shortcut file disguised as a PDF. The latter relies on PowerShell to download additional payloads from websites.

“GuLoader achieves persistence via Registry Run Keys,” writes eSentire. “The ‘State’ registry key contains an obfuscated PowerShell script that reflectively loads the GuLoader shellcode into memory.”
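A defender-side hunt for the persistence pattern described above, added here as an example and not taken from eSentire’s advisory. It enumerates the Run and RunOnce keys and flags values whose command line looks like an in-memory PowerShell loader stub (PowerShell launched hidden or encoded, reading a payload back out of the registry, or touching memory-allocation APIs); the indicator names, regexes and the two-indicator threshold are my own assumptions and will need tuning per environment.

```powershell
# Added example: hunt Run/RunOnce keys for PowerShell loader stubs (not eSentire's code).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Label -> regex. PowerShell's -match is case-insensitive by default.
# Regexes are assumptions chosen to reflect the traits the advisory describes.
$Indicators = [ordered]@{
    'powershell_host'      = '\b(powershell|pwsh)(\.exe)?\b'
    'hidden_window'        = '-w(indowstyle)?\s+hidden'
    'encoded_or_noprofile' = '-(enc|encodedcommand|e|nop|noprofile|ep|executionpolicy)\b'
    'reads_registry'       = 'Get-ItemProperty|GetValue\(|HKCU:|HKLM:|\bState\b'
    'runs_decoded_text'    = 'IEX|Invoke-Expression|FromBase64String|\[char\]|-join'
    'reflective_loading'   = 'VirtualAlloc|CreateThread|DelegateType|DefinePInvokeMethod'
}

function Test-RunKeyValue {
    param([string]$Key, [string]$Name, [string]$Data)
    $hits = @($Indicators.Keys | Where-Object { $Data -match $Indicators[$_] })
    # Assumption: two or more indicators on one value is worth an analyst's look.
    [pscustomobject]@{
        Key        = $Key
        Name       = $Name
        Indicators = ($hits -join ',')
        Suspicious = ($hits.Count -ge 2)
        Command    = $Data
    }
}

$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$Results = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -in $ProviderProps) { continue }   # skip the registry provider's metadata
        Test-RunKeyValue -Key $Key -Name $P.Name -Data ([string]$P.Value)
    }
}

# Print only the values that tripped the threshold; pipe $Results elsewhere for full inventory.
$Results | Where-Object Suspicious | Format-List Key, Name, Indicators, Command
```

Run it in a user context to cover HKCU and again elevated to cover every profile’s hive; a Run value that merely points PowerShell at another registry value is the trait most worth following up.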

According to the team, the campaign shows that tax-themed phishing scams are a popular tactic for cybercriminals during tax season.

“These decoys usually take the form of fake emails that appear to be from legitimate tax authorities such as the IRS and often contain urgent messages regarding tax refunds or payments,” reads the advisory.

“Once the malware is installed, the attacker can access the victim’s system and data to carry out further attacks.”

More information on such scams can be found here: IRS phishing email used to distribute Emotet

Additionally, eSentire explained that password-protected ZIP archives are often an efficient way to evade email filters and antivirus programs.

“By zipping files into a password-protected archive, it becomes more difficult for antivirus and email filters to scan and analyze the files, as the contents of the archive cannot be scanned without the correct password.”

Another recently uncovered malware campaign also relied on ZIP archives, with threat actors using them to deploy the MortalKombat ransomware.
