GuLoader

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Type: Downloader
Origin: Italy
First seen: 1 December, 2019
Last seen: 6 December, 2022
Also known as: CloudEyE, vbdropper
Global rank: 34
Week rank: 11
Month rank: 8
IOCs: 3309

What is GuLoader malware

Just like the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload, typically another trojan or a RAT. Once the malware makes its way onto the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for its advanced anti-detection and obfuscation techniques. It evades network detection, stops executing when it finds itself in a virtual environment, and can slip past automated security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020 the trojan kept gaining popularity, at one point accounting for 25% of all packed samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written as encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads on cloud drive services, usually Google Drive or Microsoft OneDrive. This way it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host's security scanning.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes by calling EnumWindows and counting the application windows on screen; when the count indicates a sandbox, it terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject its malicious code into a benign process and evade antivirus detection.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service, with prices starting at $100 per month. It is distributed on the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that it is a security tool for protecting applications against cracking. However, the same site links to YouTube tutorials that clearly show how to use the software maliciously, including how to abuse cloud drives.

Researchers linked GuLoader to an Italy-based hacking group by analyzing email addresses left as contact details in old forum threads. One of the users behind the loader is known by the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming he could make other malicious programs harder to detect. That history explains why GuLoader uses so many intricate evasion and anti-analysis techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.

Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN saves analysts time by presenting the crucial information extracted from the malware immediately: the GuLoader configuration can be inspected about 10 seconds after its process starts.

Figure 2: GuLoader malware configuration

GuLoader execution process

The way GuLoader is distributed has changed over time, but its execution flow has always stayed straightforward. Since its purpose is to download the main payload to the infected system, it first checks whether it is running inside a virtual environment. If the check passes, it opens a connection and downloads the payload. Once the payload has been downloaded and starts executing, GuLoader stops.

Even if the loader did not connect to its C2 during analysis, you can always look at the extracted malware configuration to find out where GuLoader intended to fetch its payload from.

Distribution of GuLoader

The distribution method of GuLoader is typical: the loader usually arrives as an Office document attached to spam emails, and when the document is opened, a macro installs the malicious program. Sometimes it is also delivered as an executable inside a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding COVID-19 by mentioning the virus. More recently, attackers have used fake payment invoices: they impersonate a bank and use social engineering to trick the victim into downloading an infected file to check "payment details."

Conclusion

GuLoader is available as a service for a relatively low price, is easy to find on the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim to already have over 5000 clients. Given the combination of advanced evasion tricks and ease of use, we expect its popularity to keep growing.

Thankfully, GuLoader is easily detectable in the ANY.RUN sandbox. It takes only a few minutes to launch an interactive emulation and identify the threat.

IOCs

IP addresses
94.73.151.170
203.82.48.219
84.38.181.21
107.180.41.151
91.237.98.22
136.243.5.53
187.17.111.47
144.76.87.157
192.169.69.25
198.187.29.65
89.47.53.13
45.133.200.3
67.217.34.70
5.206.224.171
103.227.62.72
45.143.222.30
46.4.22.188
144.91.100.126
101.100.211.101
35.214.178.31
Hashes

Domains
majul.com
www.xeroxsupportdrivers.com
www.mytrainersaid.com
www.asdaz.site
www.cdn-aws.net
temc.xyz
chi-photography.com
turing.academy
www.orcus.one
glborigintest.canarytest.net
decenthat.com
www.decenthat.com
megambu.pw
www.otena.com
patassociation.com
adsnet.work
scietech.academy
curlmyip.com
qxq.ddns.net
booking.msg.bluhotels.com
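The IP addresses and domains above are only useful once they are run against your own telemetry. The script below is an added example, not ANY.RUN's tooling or anything from the page: it loads the page's network IOCs, matches proxy log lines against them (exact IP match, exact or parent-domain match for hostnames), and groups hits by internal client so an incident responder sees which machines reached GuLoader infrastructure. The log format, the field names and the log lines themselves are constructed for the demonstration.

```python
"""Match proxy log lines against the GuLoader network IOCs listed on this page.

Added example for this page, not ANY.RUN's tooling. The proxy log format and the
sample lines are constructed; the IOC lists are copied from the page.
"""
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple
from urllib.parse import urlsplit

# Network IOCs copied from the IOC section of this page.
GULOADER_IPS = {
    "94.73.151.170", "203.82.48.219", "84.38.181.21", "107.180.41.151",
    "91.237.98.22", "136.243.5.53", "187.17.111.47", "144.76.87.157",
    "192.169.69.25", "198.187.29.65", "89.47.53.13", "45.133.200.3",
    "67.217.34.70", "5.206.224.171", "103.227.62.72", "45.143.222.30",
    "46.4.22.188", "144.91.100.126", "101.100.211.101", "35.214.178.31",
}
GULOADER_DOMAINS = {
    "majul.com", "www.xeroxsupportdrivers.com", "www.mytrainersaid.com",
    "www.asdaz.site", "www.cdn-aws.net", "temc.xyz", "chi-photography.com",
    "turing.academy", "www.orcus.one", "glborigintest.canarytest.net",
    "decenthat.com", "www.decenthat.com", "megambu.pw", "www.otena.com",
    "patassociation.com", "adsnet.work", "scietech.academy", "curlmyip.com",
    "qxq.ddns.net", "booking.msg.bluhotels.com",
}

# Constructed proxy log format (assumption): "<timestamp> <client-ip> <method> <target> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


class Hit(NamedTuple):
    ts: str
    src: str        # internal client that made the request
    host: str       # host actually contacted
    ioc_type: str   # "ip" or "domain"
    ioc: str        # the list entry that matched


def extract_host(target: str) -> str:
    """Bare lowercase host from a full URL or a CONNECT-style host:port target."""
    if "://" not in target:
        target = "//" + target  # make urlsplit treat the string as a netloc
    return urlsplit(target).hostname or ""


def match_domain(host: str, domains: set[str]) -> str | None:
    """Return the listed domain equal to `host` or a parent of it (subdomain match)."""
    labels = host.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify_host(host: str) -> tuple[str, str] | None:
    """Return ("ip", ioc) or ("domain", ioc) if the host is on the list, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        matched = match_domain(host, GULOADER_DOMAINS)
        return ("domain", matched) if matched else None
    return ("ip", str(ip)) if str(ip) in GULOADER_IPS else None


def scan_log(lines) -> list[Hit]:
    """Return one Hit per log line whose destination is a listed IOC."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count and report these
        ts, src, _method, target, _status = m.groups()
        host = extract_host(target)
        verdict = classify_host(host)
        if verdict:
            hits.append(Hit(ts, src, host, *verdict))
    return hits


def hosts_by_source(hits: list[Hit]) -> dict[str, set[str]]:
    """Group matched IOCs by internal client: the first pivot an IR team wants."""
    grouped: dict[str, set[str]] = {}
    for h in hits:
        grouped.setdefault(h.src, set()).add(h.ioc)
    return grouped


# Constructed sample proxy log: two clients touch listed infrastructure, one does not.
SAMPLE_PROXY_LOG = [
    "2022-12-06T10:01:12Z 10.0.0.5 GET http://www.asdaz.site/doc.bin 200",
    "2022-12-06T10:01:15Z 10.0.0.5 CONNECT 45.133.200.3:443 200",
    "2022-12-06T10:02:00Z 10.0.0.7 GET http://www.example.com/ 200",
    "2022-12-06T10:03:10Z 10.0.0.9 GET http://cdn.decenthat.com/x.enc 404",
    "2022-12-06T10:04:42Z 10.0.0.9 CONNECT www.Orcus.One:443 200",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_PROXY_LOG):
        print(f"{h.ts} {h.src} -> {h.host} matched {h.ioc_type} IOC {h.ioc}")
    print(hosts_by_source(scan_log(SAMPLE_PROXY_LOG)))
```

Parent-domain matching is deliberate: a loader configuration that points at `cdn.decenthat.com` should still trip on the listed `decenthat.com`. The cost is noise from generic services that appear on such lists (curlmyip.com, for instance, is a public "what is my IP" service), so weight those hits lower than the rest when triaging.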
