GuLoader

GuLoader is an advanced downloader written in shellcode. It is used by criminals to distribute other malware, notably trojans, on a large scale, and it is infamous for its anti-detection and anti-analysis capabilities.

Type
Downloader
Origin
Italy
First seen
1 December, 2019
Last seen
31 March, 2023
Also known as
CloudEyE
vbdropper
Global rank
30
Week rank
16
Month rank
16
IOCs
3461

What is GuLoader malware

As the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to get a foothold on a system and drop a final payload, typically another trojan or a RAT. Once it runs on the victim's system, it establishes a remote connection and downloads a malicious executable.

This malware is infamous for its advanced anti-detection and obfuscation techniques. It evades network detection, stops executing when it finds itself in a virtual environment, and can slip past automated security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020 the loader kept gaining popularity, at one point accounting for 25% of all packed samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader consists of encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it hosts its second-stage payloads on cloud storage services, usually Google Drive or Microsoft OneDrive, so the download looks like ordinary traffic to a trusted host and raises no red flags. The payload is stored encrypted, which lets it slip past the cloud host's security scanning.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes by calling EnumWindows to count the application windows on the screen; if there are too few, it terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject its malicious code into a benign process and evade antivirus detection.
  5. To confuse analysts, its PE import data contains only generic entries such as GetProcAddress, so the APIs it really calls are resolved at runtime and do not show up in the PE header.
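The window-count check in item 2 is easy to reproduce, and sandbox operators use exactly this kind of reproduction to verify that their analysis VM would pass it. The following is an added example written for this page, not GuLoader's code or ANY.RUN's: it enumerates top-level windows through the same Win32 call the loader uses (EnumWindows) and applies the decision separately, so the decision logic can be exercised on any platform with a constructed window list. The threshold of 12 windows is an assumption; the page gives no number.

```python
"""Window-count sandbox check in the style of GuLoader (added example, not the malware's code)."""
import sys
import ctypes

MIN_WINDOWS = 12  # Assumed threshold; the page does not state the real one.


def enumerate_top_level_windows():
    """Windows only: return a list of (hwnd, visible, title) for every top-level window.

    Uses user32!EnumWindows, the same API the page says GuLoader calls.
    """
    if sys.platform != "win32":
        raise OSError("EnumWindows is only available on Windows")

    user32 = ctypes.windll.user32
    # Declare argument types so 64-bit HWND values are not truncated to int.
    user32.IsWindowVisible.argtypes = [ctypes.c_void_p]
    user32.IsWindowVisible.restype = ctypes.c_bool
    user32.GetWindowTextLengthW.argtypes = [ctypes.c_void_p]
    user32.GetWindowTextLengthW.restype = ctypes.c_int
    user32.GetWindowTextW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_int]
    user32.GetWindowTextW.restype = ctypes.c_int

    EnumWindowsProc = ctypes.WINFUNCTYPE(ctypes.c_bool, ctypes.c_void_p, ctypes.c_void_p)
    user32.EnumWindows.argtypes = [EnumWindowsProc, ctypes.c_void_p]
    user32.EnumWindows.restype = ctypes.c_bool

    found = []

    def callback(hwnd, _lparam):
        length = user32.GetWindowTextLengthW(hwnd)
        buf = ctypes.create_unicode_buffer(length + 1)
        user32.GetWindowTextW(hwnd, buf, length + 1)
        found.append((hwnd, user32.IsWindowVisible(hwnd), buf.value))
        return True  # keep enumerating

    user32.EnumWindows(EnumWindowsProc(callback), None)
    return found


def window_count_check(windows, min_windows=MIN_WINDOWS, visible_only=False):
    """Decision logic of the check.

    windows: iterable of (hwnd, visible, title) tuples.
    Returns (count, looks_like_sandbox): a bare analysis VM has few top-level
    windows, a real desktop has dozens (many of them invisible helper windows).
    """
    counted = [w for w in windows if w[1]] if visible_only else list(windows)
    return len(counted), len(counted) < min_windows


if __name__ == "__main__":
    # Run on an analysis VM to see what the loader would count there.
    wins = enumerate_top_level_windows()
    count, sandboxy = window_count_check(wins)
    print(f"{count} top-level windows; would be flagged as sandbox: {sandboxy}")
    for hwnd, visible, title in wins:
        if visible and title:
            print(f"  {hwnd:#x} {title}")
```

Running this on a freshly provisioned VM usually shows why the check works: with no user applications open, only a handful of shell windows exist. The countermeasure is operational rather than technical, namely opening a realistic set of applications (or pre-creating windows) before detonating a sample.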

Like many downloaders, GuLoader is offered as a service, with prices starting at $100 per month. It is sold on the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that it is a security tool intended to protect applications against cracking. However, the same site links to YouTube tutorials that clearly show how to use the software maliciously, including how to abuse cloud drives.

Researchers linked GuLoader to an Italy-based hacking group by analyzing email addresses left as contact details in old forum threads. One of the people behind the loader is known under the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming he could make other malicious programs harder to detect, which explains why GuLoader packs so many intricate anti-analysis and evasion techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.

GuLoader text report

Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN saves analysts time by presenting the crucial information extracted from the malware immediately. Analysts can look inside the GuLoader malware configuration about 10 seconds after its process starts.

GuLoader malware configuration

Figure 2: GuLoader malware configuration

GuLoader execution process

The way GuLoader is distributed has changed over time, but its execution flow stays straightforward. Because its only purpose is to download the main payload to the infected system, right after starting it checks whether it is running inside a virtual environment. Once that check passes, it connects to its download location and retrieves the payload. When the payload has been downloaded and starts executing, GuLoader exits.

Even if the loader did not connect to its download server (C2) during analysis, the extracted malware configuration still tells you where GuLoader wants to fetch the payload from.

Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attached to spam emails; when the document is opened, a macro installs the malicious program. Sometimes it is also delivered as an executable inside a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices: they impersonate a bank and use social engineering to trick the victim into opening an infected file to check the "payment details."

Conclusion

GuLoader is available as a service for a relatively low price, can easily be found on the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim to already have over 5000 clients. Given the combination of advanced evasion tricks and ease of use, we expect its popularity to keep growing.

Thankfully, GuLoader is easily detected in the ANY.RUN sandbox. It takes only a few minutes to launch an interactive emulation and identify the threat.

IOCs

IP addresses
94.73.151.170
84.38.181.21
107.180.41.151
187.17.111.47
192.169.69.25
67.217.34.66
203.82.48.219
198.187.29.65
37.49.230.180
201.150.45.24
91.237.98.22
144.76.87.157
45.143.222.30
89.47.53.13
185.162.64.21
136.243.5.53
45.133.200.3
67.217.34.70
5.206.224.171
103.227.62.72
Hashes
6b3778969ec53acef6b23208f888527e539feb87b3e49598da6f4871aabd8e86
8c4d1e88b74d262191dde4b7d3f505e325ce311a7129021ba976a666b28258d2
68deb452c9e483d55be8549e72c4cdf0ae22f722e630d8db198381587e7d320f
a4a2871b4caf0f6a24e66645a6c1aae3949c4ed1366083589180ade45f8c2b70
ed5a4b555700f4831a059d203d7027bc6a36ad03347d23fffd6ad3738635b2ff
83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
718822b130852c5cacd1be5128fa566ef6ba31be013db93c718ee987bd5749a8
86cdb06b975dfb24d11bf83bbe33b39b8eb49c1bb514c2d508c05ef3d9b3be01
7136249249db3d970775998b54eb855fcaf4e53ebed0591a6754ee0c604bb534
7c4ed8f01c97ad84245dc9b7407c05d1a60af53653cffb41d798e403289909af
84e316ba28c1745989fcba630c13792daa4286bee90d828d9eb6e9f36d86f4fd
c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
bdf17c65ec65b47fdb97184d1817af84736dcd9a6c4d183e9a4e9631260e69ae
43ae907f84c039e02da6dd4cb1146d00ee7c269c1c0fc001fcf366623f81bc35
5935aa258cb81a08382744c37e266c302076024ff3f7593ff4e625e6425a6953
0a1b49a26192b26678151dffa80c33789aad9c8a0706a2daee6d4ada52ed0937
e3993f4cfce13f9bccabcf9600d375a5be7deac0b87ef169b05be582499228b9
af07244460a142f37f6e8fcf432686c7ab99190a5c548e004cf7d5ef25c3d78e
db68c7bdab61c383a6eb6814ad9068ed1c11d1e9cac8e0ce383385aba90f3d9f
5d5cf6bdac50ba9b74ff317ead631d14249658c992cabb4658b3078e522d5926
Domains
elx01.knas.systems
majul.com
moiawsorigin.clo.footprintdns.com
temc.xyz
chi-photography.com
booking.msg.bluhotels.com
isns.net
qxq.ddns.net
ffvgdsv.ug
www.pensionhotel.us
unboxtherapy.site
epsondriversforwindows.com
forskolinslimeffect.net
zinnystar.com
santastoy.store
reputation-medical.online
qegyqaq.com
www.orcus.one
atb-lit.com
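The IOCs above are most useful when matched against proxy or DNS logs, and the cloud-drive hosting described under "General description" suggests a second, heuristic signal: direct-download URLs on Google Drive and OneDrive. The following is an added example for this page, not ANY.RUN tooling: it loads a subset of the IPs, SHA-256 hashes and domains listed here, matches hostnames as exact or subdomain hits (with a leading "www." normalized away so apex and www variants match each other), and runs the result over constructed proxy log lines. The log format, the sample lines and the cloud direct-download URL patterns are all assumptions made for the example; the URL patterns are hunting heuristics that legitimate traffic also matches, not indicators from the page.

```python
"""Hunt for the GuLoader IOCs listed on this page in proxy logs (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the IOCs from the list above, for illustration.
GULOADER_IPS = {"94.73.151.170", "45.143.222.30", "185.162.64.21"}
GULOADER_DOMAINS = {"qxq.ddns.net", "majul.com", "www.pensionhotel.us", "temc.xyz"}
GULOADER_SHA256 = {
    "6b3778969ec53acef6b23208f888527e539feb87b3e49598da6f4871aabd8e86",
    "8c4d1e88b74d262191dde4b7d3f505e325ce311a7129021ba976a666b28258d2",
}

# Assumed direct-download URL shapes for the cloud hosts the page names.
# Heuristic only: plenty of legitimate downloads look like this too.
CLOUD_DOWNLOAD_PATTERNS = {
    "google_drive": re.compile(
        r"^https?://drive\.google\.com/(?:u/\d+/)?uc\?(?:.*&)?export=download", re.I),
    "onedrive": re.compile(r"^https?://onedrive\.live\.com/download\?", re.I),
}

# Constructed proxy log format (assumption): ts client method url status bytes sha256|-
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<sha256>[0-9a-f]{64}|-)$"
)


def normalize_domain(name: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' so apex/www variants match."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


NORMALIZED_DOMAINS = {normalize_domain(d) for d in GULOADER_DOMAINS}


def matching_domain(host: str):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = normalize_domain(host).split(".")
    # Walk from the full host up through its parents; never test a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in NORMALIZED_DOMAINS:
            return candidate
    return None


def classify_line(line: str) -> dict:
    """Parse one log line and return every IOC hit and heuristic flag found in it."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"parsed": False, "hits": [], "line": line}
    url = m.group("url")
    host = urlsplit(url).hostname or ""
    hits = []

    try:
        if str(ipaddress.ip_address(host)) in GULOADER_IPS:
            hits.append(("ip", host))
    except ValueError:  # not an IP literal, so treat it as a domain name
        ioc = matching_domain(host)
        if ioc:
            hits.append(("domain", ioc))

    if m.group("sha256") in GULOADER_SHA256:
        hits.append(("sha256", m.group("sha256")))

    for name, pattern in CLOUD_DOWNLOAD_PATTERNS.items():
        if pattern.match(url):
            hits.append(("cloud_download", name))

    return {"parsed": True, "hits": hits, "url": url, "client": m.group("client")}


def hunt(lines):
    """Return only the parsed lines that have at least one hit, in input order."""
    return [r for r in map(classify_line, lines) if r["hits"]]


# Constructed sample traffic; none of this is captured data.
SAMPLE_LOG = [
    "2023-03-14T09:12:03Z 10.0.0.21 GET https://www.microsoft.com/en-us/ 200 51234 -",
    "2023-03-14T09:12:09Z 10.0.0.21 GET https://drive.google.com/uc?export=download&id=1AbCdEf "
    "200 331776 6b3778969ec53acef6b23208f888527e539feb87b3e49598da6f4871aabd8e86",
    "2023-03-14T09:13:41Z 10.0.0.33 GET http://update.qxq.ddns.net/img/logo.bin 200 204800 -",
    "2023-03-14T09:14:02Z 10.0.0.33 POST http://45.143.222.30/gate.php 200 12 -",
    "2023-03-14T09:15:55Z 10.0.0.40 GET https://pensionhotel.us/rooms 200 8000 -",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_LOG):
        print(r["client"], r["url"], r["hits"])
```

Treat the "cloud_download" flag as a pivot rather than a verdict: on its own it only says a client pulled a file from a cloud drive, which is exactly why GuLoader hosts its payloads there. It becomes interesting when the same client then reaches a listed domain or IP, or when the downloaded file's hash is on the list.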
