GuLoader

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware. Specifically, the activity abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account.

The attack targets users who arrive at a legitimate-looking website through a Google search, with no phishing email or suspicious link involved... Malicious code hidden in the site’s WordPress backend quietly waits to activate under the right conditions.

The campaign chains a compromised WordPress site... Every layer is built to appear legitimate, giving most traditional defenses no reason to intervene.

In most campaigns, messages contain a URL or attachment leading to an internet shortcut (.URL) file.

It’s most likely these files were delivered to victims via a spear-phishing email... In that case, the malware arrived in the form of a ZIP file containing an executable SCR file.

The purpose of this code is to call the PowerShell interpreter and pass it the code of the script collected in the “pa0” variable as a parameter.

When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file.

When executed, the LNK/VBS executes a BAT or CMD file that downloads a Python installer package and a series of Python scripts leading to malware installation.

The content repeatedly mentions malicious macros in Word/Excel documents, such as "enable macros," "embedded macros," and "macro-enabled documents."

The command calls rundll32.exe... pointing it to a remote DLL hosted by the attacker over a UNC path. The DLL loads directly into memory with no file written to disk.

The overlay tells the user to press Win+R, Ctrl+V, and Enter... the victim runs it willingly, believing it to be a routine check.

In some cases, the malware was named to trick the user into thinking it was a PDF file, e.g.: fiche de poste.exe ... fiche de candidature.pdf.exe

An attacker can edit that struct in order to manipulate execution on that address by setting the RIP (on x64) register, when resuming from that exception. | On Windows, as specified in MSDN documentation, it is possible to programmatically handle a specific exception by registering a VECTORED_EXCEPTION_HANDLER (VEH), which will manage the execution to handle that condition.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include AppleSeed creating 'HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.

The RegAsm process will be spawned in a suspend mode which indicates process hollowing injection... This instruction will write a second shellcode to the RegAsm process.

The DLL loads directly into memory with no file written to disk and no prompt shown.

The RegAsm process will be spawned in a suspend mode which indicates process hollowing injection... the first shellcode creates the RegAsm process and injects a second shellcode into it with a unique variation of the Process Hollowing injection.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include AppleSeed creating 'HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.

Next, we see a function named 602F54 ... responsible for accessing the process environment block (PEB) and returning an API call.

The RegAsm process will be spawned in a suspend mode which indicates process hollowing injection... This instruction will write a second shellcode to the RegAsm process.

The DLL loads directly into memory with no file written to disk and no prompt shown.

The RegAsm process will be spawned in a suspend mode which indicates process hollowing injection... the first shellcode creates the RegAsm process and injects a second shellcode into it with a unique variation of the Process Hollowing injection.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The command calls rundll32.exe, a trusted signed Windows tool... Because rundll32.exe is a Microsoft-signed binary, it clears SmartScreen without any warning.

Malware also uses this technique for anti-analysis, an issue we explored in a previous blog post about an advanced anti-analysis techniques discovered in GuLoader.

Now, this register holds the API call EnumWindows ... After we step over the call to EnumWindows, we see the line: cmp eax,c. Using this line the shellcode determines if there are at least 12 ... windows in the machine. If not, the process will be terminated. | Next, we see the function 602038, if we step over it and we’ll see the string “ C:\Program Files\qqa\qqa.exe ”. This is because 602038 functionality is to search whether the Qemu gues agent is located on the machine. | Inside the function 601F28, there is another routine that consists of two anti-analysis mechanisms. Time cheks using RDTSC (Read Time-Stamp Counter), and anti-VM using CPUID. | The function will use the API call ZwQueryVirtualMemory ... scan the process’s memory... Each one of them will represent a string that is related to a Virtual Machine product ... If one of these strings will be found ... the process will create the previously mentioned message box.

Inside the function 601F28, there is another routine that consists of two anti-analysis mechanisms. Time cheks using RDTSC (Read Time-Stamp Counter), and anti-VM using CPUID.

the script allocates 2 memory areas, downloads the data from the link to Google Drive, and saves it to a temporary file “%APPDATA%\Umig.For”.

An attacker can edit that struct in order to manipulate execution on that address by setting the RIP (on x64) register, when resuming from that exception. | On Windows, as specified in MSDN documentation, it is possible to programmatically handle a specific exception by registering a VECTORED_EXCEPTION_HANDLER (VEH), which will manage the execution to handle that condition.

In the next two calls, we see a call to 602F54 which resolves NtSetInformationThread... The second argument is ThreadHideFromDebugger (11), which in this case will cause the process to crash if it's working under a debugger. | In its first lines, the shellcode gets the function DbgBreakPoint ... writes the byte 90 into it... Then, the shellcode will do the same with DbgUiRemoteBreaking ... every time a breakpoint will be happening the process will be terminated. | In this technique, the shellcode will get the API call to be executed from the EAX register ... and will inspect if any software breakpoints assign to it. If it has any software breakpoint, it will have one of the breakpoint opcodes(for example, 0xCC which means INT 3). | The shellcode will compare any of these registers to the number 0, if one of them is not 0 that means there is a hardware breakpoint. In this case, the shellcode will jump ... and the process will be terminated.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Malware also uses this technique for anti-analysis, an issue we explored in a previous blog post about an advanced anti-analysis techniques discovered in GuLoader.

Now, this register holds the API call EnumWindows ... After we step over the call to EnumWindows, we see the line: cmp eax,c. Using this line the shellcode determines if there are at least 12 ... windows in the machine. If not, the process will be terminated. | Next, we see the function 602038, if we step over it and we’ll see the string “ C:\Program Files\qqa\qqa.exe ”. This is because 602038 functionality is to search whether the Qemu gues agent is located on the machine. | Inside the function 601F28, there is another routine that consists of two anti-analysis mechanisms. Time cheks using RDTSC (Read Time-Stamp Counter), and anti-VM using CPUID. | The function will use the API call ZwQueryVirtualMemory ... scan the process’s memory... Each one of them will represent a string that is related to a Virtual Machine product ... If one of these strings will be found ... the process will create the previously mentioned message box.

Inside the function 601F28, there is another routine that consists of two anti-analysis mechanisms. Time cheks using RDTSC (Read Time-Stamp Counter), and anti-VM using CPUID.

Using other pre-computed hashes, the shellcode searches for installed products with the API MsiEnumProducA and MsiGetProductInfo.

In the next two calls, we see a call to 602F54 which resolves NtSetInformationThread... The second argument is ThreadHideFromDebugger (11), which in this case will cause the process to crash if it's working under a debugger. | In its first lines, the shellcode gets the function DbgBreakPoint ... writes the byte 90 into it... Then, the shellcode will do the same with DbgUiRemoteBreaking ... every time a breakpoint will be happening the process will be terminated. | In this technique, the shellcode will get the API call to be executed from the EAX register ... and will inspect if any software breakpoints assign to it. If it has any software breakpoint, it will have one of the breakpoint opcodes(for example, 0xCC which means INT 3). | The shellcode will compare any of these registers to the number 0, if one of them is not 0 that means there is a hardware breakpoint. In this case, the shellcode will jump ... and the process will be terminated.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

First, we see a call to a location in the stack ... that will execute the function InternetOpenUrlA, we also see the C2 it will use... the second shellcode downloads further malware.

When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file.

the job-themed malware in July was observed in paths suggesting it had been mounted as CD-ROMs... it could also be that a malicious ISO file was delivered to victims and mounted.