GuLoader VBScript Variant Returns with PowerShell Updates

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures in the first half of 2023. In April 2023, TRU reported on ongoing GuLoader activity using tax-themed lures and decoy files. In the latter half of May, TRU identified an updated VBScript GuLoader variant across multiple customers.

This blog will examine Guloader’s latest VBScript/PowerShell execution techniques in more detail.

Similar to the previous activity, GuLoader execution begins with the user clicking on a shortcut file and launching a PowerShell command, which retrieves a decoy tax document and VBS script.

Next, PowerShell contacts two shortened links, which lead to two files hosted on softmedal[.]com (a file/image sharing site).

The first file is infos.pdf and appears to be a real US income tax form. The PDF is opened with the default app for PDF files (Adobe Acrobat in the above image) and displayed to the user as a decoy.

The second file is Tefor.vbs. Like GuLoader VBScript variants in the past, this is highly obfuscated and contains junk code to impede analysis. The script concatenates hundreds of smaller strings into a single variable which ultimately builds and executes a PowerShell command.

Summary of GuLoader's Execution Chain

Before stepping through each step in GuLoader’s execution chain in more detail, we can summarize the entire process:

1. Tefor.vbs VBScript is executed by the user clicking a shortcut file.
2. First stage PowerShell is executed by the VBScript.
3. BitsTransfer is used to retrieve a payload package containing the second stage PowerShell and two shellcode buffers.
4. Second stage PowerShell is carved out of the payload package and executed.
5. Shellcode A is carved from the package and reflectively loaded.
6. Shellcode B is decoded by Shellcode A and reflectively loaded.
7. Shellcode B is used to retrieve and inject Remcos RAT into a legitimate Windows process such as ieinstal.exe.

First Stage PowerShell

The PowerShell command contains various obfuscated strings, as seen in the right side of Figure 3. These strings are passed to a de-obfuscation function (Sawmo9). This function contains a loop that iterates over each character of the input string (excluding the first and last characters).

In essence, it extracts every other character from the string and concatenates into a variable named $Dryde0, which is returned by the function.

The cleaned-up PowerShell contains less than 30 lines of code and makes up the first stage of GuLoader’s PowerShell execution.

To explain its functionality, we’ve formatted (including renaming some variables for readability) and organized the code into several sections.

Section 1:

• Defines a payload URL (hxxp://194.55.224[.]183/frsh/Remimicra.hhp).
• Defines the path for the 32-bit PowerShell binary on 64-bit systems ($env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe).
• Gets the current process command line string using ((gwmi win32_process -F ProcessId=${PID}).CommandLine) -split [char]34.
• Retrieves and stores second-to-last element from command line array from the last point.
• Assigns a variable that checks if the system is 64-bit and if the 32-bit PowerShell exists in the syswow64 folder.

Section 2:

• If the system is 64-bit and the 32-bit PowerShell exists in the correct path, execute a new 32-bit PowerShell process copying the current process command line as a new argument.
  • This is likely done to reload PowerShell with the full command line argument but with a 32-bit process required for GuLoader’s shellcode.
• Retrieve the next stage from the payload URL defined in Section 1 and save it to AppData\Fasta.ski using BitsTransfer.

Section 3:

• Reads the content of the payload file using the Get-Content cmdlet.
• Base64 decodes the payload content.
• Uses the GetString method of the System.Text.Encoding class to convert and encode a byte array to a string using ASCII encoding.
• Extracts a 19712 characters length substring at index position 205484 then execute it.
  • This string contains the PowerShell to execute GuLoader’s shellcode.

The final section of the first stage PowerShell is where the code diverges from the variant observed in April. Instead of writing more payloads to registry, a single payload package is retrieved that contains both the two-stage shellcode and additional PowerShell commands.

The last section contains the second stage PowerShell code:

Second Stage PowerShell

The code contains non-human readable hex strings. These strings are passed to a decoding function where they are converted from hex to byte and XOR’d with decimal 18. The resulting byte array is converted to an ASCII string and returned by the function.

To speed up analysis, a write-output cmdlet can be inserted into the function to print the decoded strings to the screen during runtime.

Once de-obfuscated, the purpose of the code is to reflectively load GuLoader’s shellcode in memory (the code overlaps heavily with this GitHub repo).

As we saw in the previous variant in April, the code defines two buffers containing shellcode:

Shellcode A

• Copies the first 648 bytes containing shellcode from the payload package retrieved by the first stage PowerShell.
• This shellcode is used to decode the second buffer using key 58 3E 88 D0.

Shellcode B

• Copies 204836 bytes of shellcode from the same payload package beginning at offset 648.
• Once decoded, this shellcode is responsible for fetching Remcos RAT from hxxp://194.55.224[.]183/frsh/iFaeETTILhlw208.bin and injecting it into ieinstall.exe.
• The Remcos RAT identified in this case communicates to zazuservr[.]com over port 9019.

How did we find it?

• The activity was initially identified by eSentire MDR for Network via our global IP address blocklist.
• Our team of 24/7 SOC Cyber Analysts traced the blocked network connections to endpoint telemetry that revealed the full extent of the activity described above.

What did we do?

Based on information from the initial investigation, we conducted additional threat hunts across all customers. This information was used to update our detection content for GuLoader across our customers.

What can you learn from this TRU positive?

• GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs).
  • GuLoader leverages user-initiated scripts or shortcut files to execute multiple rounds of highly obfuscated commands and encrypted shellcode. The result is a memory-resident malware payload operating inside a legitimate Windows process.
  • Recent GuLoader campaigns employ a topical tax-themed lure as a way of enticing users to click on malicious shortcut files. Tax documents are presented to the victim as a decoy while code is executed silently in parallel.
• Remcos is a commercially available tool marketed as a legitimate Remote Administration Tool (RAT). The tool provides various remote access and surveillance features including keylogging, screenshots and audio recording among other features which make the tool an attractive choice for threat actors.
  • Remcos is best paired with a capable malware loader such as GuLoader to ensure uninterrupted execution on systems where it has not explicitly been installed by administrators.

Recommendations from our Threat Response Unit (TRU) Team:

• GuLoader is actively developed and highly evasive so having multiple layers of 24/7 threat detection and security event monitoring can compensate for gaps across telemetry sources.
• Individuals and organizations should be vigilant when receiving unsolicited emails or messages related to taxes. Train users to identify and report potentially malicious content using Phishing and Security Awareness Training (PSAT) programs.
• Protect endpoints against malware by:
  • Ensuring antivirus signatures are up-to-date.
  • Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.

Indicators of Compromise

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.