GuLoader is what is known as a Trojan and is used by cybercriminals to download and execute secondary malware payloads. GuLoader has primarily been used to download remote access Trojans (RATs) and other information stealers; some of its common payloads have included FormBook, NanoCore, Agent Tesla, LokiBot, Remcos RAT, and AZORult. GuLoader is also noteworthy for utilizing advanced sandbox detection and evasion techniques that increase its chances of successfully delivering malware payloads.
How GuLoader works
Downloaders such as GuLoader often represent the starting point of a more comprehensive attack, and are frequently one of the first stages of infection when a user falls victim to an exploit kit or opens a malicious email attachment.
GuLoader is a portable executable file written partly in Visual Basic 6 (VB6) that is often embedded in an .iso image or .rar archive, and delivered as part of a malspam campaign. Once executed by an unwitting victim, the downloader attempts to connect to a remote server to download its payload.
Frequently, the remote servers hosting these malicious payloads have been Google Drive or Microsoft OneDrive servers, which demonstrates that malware distributors are integrating elements of commercially available cloud computing services into their delivery networks.
Using legitimate cloud-based storage services in this way isn’t just a convenient option, but a tactical one. Through this approach, GuLoader can evade many network-based detection methods, because traffic to these cloud storage services is sometimes not inspected in corporate environments. Additionally, the payloads are frequently encrypted with a hard-coded key, so the cloud storage provider is unlikely to be able to identify their contents as potentially harmful.
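The two properties described above (payloads fetched from legitimate cloud storage, and payloads encrypted so that content inspection sees only opaque bytes) suggest what a defender can still look for. The following Python script is an added example, not code from the original article or from any GuLoader analysis: it runs a simple heuristic over constructed proxy log lines, flagging file downloads from cloud storage hosts that arrive with a non-browser user agent or an opaque binary content type, and it shows why an encrypted payload defeats content inspection by comparing the Shannon entropy of a constructed pseudo-random blob with that of ordinary plaintext. The log format, host list, user-agent markers and entropy threshold are all assumptions chosen for the example.

```python
import hashlib
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log lines (not from any real incident). Format assumed:
#   timestamp src_ip "user-agent" method url status bytes content-type
SAMPLE_LOG = """\
2021-02-10T09:14:02Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0) Chrome/88.0" GET https://docs.google.com/document/d/EXAMPLE1/edit 200 48213 text/html
2021-02-10T09:14:40Z 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" GET https://drive.google.com/uc?export=download&id=EXAMPLE2 200 348160 application/octet-stream
2021-02-10T09:15:03Z 10.0.0.7 "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0" GET https://onedrive.live.com/download?cid=EXAMPLE3 200 2101248 application/pdf
2021-02-10T09:15:10Z 10.0.0.9 "" GET https://onedrive.live.com/download?cid=EXAMPLE4 200 262144 application/octet-stream
2021-02-10T09:16:00Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0) Chrome/88.0" GET https://www.example.com/index.html 200 5120 text/html
"""

# Assumed list of consumer cloud-storage hosts worth extra scrutiny.
CLOUD_STORAGE_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
# Assumed markers of a current interactive browser; anything else is treated as non-browser.
BROWSER_UA_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")
# Assumed entropy threshold (bits per byte) above which a blob looks encrypted or compressed.
ENTROPY_THRESHOLD = 7.2

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d+) (\d+) (\S+)$')


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, ua, method, url, status, size, ctype = m.groups()
    return {"ts": ts, "src": src, "ua": ua, "method": method, "url": url,
            "status": int(status), "bytes": int(size), "ctype": ctype}


def suspicious_reasons(entry):
    """Return the list of reasons a successful GET from a cloud-storage host looks like a loader fetch."""
    host = urlparse(entry["url"]).hostname or ""
    if host not in CLOUD_STORAGE_HOSTS or entry["method"] != "GET" or entry["status"] != 200:
        return []
    reasons = []
    if not any(marker in entry["ua"] for marker in BROWSER_UA_MARKERS):
        reasons.append("non-browser user agent")
    if entry["ctype"] == "application/octet-stream":
        reasons.append("opaque binary download")
    return reasons


def scan_log(text):
    """Run the heuristic over every line and return the flagged entries with their reasons."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data):
    """True when the byte distribution is close to uniform, as encrypted or compressed data is."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def constructed_random_bytes(n, seed=b"constructed-seed"):
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for an encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a stand-in encrypted blob and an ordinary plaintext blob of equal size.
ENCRYPTED_SAMPLE = constructed_random_bytes(4096)
PLAIN_SAMPLE = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["url"], ", ".join(f["reasons"]))
    print("encrypted sample entropy: %.3f" % shannon_entropy(ENCRYPTED_SAMPLE))
    print("plaintext sample entropy: %.3f" % shannon_entropy(PLAIN_SAMPLE))
```

On the constructed log the second and fourth lines are flagged (a stale or empty user agent pulling an octet-stream from a cloud-storage host), while the browser-driven document and PDF fetches pass. The entropy comparison makes the second point concrete: the stand-in encrypted blob scores close to 8 bits per byte and the plaintext well below, which is why a storage provider scanning content alone cannot tell an encrypted payload from any other random-looking file, and why the metadata heuristic (who fetched what, with which client) is the more useful signal.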
History of GuLoader
First observed in the wild by security researchers in March of 2020, GuLoader quickly rose to prominence that year; by the summer of 2020, some estimates indicated that upwards of 25% of all packed samples were GuLoader, with hundreds of attacks observed per day. Reports of GuLoader’s continued proliferation endure as recently as February 2021.