Introduction

Malicious spam (malspam) pushing GuLoader malware has been around for over a year now. GuLoader is a file downloader first observed in December 2019, and it has been used to distribute a wide variety of malware, especially malware based on remote administration tools (RATs). I wrote a blog last year examining malspam using GuLoader for Netwire RAT, and GuLoader activity has continued since then. Today's diary reviews a case of malspam pushing GuLoader for Remcos RAT on Tuesday 2021-02-23.
The malspam
The malspam is supposedly from someone at Lowes in Canada. Below are some of the email headers associated with this message.

Received: from rz-medizintechnik.com (unknown [185.29.11.66])
Date: 23 Feb 2021 07:18:05 +0100
From: CHIRAG MARCUS <chirag.m@lowes-ca.org>
Subject: New Quotation 2021
Message-ID: <20210223071804.247143D567E6DCFA@lowes-ca.org>
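The headers above show the pattern that makes this message easy to triage: the sending host (rz-medizintechnik.com, with no reverse DNS) has nothing to do with the domain in the From: line (lowes-ca.org). The following script is an added example, not code from the diary; it parses a header block with the standard library and reports that kind of mismatch. The header text it runs on is constructed from the headers quoted above, and the second, clean header block is invented for comparison.

```python
"""Flag sender-domain mismatches in an e-mail header block.

Added example (not from the ISC diary). Checks three things a SOC analyst
looks at first: does the first-hop Received: host belong to the From:
domain, does the relay have reverse DNS, and does the Message-ID domain
match the From: domain.
"""
import re
from email.parser import HeaderParser

# Constructed from the headers quoted in the diary.
SAMPLE_HEADERS = """\
Received: from rz-medizintechnik.com (unknown [185.29.11.66])
Date: 23 Feb 2021 07:18:05 +0100
From: CHIRAG MARCUS <chirag.m@lowes-ca.org>
Subject: New Quotation 2021
Message-ID: <20210223071804.247143D567E6DCFA@lowes-ca.org>

"""

# Constructed clean message for comparison: relay host belongs to the sender domain.
CLEAN_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
From: Jane Doe <jane@example.org>
Subject: Invoice
Message-ID: <abc123@example.org>

"""

# "from <host> (<rdns> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")


def domain_of(address):
    """Lowercase domain part of an address or message-id, or None."""
    m = re.search(r"@([\w.-]+)", address or "")
    return m.group(1).lower() if m else None


def triage_headers(raw):
    """Return extracted fields plus a list of human-readable findings."""
    msg = HeaderParser().parsestr(raw)
    from_domain = domain_of(msg.get("From"))
    msgid_domain = domain_of(msg.get("Message-ID"))
    received = msg.get_all("Received") or []
    # Received: headers are prepended by each hop, so the last one is the
    # earliest hop, i.e. the host that handed the message in.
    first_hop = received[-1] if received else ""
    m = RECEIVED_RE.search(first_hop)
    hop_host = m.group(1).lower() if m else None
    hop_rdns = m.group(2).lower() if m else None
    hop_ip = m.group(3) if m else None

    findings = []
    if from_domain and hop_host:
        same_org = hop_host == from_domain or hop_host.endswith("." + from_domain)
        if not same_org:
            findings.append(
                f"From domain {from_domain} does not match first-hop host {hop_host}")
    if hop_rdns == "unknown":
        findings.append(f"first-hop IP {hop_ip} has no reverse DNS")
    if msgid_domain and from_domain and msgid_domain != from_domain:
        findings.append(
            f"Message-ID domain {msgid_domain} does not match From domain {from_domain}")
    return {"from_domain": from_domain, "hop_host": hop_host,
            "hop_ip": hop_ip, "findings": findings}


if __name__ == "__main__":
    for label, block in (("malspam", SAMPLE_HEADERS), ("clean", CLEAN_HEADERS)):
        result = triage_headers(block)
        print(label, result["findings"] or ["no findings"])
```

A subdomain of the From: domain (mail.lowes-ca.org) would pass the first check, since legitimate mail usually leaves from a host inside the sender's own domain; anything else is worth a closer look before the attachment is.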
The attachment

I opened the attachment in my lab, but I was on a Windows 10 host running a recent version of Microsoft Office, and nothing happened. Initially, I didn't realize this was a document with an exploit targeting CVE-2017-11882, which does not work against current versions of Office. I had to switch to an older Windows 7 host to get an infection.
The infection traffic

Infection traffic was typical of what I've seen with previous GuLoader infections for some sort of RAT-based malware. In this case, the infected Windows host was unable to establish a TCP connection with the server used by this sample for Remcos RAT.
Forensics on the infected Windows host

GuLoader persisted on the infected Windows host through a registry update. When the host was rebooted, the GuLoader sample again retrieved the encoded binary for Remcos RAT.
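The diary does not say which registry value GuLoader used for persistence, only that it was a registry update. The script below is an added example, not part of the diary, and it assumes the common case of an autostart value under the current user's Run key. It parses text in the layout that `reg query` prints and flags entries that launch from user-writable locations, use a script host as the launcher, or reuse a system binary name outside the Windows directory. The key listing it runs on is constructed, with one benign entry and three of the kind a RAT loader tends to leave behind.

```python
"""Triage Run-key autostart entries from 'reg query' style text.

Added example (not from the ISC diary). The Run key is an assumption; the
diary only says GuLoader persisted via a registry update.
"""
import re
from pathlib import PureWindowsPath

# Constructed listing in the layout 'reg query HKCU\...\Run' prints.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater           REG_SZ           "C:\Users\lab\AppData\Roaming\svchost.exe"
    Loader            REG_SZ           wscript.exe //B "C:\Users\lab\AppData\Local\Temp\run.vbs"
"""

# Directories an ordinary user can write to; malware dropped by a document
# exploit almost always lands in one of these.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Launchers that run a script rather than a compiled program.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Names that only belong under %windir%; elsewhere they are masquerading.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def launcher_of(data):
    """First token of the value data: the quoted path or the first word."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0]


def referenced_paths(data):
    """Every quoted string plus every bare token that looks like a path."""
    quoted = re.findall(r'"([^"]+)"', data)
    bare = [t for t in re.sub(r'"[^"]*"', " ", data).split() if "\\" in t]
    return quoted + bare


def triage_run_key(text):
    """Return the entries that deserve a look, each with its reasons."""
    suspicious = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # key header, blank line, or anything that is not a value
        data = m["data"]
        launcher = launcher_of(data)
        launcher_name = PureWindowsPath(launcher).name.lower()
        reasons = []
        if launcher_name in SCRIPT_HOSTS:
            reasons.append(f"script host as launcher: {launcher_name}")
        if launcher_name in SYSTEM_BINARY_NAMES and "\\windows\\" not in launcher.lower():
            reasons.append(f"system binary name outside Windows directory: {launcher}")
        for path in referenced_paths(data):
            if any(marker in path.lower() for marker in USER_WRITABLE):
                reasons.append(f"user-writable path: {path}")
        if reasons:
            suspicious.append({"name": m["name"], "data": data, "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    for entry in triage_run_key(SAMPLE_RUN_KEY):
        print(entry["name"])
        for reason in entry["reasons"]:
            print("   ", reason)
```

The user-writable check is deliberately noisy: a legitimately per-user installed program such as OneDrive trips it too, so the output is a list for an analyst to read, not a verdict. The other two rules are the ones that matter on a host like the one in this diary, where the loader has to come back after a reboot from wherever the exploit dropped it.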
Indicators of Compromise (IOCs)

Associated malware:

SHA256 hash: 21c4c697c6cba3d1d7f5ae5d768bf0c1d716eccc4479b338f2cf1336cf06b8ad
SHA256 hash: 6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df

Infection traffic:

GuLoader EXE retrieved through CVE-2017-11882 exploit:

GuLoader retrieves encoded data for Remcos RAT:

Remcos RAT post-infection traffic:
Final words

We continue to see new malware samples using exploits based on CVE-2017-11882 in the wild. This vulnerability is over 3 years old, and exploits targeting it are not effective against the most recent versions of Microsoft Windows and Office. The only reason we continue to see these new samples is that distributing exploits based on CVE-2017-11882 remains profitable. That means a substantial number of people still use outdated versions of Microsoft Office and/or Windows that are not properly patched or updated. GuLoader has been a relatively constant presence in our threat landscape since it was discovered in December 2019, so I expect we'll also continue to see new samples for various RAT-based malware in the weeks and months ahead.

--- Brad Duncan, ISC Handler, Feb 24th 2021