By CagedTech in Malware

The well-known cybercriminal group TA505 carried out another attack in July 2019. This time it was observed deploying two downloader tools. While analyzing the first one (FlowerPippi), researchers found a second downloader being distributed through the same spam campaign. This malware is called Gelup, and it is threatening mainly because of its detection-avoidance features.

Why the Gelup Malware is Threatening

The Gelup Malware is a downloader written in C++. Once it gains access to a system, it can be instructed to download other files, execute them using two different methods, load libraries from them, and uninstall itself. Gelup is distributed through spam emails carrying .doc and .xls attachments. These documents contain malicious Visual Basic for Applications (VBA) macros. When someone opens one of these attachments, the macro runs and attempts to infect the system with the Gelup Malware.

How the Gelup Malware Works

The Gelup Malware infects a system through an elaborate sequence designed to gain access while avoiding detection and bypassing User Account Control (UAC). It achieves the UAC bypass by faking trusted Windows directories, abusing auto-elevated executables, and using DLL side-loading techniques. Gelup uses a common "anti-static analysis" technique to resolve the Windows application programming interfaces (APIs) it needs to carry out its attack. In the first part, it resolves each API from a hash just before calling it, so no API names appear in the binary. The second part of this technique relies on the malware's strings being decrypted only at runtime.

It also uses "anti-dynamic analysis," which means looking for analysis tools and checking whether it is running in a normal environment, a debugging environment, or an emulator or sandbox. The Gelup Malware then uses a multi-step procedure to install itself on the system. First, it tests whether the system has already been infected by checking whether "%AppData%\MSOCache" has been created. Next, it checks whether the current user account is a Guest account. If so, the malware creates a new file called "%AllUsersProfile%\{RANDOM}.exe" that contains a copy of itself, and it registers that file in the registry's "Run" key. If the current account has regular privileges, it moves on to bypass UAC. Once the Gelup Malware has the permissions and access it requires, it can begin communicating with its C&C server and downloading other malware.
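The two host artifacts named above (the "%AppData%\MSOCache" marker directory and a Run-key value launching an executable placed directly under %AllUsersProfile%) are what a responder would look for during triage. The following Python script is an added example, not code from the original post or from the researchers who analyzed Gelup. It runs a simple check over a constructed snapshot of Run-key values and a directory listing (all sample values, including the path "C:\ProgramData\x9f3kq2z.exe", are invented here for illustration). The "executable directly in the %AllUsersProfile% root" rule is a heuristic of this example, not something the post states.

```python
"""Triage helper for the two Gelup host artifacts described in the post.

Added example. Works on a captured snapshot (registry Run values as a
name -> command-line mapping, plus a set of paths known to exist), so it
runs offline on any platform; ntpath gives Windows path semantics.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample environment and snapshot (not real Gelup indicators).
ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "AllUsersProfile": r"C:\ProgramData",
}

RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Update": r"C:\ProgramData\x9f3kq2z.exe",          # constructed suspicious entry
    "Sound": r"C:\Windows\System32\rundll32.exe audiodg",
}

EXISTING_PATHS = {
    r"C:\Users\alice\AppData\Roaming\MSOCache",         # constructed marker directory
    r"C:\ProgramData\x9f3kq2z.exe",
}


def _executable_of(command: str) -> str:
    """Return the executable path from a Run-key command line.

    Handles both the quoted form ("C:\\path with spaces\\a.exe" /arg) and the
    bare form (C:\\path\\a.exe /arg).
    """
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def check_marker(env: Dict[str, str], existing_paths: Iterable[str]) -> bool:
    """True if the %AppData%\\MSOCache marker directory the post describes is present."""
    marker = ntpath.normcase(ntpath.join(env["AppData"], "MSOCache"))
    return any(ntpath.normcase(p) == marker for p in existing_paths)


def suspicious_run_entries(run_entries: Dict[str, str],
                           env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, exe) for Run values whose executable sits directly in
    the %AllUsersProfile% root.

    Heuristic of this example: legitimate software installs into a vendor
    subfolder, so a lone .exe in the root of %AllUsersProfile% matches the
    "%AllUsersProfile%\\{RANDOM}.exe" pattern from the post.
    """
    root = ntpath.normcase(env["AllUsersProfile"]).rstrip("\\")
    hits = []
    for name, command in run_entries.items():
        exe = _executable_of(command)
        if not exe.lower().endswith(".exe"):
            continue
        if ntpath.normcase(ntpath.dirname(exe)).rstrip("\\") == root:
            hits.append((name, exe))
    return hits


def triage(run_entries: Dict[str, str], env: Dict[str, str],
           existing_paths: Iterable[str]) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if check_marker(env, existing_paths):
        findings.append(
            f"marker directory present: {ntpath.join(env['AppData'], 'MSOCache')}")
    for name, exe in suspicious_run_entries(run_entries, env):
        findings.append(
            f"Run value '{name}' launches an executable directly under "
            f"%AllUsersProfile%: {exe}")
    return findings


if __name__ == "__main__":
    for line in triage(RUN_ENTRIES, ENV, EXISTING_PATHS):
        print(line)
```

On a live Windows host the snapshot would come from the HKCU and HKLM Run keys and a directory listing; the checks themselves do not change. Either finding alone is only a lead, since a marker folder name or a Run value can be legitimate, so confirm with the file's hash and the process tree before acting on it.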

How to Protect Yourself from the Gelup Malware

The Gelup Malware is being distributed through a spam campaign targeting systems in the Middle East, Japan, India, the Philippines, and Argentina. These spam emails may come from an account spoofing a known contact and usually carry a short message such as "PFA Invoices & DOs FOR YOUR REFERENCE." The email contains an MS Office document with a name like "Invoice-5601.doc".

To keep your system safe and clean, never download or run any attachment unless you are absolutely certain where it came from. Additionally, double-check sender email addresses when downloading an attachment, and make sure the attachment makes sense in the context of the email. Sometimes malware on the sender's system can attach files to their emails without them noticing.

You should always keep regular backups of all your data. Despite your best efforts, there is always a risk of a malicious script running on your system and compromising it. With regular backups, you have the option of restoring your system to a known-clean point rather than formatting the disk and starting completely fresh.
