GuLoader is a hybrid of a loader, which injects other malware into processes on the compromised host, and a conventional Trojan downloader, which fetches that malware from a remote server. The tool appears to be used by a range of cybercriminals and hacking groups. According to reports, GuLoader has been used to deliver cryptocurrency miners, RATs (Remote Access Trojans), backdoor Trojans and other malware. In the most recent campaigns it was used to inject the Parallax RAT and the Remcos RAT into compromised hosts.
The most common infection vector for GuLoader is phishing email. The targeted user receives a message that appears to come from a legitimate source and carries an attachment designed to look important: a CV, an invoice, a contract and so on. More experienced operators use a more convincing lure than their less skilled counterparts:
Experienced operators use a macro-laced Microsoft Office document. When it is opened, Office asks the user to 'Enable Editing' and then 'Enable Content'. No Office vulnerability is exploited here: the document relies entirely on the user allowing its macros to run, and once they do, the macro launches GuLoader on the computer.
Less advanced operators fall back on the double-extension trick. Windows hides the extensions of known file types by default, so an attachment named 'CV.pdf.exe' is displayed as 'CV.pdf', and a user who trusts what Explorer shows may open it. Turning on 'File name extensions' in Explorer closes most of this gap, though shortcut files (.lnk) never display their extension even then.
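Both lures can be caught before the user ever sees them. The following Python script is an added example, not code from the original page and not GuLoader analysis tooling: it reproduces how Explorer's name display drops a trailing '.exe', flags a document-looking name with an executable extension behind it, and looks inside an Office Open XML attachment for the vbaProject.bin part that only macro-bearing documents contain. The sample attachments, including the in-memory macro document, are constructed for the demonstration, and the extension lists are illustrative assumptions rather than a complete gateway policy.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows runs directly on double-click (illustrative list, an assumption of this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "msi"}
# Extensions a recipient expects on a CV or invoice: the visible half of a name like 'CV.pdf.exe'.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png"}
# Office Open XML parts that exist only when the document carries a VBA project.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Magic bytes of the legacy OLE compound file used by .doc/.xls/.ppt.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


@dataclass
class Verdict:
    filename: str
    displayed_as: str            # what Explorer shows with "Hide extensions for known file types" on
    reasons: list = field(default_factory=list)


def displayed_name(filename: str) -> str:
    """Explorer hides only the final extension, so 'CV.pdf.exe' is shown as 'CV.pdf'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def double_extension(filename: str):
    """Return a reason string when an executable extension hides behind a document extension."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return None
    before, last = parts[-2], parts[-1]
    if last in EXECUTABLE_EXTS and before in DOCUMENT_EXTS:
        return f"executable '.{last}' hidden behind document extension '.{before}'"
    return None


def has_vba_macros(data: bytes) -> bool:
    """True for an Office Open XML file (docm/xlsm/pptm, or a renamed .docx) that ships a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in VBA_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> Verdict:
    verdict = Verdict(filename, displayed_name(filename))
    reason = double_extension(filename)
    if reason:
        verdict.reasons.append(reason)
    if has_vba_macros(data):
        verdict.reasons.append("Office document contains a VBA project (macros)")
    elif data.startswith(OLE_MAGIC):
        # Legacy binary Office formats need an OLE parser to find macro streams; flag for deeper inspection.
        verdict.reasons.append("legacy OLE Office container, macro streams not inspected here")
    return verdict


def build_macro_document() -> bytes:
    """Constructed sample: a minimal OOXML container carrying a vbaProject part (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a fake PE behind a PDF name, a macro document with a harmless name, plain text.
    samples = {
        "CV.pdf.exe": b"MZ\x90\x00",
        "Invoice.docx": build_macro_document(),
        "Notes.txt": b"just text",
    }
    for name, data in samples.items():
        v = triage_attachment(name, data)
        print(f"{name!r} is shown as {v.displayed_as!r}: {v.reasons or 'nothing flagged'}")
```

The macro check deliberately ignores the file extension: a .docm renamed to .docx still opens in Word and still carries word/vbaProject.bin, so the zip contents, not the name, decide. Legacy .doc files are only flagged for manual inspection here because their macro streams live inside an OLE container that needs a dedicated parser.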
GuLoader checks whether it is running inside a sandbox or on an ordinary computer. If it detects analysis tools such as a debugger on the system, it stops executing, so an analyst's virtual machine sees no malicious activity at all.
To evade detection, GuLoader uses a technique known as 'process hollowing': it starts a legitimate executable in a suspended state, replaces that process's in-memory image with its own code and then resumes it, so the malicious code runs under the name and path of a trusted binary and security tools that judge by the process list may not flag it. GuLoader then connects to the attackers' C&C (Command & Control) server and downloads the payload it is meant to deliver to the infected host.
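The sequence just described (spawn a trusted binary, write into its memory, then talk to the C&C) leaves a trail in endpoint telemetry. The following Python is an added example, not code from the original page or from any vendor's product: it correlates constructed Sysmon-style events (Event ID 1 ProcessCreate, 10 ProcessAccess, 3 NetworkConnect) and alerts when a process's own parent opened it with PROCESS_VM_WRITE and PROCESS_VM_OPERATION rights shortly before the child made an outbound connection. The event records, process names and addresses are constructed sample data; the example assumes the loader's handle to its child is recorded as a ProcessAccess event, and a real deployment would tune the access mask and time window against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process access rights from winnt.h that a loader needs on the suspended child it is about to hollow.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOWING_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Locations a phished attachment typically executes from (assumption: illustrative, not exhaustive).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(seconds=60)):
    """Flag parent->child pairs where the parent spawned the child (Event 1), then opened it with
    memory-write rights (Event 10), after which the child made an outbound connection (Event 3)."""
    created = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    written = defaultdict(list)  # child pid -> timestamps of write-capable opens by its own parent
    for e in events:
        if e["EventID"] != 10:
            continue
        child = created.get(e["TargetProcessId"])
        access = int(e["GrantedAccess"], 16)
        if child and child["ParentProcessId"] == e["SourceProcessId"] \
                and access & HOLLOWING_MASK == HOLLOWING_MASK:
            written[e["TargetProcessId"]].append(parse_time(e["UtcTime"]))

    alerts = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessId"] not in written:
            continue
        t = parse_time(e["UtcTime"])
        if not any(timedelta(0) <= t - w <= window for w in written[e["ProcessId"]]):
            continue
        child = created[e["ProcessId"]]
        reasons = ["parent wrote into child memory, child then connected out"]
        if any(p in child["ParentImage"].lower() for p in USER_WRITABLE):
            reasons.append("parent runs from a user-writable directory")
        alerts.append({
            "parent": child["ParentImage"],
            "child": child["Image"],
            "destination": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            "reasons": reasons,
        })
    return alerts


# Constructed sample telemetry: a loader dropped from a phishing attachment hollows a system binary,
# which then reaches a (documentation-range) C&C address; a browser that simply goes online is noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:00", "ProcessId": 4321, "ParentProcessId": 1000,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\CV.pdf.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:01", "ProcessId": 5000, "ParentProcessId": 4321,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\CV.pdf.exe"},
    {"EventID": 10, "UtcTime": "2024-01-15 10:00:01", "SourceProcessId": 4321, "TargetProcessId": 5000,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "UtcTime": "2024-01-15 10:00:04", "ProcessId": 5000,
     "Image": "C:\\Windows\\System32\\notepad.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:02", "ProcessId": 6000, "ParentProcessId": 1000,
     "Image": "C:\\Program Files\\Browser\\browser.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-01-15 10:00:03", "ProcessId": 6000,
     "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The browser in the sample goes online right after launch but nobody wrote into its memory, so it is not flagged: the memory-write step by the process's own parent, not the network connection, is what distinguishes the hollowing pattern from ordinary activity. Where the telemetry is available, comparing the executable on disk with the image actually mapped in the child's memory is the definitive confirmation.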