A GuLoader health check: Q3 2020 activity of the {il}legitimate Italian malware downloader

During research and analysis activities in Q3 2020, it was possible to observe continued activity from GuLoader as it spread different types of malware payloads. GuLoader is a fairly well-made software (or “malware”) protector and downloader. However, it is mainly used to spread many different kinds of malicious artifacts worldwide.

Although this piece of malware garnered widespread attention after a Check Point research paper linked it to an Italian company, the threat actors currently using it do not seem to have been affected in any way by the news.

What is GuLoader?

GuLoader is a piece of software very well rooted in the malware business. It is a relatively new service aimed at replacing traditional packers and encryptors and has been widely adopted in the criminal underground.

It basically acts as a dropper (usually retrieving the final payload from a hardcoded URL) and therefore belongs to the category of malware that delivers and spreads other malware. However, the company that handles its development and maintenance has also designed a variant capable of carrying its payload embedded in the sample itself instead of retrieving it from a URL. This variant is named “DarkEyE Protector”.

In any case, one of the distinguishing features of the original GuLoader dropper is precisely that it uses URLs to download and execute further malicious components. Most of the URLs used by the malware point to well-known cloud services such as Google Drive and Microsoft OneDrive.

The typical behavioral pattern of infections attributable to GuLoader could be represented by the following graph:

Basically, an initial dropper delivered through malspam campaigns is designed to download and execute further malicious payloads.

How does it technically work?

Long story short, I have summarized in a simplified graph the behavior of the typical GuLoader implant (please note the icon of paradise for the “Heaven’s Gate” technique :] ) as observed in the months of June and July 2020.

This software is constantly evolving, so some relationships could change from version to version, but in principle the graph should cover a good percentage of the samples in circulation.

This graph is shown below:

How is GuLoader’s health after the media attention?

It seems quite good! According to the visibility I have, from the beginning of July 2020 a total of 505 unique URLs can be linked to the threat in question. Among these we find Google Drive, Microsoft OneDrive, compromised websites and infrastructure built specifically for this purpose by threat actors.

The following graph shows a breakdown by type of the URLs observed delivering final payloads from a GuLoader sample (note: “Others” includes compromised websites and actor-controlled infrastructure):

As for the final payloads served by this dropper, below is another graph showing the five (5) most common malware families observed (again, according to the visibility I personally have):

To date, this software still helps threat actors with little or no deep technical skill to evade common detection systems and carry out malicious campaigns aimed at collecting credentials and private information and at obtaining unauthorized access to and control of victim environments.

The mystery of “”: A trick against “TheTrick”

Behind the scenes

“TheTrick” is one of the community names used to refer to a criminal group responsible for the development and distribution of many malware variants, among which “TrickBot”, “Ryuk”, “Conti”, “BazarLoader” and “BazarBackdoor”.

However, the malware vector mainly used by this adversary is certainly “TrickBot”. TrickBot is a modular piece of malware designed so that different malicious features can be added to a common base. This makes it capable of carrying out many activities, such as downloading and executing additional payloads, data harvesting, reconnaissance of the victim’s local network, lateral movement, and so on.

According to the visibility of my research group, however, starting from 22 September 2020 someone tried to disrupt the TrickBot botnet by pushing a new configuration file to infected hosts that reported the IP address “” as the new command-and-control server. That address is the “localhost” and obviously is not routable.

Beyond this, the “version” reported in this bogus file was set to a value probably intended to prevent bots from downloading a new, valid configuration.
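As an added illustration (not code from the post, and using an assumed, simplified mcconf-style XML layout rather than any real captured configuration), a defender-side check that would flag a configuration of the kind described above: every listed C2 is non-routable and the version is set implausibly high. The reference version the check compares against is a caller-supplied assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in an assumed, simplified mcconf-style layout: the only
# C2 entry points at the loopback address and the version is set very high.
SAMPLE_CONFIG = """<mcconf>
  <ver>1000999</ver>
  <gtag>tot123</gtag>
  <servs>
    <srv>127.0.0.1:443</srv>
  </servs>
</mcconf>"""


def parse_config(xml_text):
    """Return (version, [(host, port), ...]) from an mcconf-style document."""
    root = ET.fromstring(xml_text)
    version = int(root.findtext("ver", default="0"))
    servers = []
    for srv in root.iter("srv"):
        text = (srv.text or "").strip()
        host, sep, port = text.rpartition(":")
        if not sep:                      # entry without a port
            host, port = text, ""
        servers.append((host, int(port) if port.isdigit() else None))
    return version, servers


def is_routable(host):
    """False for loopback, link-local, private, unspecified or malformed IPs."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def assess_config(xml_text, expected_max_version):
    """Return a list of findings; empty means the config looks plausible.
    expected_max_version is the highest version the analyst expects the
    real operators to ship (an assumption supplied by the caller)."""
    version, servers = parse_config(xml_text)
    findings = []
    unreachable = [h for h, _ in servers if not is_routable(h)]
    if servers and len(unreachable) == len(servers):
        findings.append("all C2 servers non-routable: " + ", ".join(unreachable))
    if version > expected_max_version:
        findings.append(f"version {version} exceeds expected {expected_max_version}")
    return findings
```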

At first it was impossible to know whether this configuration file had been pushed deliberately by the threat actor itself [very unlikely], by white hats attempting to disrupt the botnet, by a security vendor or by some government unit.

Until the configuration was restored to its prior state, TrickBot-infected machines were unable to communicate with the true TrickBot command-and-control servers. However, what became clear within my research group (while trying to understand what was happening) is that the entity attempting to take down the TrickBot network had very good knowledge of the “internals” of this threat.

Finally, on 09 October 2020, The Washington Post solved the mystery by reporting that the TrickBot disruption was the work of U.S. Cyber Command.

Botnet dismantled?

For now, it seems “No”. However, this operation was most likely not aimed at permanently dismantling the TrickBot network but rather at “…distract the adversary for at least a while as they seek to restore their operations…”. This is probably because “…the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election…”.

Plausibly, the operators behind the TrickBot network have already begun fully recovering their network and their losses. In addition, one potential counter-move that the threat actor could make in retaliation for what happened is an increase in ransom demands during ransomware operations.

In general, the threat landscape associated with this threat actor currently appears very lively. For example, I recently came across a variant of the Ryuk ransomware (associated with that group’s criminal ecosystem) compiled on September 11, 2020, suggesting its return after its development seemed to have been abandoned with the advent of “Conti”.

Very recently, moreover, another malware associated with the same criminal ecosystem, called BazarLoader, has been spread with practically no detection. I again came across one and reported it on Twitter: a variant with a detection rate of just 1/69, in a reply to a @James_inthe_box tweet (https://twitter.com/James_inthe_box/status/1313523102312087553).

All of this confirms that the group still seems very active and determined in its operations.

UPDATE: 12/10/2020

Microsoft, with the help of several ISPs around the world, took the TrickBot network down. The participants in the operation obtained a court order to take down the TrickBot command-and-control servers, thus avoiding having to poison the agents’ control and management mechanisms.