On March 29, 2023, CrowdStrike posted a blog sharing details about a supply chain attack involving a software called 3CXDesktopApp. On the same day, SentinelOne also shared details in relation to the same event. 3CXDesktopApp is a multi-platform application for desktops (Linux, MacOS, and Windows) that allows users to interact via chat, messaging, video, and voice.
The 3CXDesktopApp supply-chain attack started when a threat actor (which CrowdStrike identified as having links with the Lazarus Group) was able to embed arbitrary code into the official build of the software, causing individuals and organizations to fall victim to a global-scale campaign simply by downloading and running the 3CXDesktopApp installer from the developer’s website. Both Microsoft Windows and macOS users were targeted, as both the Windows and Mac versions were compromised.
On a Windows system, the MSI installer (3CXDesktopApp-18.12.416.msi, 3CXDesktopApp-18.12.407.msi) is designed to extract several files and to execute the file 3CXDesktopApp.exe which in turn loads a malicious library file named ffmpeg.dll (corresponding to the MD5 hashes 74bc2d0b6680faa1a5a76b27e5479cbc and 27b134af30f4a86f177db2f2555fe01d).
THE KILL-CHAIN
The DLL appeared to be originally compiled on Nov. 12, 2022, suggesting long-term preparation of the attack. ffmpeg.dll was the first file on which I focused my attention. Within it I noted a function named dllmain_dispatch that appears to be a custom implementation wrapping the standard DllMain function (the entry point called by the operating system when a DLL is loaded or unloaded). The function checks the reason for the call: if it is DLL_PROCESS_ATTACH or DLL_PROCESS_DETACH, it calls the function sub_18004E250.
sub_18004E250 is a wrapper of sub_18004DE60. The latter is basically designed to:
1. Create a new event named “AVMonitorRefreshEvent”
2. Search for and load another malicious component named d3dcompiler_47.dll
3. Identify within it an encrypted payload, marked by the value 0xC3FAEDFE
4. Decrypt the payload (an RC4 stream) using the key 3jB(2bsG#@c7
5. Use the VirtualProtect() function to alter the memory access permissions
The decrypted payload appears to act as another loader, designed to wait a certain number of days before contacting a GitHub repository and retrieving .ICO files that carry encrypted C&C strings within them.
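The marker-and-RC4 scheme described in the steps above is easy to reproduce as a static-analysis helper. The following is an added example, not code from the original post or from the 3CX samples: it locates the marker in a carrier blob and RC4-decrypts what follows it with the key quoted above. Two assumptions are labelled in the code: the marker 0xC3FAEDFE is stored on disk as a little-endian DWORD, and the encrypted payload runs from the byte after the marker to the end of the carrier. The carrier bytes are constructed, not the real d3dcompiler_47.dll.

```python
"""Added example: extract and RC4-decrypt a marker-tagged payload from a carrier.

Assumptions (not stated by the analysis above): the marker is a little-endian
DWORD and the payload extends from the marker to the end of the carrier.
"""
import struct
from typing import Optional

MARKER = struct.pack("<I", 0xC3FAEDFE)  # assumption: little-endian DWORD on disk
RC4_KEY = b"3jB(2bsG#@c7"               # key quoted in the analysis


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_marker(blob: bytes) -> int:
    """Offset of the first marker occurrence, or -1 when the carrier has none."""
    return blob.find(MARKER)


def extract_payload(blob: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Decrypt the bytes that follow the marker; None when no marker is present."""
    off = find_marker(blob)
    if off < 0:
        return None
    return rc4(key, blob[off + len(MARKER):])


def build_carrier(payload: bytes, key: bytes = RC4_KEY) -> bytes:
    """Constructed carrier: a fake PE-like prefix, the marker, then the RC4 stream."""
    filler = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
    return filler + MARKER + rc4(key, payload)


if __name__ == "__main__":
    sample = build_carrier(b"constructed second-stage loader bytes")
    print("marker at offset", find_marker(sample))
    print("decrypted:", extract_payload(sample))
```

On a real carrier the same `find_marker` call gives the offset to inspect in a hex editor; because RC4 is symmetric, `rc4` is also what you use to re-verify that a decrypted blob round-trips to the bytes on disk.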
The final payload appears to be a stealer able to extract data from popular web browsers. At the time of writing, this one is not available to me.
MAGNITUDE OF THE EVENT
In the threat intelligence vertical, global telemetries are often used to assess the impact of a given campaign on a global scale. In this regard I have a certain degree of visibility (always to be considered partial and never complete) into the global diffusion of certain hashes as well as into the malicious network infrastructures they use. As already mentioned, the first file I focused on was ffmpeg.dll and its corresponding hashes (74bc2d0b6680faa1a5a76b27e5479cbc and 27b134af30f4a86f177db2f2555fe01d). According to my visibility, the malicious toolset was first observed on March 27, 2023 in Belgium, the United States, Germany, the Netherlands, Turkey and Israel, impacting above all the Manufacturing, Industry, Finance, Hospitality and Technology sectors (the latter at lower percentages). However, this data should not be considered very indicative of the start of the campaign, as the first detection signatures were massively released on that day. In fact, researchers at Unit42 confirm the observation of SmoothOperator-linked artifacts as early as March 09, 2023. The following map is derived from signature-based detections:
From my side, the situation looks very different if we instead consider telemetry based on malicious network infrastructures. The SmoothOperator campaign leveraged several domain names for Command and Control. They can be easily retrieved from the blog posts already mentioned above from CrowdStrike, SentinelOne and Unit42.
For example, if we consider the domain name msstorageazure[.]com, according to my visibility it is possible to observe the first SmoothOperator-linked request to this domain starting on Feb. 10, 2023 (not necessarily indicating an active infection, but giving an idea of the time span of the activity). Global resolution telemetries for this domain, up to March 29, 2023, confirm the countries previously reported as potentially impacted, adding Spain, Canada, Portugal, Brazil, Austria, Switzerland, India, Thailand, Sweden and Australia.
The resolution telemetries (referring to devices that have communicated with the malicious network infrastructures) for the domain akamaitechcloudservices[.]com also add Italy to the countries potentially impacted, as resolution requests from this country were observed on Feb. 17, 2023, referring at least to the Industrial and Manufacturing sectors.
According to the visibility available to me, the final map of the proportions of this event is as follows:
Note that the maps refer to telemetry data, which does not necessarily indicate an active infection in progress but rather an entity that has communicated with an infrastructure controlled by the threat actor. They refer to data from before March 29, 2023.
CONCLUSIONS
3CXDesktopApp is a widely used software and for this reason the SmoothOperator campaign received a lot of attention from the cyber security community. The potential damage caused by this supply-chain attack is very extensive, and the effects of a compromise can be serious, including the theft of data and sensitive information.
ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. In detail, it is the remote IDA debugger server named win32_remote.exe, and it is basically designed to act as a loader by reading and decrypting an encrypted payload written to disk (CaddyWiper). It has been used against Ukrainian targets in destructive attacks and is believed to be linked with the Russian threat actor known as Sandworm (aka BlackEnergy). At the time of writing several CaddyWiper-related analyses can already be found on the net, but none seem to delve into what happens in its loader. Having worked on this malware family in order to hunt for similar samples, I decided to share a quick analysis that led to the creation of a hunting YARA rule.
INSIGHTS
This piece of malware is not complex in its logic. The loader expects to be launched with two parameters from the command line: the first represents the decryption key and the second the path of the payload on disk. Immediately after execution, one of the first interesting things it does is dynamically resolve the shell32.CommandLineToArgvW and kernel32.GetCommandLine API functions.
It calls the latter in order to retrieve the parameters with which the executable has been launched, and shell32.CommandLineToArgvW in order to parse the command line string and get an array of pointers to the command line arguments. The next operation of interest is the resolution of the kernel32.ReadFile and kernel32.GetFileSize API functions, in order to retrieve and work on the encrypted CaddyWiper payload written on disk (pa.pay).
Below is an image of this payload as it appears in its original encrypted form:
As said, the primary job of this malware is reading, decrypting and executing the CaddyWiper payload. Regarding this task, it is possible to observe the execution at 00471B04. Here one byte from the input key (JRIBDFIMCQAKVBBP) is used to decrypt the payload reported above.
As a result, a decrypted payload as shown below can be observed:
At this point we land on the real CaddyWiper payload. Here too the malware retrieves several API functions that it will need to operate on various areas of the affected system, such as FindFirstFileA, FindNextFileA, CreateFileA, WriteFile, etc., after having retrieved the machine role via DsRoleGetPrimaryDomainInformation.
At this point the malware starts its job by iterating through files on the system and replacing their contents with null bytes (\x00). It starts by looking for files under %SystemDrive%\Users and continues with the logical drives D:\ up to Z:\. Disk partitions from //./PHYSICALDRIVE9 down to //./PHYSICALDRIVE0 are the last to be impacted.
THREAT HUNTING
In this analysis we observed an essential point of the execution chain: the one that allows the loader to decrypt and execute the real payload of the attack. In my opinion, one good point to hunt for threats similar to the ArguePatch version described here is indeed sub_471B04. According to the logic of the executable, this function is needed to recover the malicious payload and ensure that the targeted systems are impacted.
Creating a rule on this code fragment (reported below) is then useful for hunting similar payloads:
What we today call “ransomware” began as simple screen lockers demanding a ransom from the victim (“Your PC contains illegal content and cannot be used …“).
In relation to the increasing revenues they are able to generate, in recent years they have become one of the fastest growing classes of malicious software in the cyber threat landscape.
Lately, moreover, almost all of the interventions and articles on “cyber” topics have related to this category of malware, as a result of a specific attack against Colonial Pipeline Inc., which caused countless economic losses and inconveniences of every kind in the States.
After rivers of ink were spilled first on the incident itself and then on the group responsible for the attack (note: it was one of the group’s affiliates and not the dev team of the #DarkSide ransomware itself), there is no shortage, here and there, of articles, advice and posts by experts on how to defend against this type of malware.
The plethora of suggestions given, however, in my opinion have rarely been placed within a strategic context and have almost always been presented as a list of specific actions to be performed.
The individual items of these lists, although individually impeccable from a theoretical point of view (such as “installing a good antivirus” and “applying risk management processes“), can be difficult to apply in practice if not placed in a well-defined context that pursues a specific purpose; this purpose should be the countering and mitigation of extortion-oriented attacks and, much more generally, the enhancement of one’s defensive capabilities.
Finally, considering the famous phrase – “It is not possible to be 100% protected from malicious code” – it is also clear that a valid defensive solution cannot be based exclusively on the adoption of the latest AV / EDR technologies (more or less sophisticated), nor much less on last-minute tricks and tips.
Survival Skills:
Implementing a good defense program against these threats is undoubtedly an active and continuous process over time that involves the strengthening of at least five (5) internal capabilities.
They are:
Prevention: prevent the exploitation of infrastructure weaknesses and / or vulnerabilities through processes for updating, hardening and controlling public information (social networks, public manager / employee profiles, job descriptions …). Technically speaking, in some cases prevention could also mean adopting alternative technologies to those already in place and normally used, for example, for remote access services (VPN / RDP), in order to totally eliminate the growing risks due to the greater attention criminal groups pay to them (0-day research, 1-day exploits and the theft / sale of access credentials on the clearnet / darknet). Their potential compromise, in fact, could be catastrophic for the environment to be protected and provide an advantage that is difficult to recover from at a defensive level, as these services are often designed to interface directly with corporate intranets.
Detection and Protection: represents the ability to protect your assets from potentially adverse events by acquiring the ability to detect and contain a threat. As for malicious code, the protection of your assets certainly includes the adoption of AV / EDR, execution prevention systems, sandboxes, etc.
Resistance: indicates the ability to face and / or minimize the effects of an unknown or particularly stealthy threat that has a high likelihood of representing a concrete risk. It involves the implementation of concepts such as the separation of environments, the reduction of the potential attack surface, the identification of critical services and more stringent access control to them, etc.
Resilience: indicates the ability to recover after an incident.
Knowledge (SA – Situational Awareness): it means clearly understanding what one must defend against in relation to our perimeter as well as the tactics and procedures implemented by the adversaries and a consequent adoption of a defense strategy.
Ransomware…pays off:
The Covid-19 pandemic has been very useful for the “ransomware” business. In general, the higher revenues of many criminal groups (tripled, according to some estimates, compared to the pre-Covid period) are due to the inability of many organizations to adapt to a de-centralized work model after a large percentage of their workforce began to operate outside a defined perimeter (the classic corporate one).
However, in many cases it should be noted that the extension of the attack surface, as a direct consequence of the new “smart-workers”, did not actually create a “new” problem from scratch but has often magnified one that was present even before. This problem is mainly due to the lack of equipment (not only in the technological field but also in the procedural and internal policy ones) with which many companies fight these threats.
The most typical and widespread weakness observed during the analysis of some incidents was to focus (or limit) these defenses on a few points compared to the five (5) listed above. Closely related to what the “classic” cyber-security industry proposes, very often the one and only line of defense is delegated to AntiVirus / EDR and “Monitoring Operations“, thus concentrating the whole contrast strategy in the already described capacity of “Detection and Protection“.
Considering that even the most modern anti-malware solutions available on the market cannot guarantee detection rates even close to 100% (without considering the context in which an adversary comes to operate within our perimeter), it is evident that relying exclusively on them may not be enough.
Survival vs Kill Chain:
All the intrusions that end in a ransom request have effectively closed the so-called “Kill-chain”. The kill-chain represents a series of concatenated steps (or rings) which, simplifying, are in general:
1. Information gathering
2. First access and early-stage payload delivery
3. Lateral movement
4. Late-stage payload delivery
Closing this chain often means, for the victim, having to pay an expensive ransom to get back its data and documents. An effective contrast strategy will therefore provide for the direct mitigation of the potential risks deriving from each single phase (or ring) of this kill-chain, directing one’s work, with a more strategic vision, towards the five (5) points identified before.
Information Gathering: In this phase, attackers seek and hunt potential victims by acquiring information about them. While only some time ago the choice of target seemed to be quite casual and a direct consequence of the general external posture of the organization to hit (in the sense that robbing a shop is generally easier than robbing a bank), now the trend seems to be moving towards a much more targeted decision, so as to be able to ask for very substantial ransoms once the operation succeeds. Under the heading of “Prevention“ falls the set of activities aimed at not exposing oneself to such attacks by trying to contain the information released (voluntarily or not) on social networks and in the public profiles of the company. In this regard, Security Awareness programs are particularly useful. Information sources (threat intelligence) designed to increase the levels of Situational Awareness of the staff in charge of network protection can also be particularly useful.
First Access / Early-Stage payload delivery: In this phase, the attacker is able to obtain a first access to the perimeter. In order to make their life as difficult as possible it is necessary to correctly apply hardening and patching programs to the systems. Technically limiting the potential attack surface, applying multiple authentication factors, blocking the execution of macros and scripting languages that are not strictly necessary, checking permissions, and logically limiting the communications of internal workstations are all useful elements of an Incident Prevention strategy. If the attacker still manages to deliver a first-stage payload and therefore to obtain a first access to our infrastructure, the adoption of policies aimed at obtaining greater visibility into what is happening (for example: alerts on login credential anomalies, alerts on changes to accounts in AD – Active Directory –, alerts on malicious DNS resolutions, alerts on network flow anomalies – Firewall Logs –, alerts on IDS / IPS events and so on…) is useful to strengthen our Detection and Protection skills. EDR / AV and SIEM support these skills as well.
Lateral movement: In this phase, the attacker has managed to effectively compromise one or more machines inside our infrastructure and aims at expanding his/her control. If the defenses put in place up to now have proved ineffective, a further protective barrier capable of mitigating what is underway could be the application of strong network segmentation policies between environments. A further critical factor that can significantly increase our Resistance skills is the application of Behavior Analytics Systems.
Late-stage payload delivery: If the strategies applied so far have proved particularly ineffective in combating such an advanced and persistent adversary, we could suffer the effects of the last phase of a ransomware kill-chain, that is the release of the last-stage payload, the one that will probably be in charge of encrypting our data and information. Most likely the attacker has already gained full control of several internal machines and probably also obtained “admin-grade” credentials. Based on my personal experience, therefore, if we are at this point there is little chance that Detection and Protection systems can effectively mitigate the course of events. The best defense at this point is to have a good backup of all data, files, applications and any other critical resources. These backups must obviously be isolated from other systems.
Conclusions:
The ransomware business is particularly profitable. Considering the revenues it generates, it is reasonable to expect increasingly frequent and sophisticated attacks. The application of defensive measures in the various stages of the kill-chain, however, can reduce the risk of a full data loss (and of having to rely exclusively on negotiations with criminals to recover the data).
This content was originally written by me for SOC Prime, Inc. You can view the original article with detection rules here or read on for a local version.
Introduction
In August 2020 a new type of malware, belonging to the Ransomware category, appeared in the cyber threat landscape. The threat actor responsible for its development called it “DarkSide” and, like other pieces of malware of this type, it is operated in Big Game Hunting (BGH) campaigns. Around the same time, a DLS (Dedicated Leak Site) was made available on the darkweb (behind the TOR network) in order to report the first victims.
On their DLS, DarkSide operators claimed to be experienced in conducting cyber operations, having previously used other, not further identified, ransomware variants. Indeed, some characteristics of their operations support the hypothesis that the group could be a former affiliate of some other R-a-a-S (Ransomware as a Service) program that chose to write its own ransomware, likely to avoid sharing the profits of criminal activities with third parties.
Insights
DarkSide is a well-written malware family that has not changed much compared to the first versions analyzed. Usually the samples belonging to this family present, as already reported in other technical articles, some functionalities aimed at making analysis harder. Indeed, in a recent sample (sha256:17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61), at 0040182A we find a sub aimed at dynamically resolving DLLs and APIs through LoadLibrary / GetProcAddress. sub_4016D5, sub_4013DA and sub_401AC3 are also involved in this process. The following screenshot shows a chunk of code extracted from the whole function designed for this purpose:
This can be a useful place to create a code-chunk based Yara rule aimed at hunting further variants of the same malware family. After having selected two representative chunks we can obtain something similar to the following:
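Both code-chunk rules on this page (the one on the ArguePatch decryption routine at sub_471B04 and the one on the DarkSide API-resolution routine above) rest on the same mechanical step: take the same logical chunk from several variants, keep the bytes that agree and wildcard the ones that differ (typically immediates and relocated addresses). The following added example, not the author's rule or code, does exactly that and renders the result as a YARA hex string; the two x86 fragments and the rule name are constructed for illustration and are not bytes from the samples discussed.

```python
"""Added example: derive a wildcarded YARA hex pattern from chunk variants.

The byte sequences are constructed x86 fragments (push imm32 / call rel32 /
mov esi,eax / test esi,esi / jz), not bytes taken from ArguePatch or DarkSide.
"""
import re
from typing import List

# Constructed variants of one logical chunk: identical opcodes, immediates
# that differ between builds because addresses were patched at link time.
VARIANT_A = bytes.fromhex("68 00 10 40 00 E8 11 22 33 44 8B F0 85 F6 74 0A")
VARIANT_B = bytes.fromhex("68 00 20 40 00 E8 55 66 77 88 8B F0 85 F6 74 0A")


def build_hex_pattern(variants: List[bytes]) -> str:
    """Bytes equal across every variant stay literal; any that differ become '??'."""
    if not variants or len({len(v) for v in variants}) != 1:
        raise ValueError("need at least one variant, all of the same length")
    tokens = []
    for column in zip(*variants):
        tokens.append("%02X" % column[0] if len(set(column)) == 1 else "??")
    return " ".join(tokens)


def pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA-style hex string (literals and '??') into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def matches(pattern: str, data: bytes) -> bool:
    """True when the pattern occurs anywhere in data (same as a YARA string hit)."""
    return pattern_to_regex(pattern).search(data) is not None


def to_yara_rule(name: str, pattern: str) -> str:
    """Wrap the pattern in a minimal PE-only rule (uint16(0) == 0x5A4D is the MZ check)."""
    return (
        f"rule {name} {{\n"
        f"    strings:\n"
        f"        $chunk = {{ {pattern} }}\n"
        f"    condition:\n"
        f"        uint16(0) == 0x5A4D and $chunk\n"
        f"}}\n"
    )


if __name__ == "__main__":
    pat = build_hex_pattern([VARIANT_A, VARIANT_B])
    print(to_yara_rule("hunt_constructed_chunk", pat))
```

The more variants you feed in, the more positions get wildcarded; if the pattern ends up mostly `??`, the chunk is a poor anchor and a different one should be chosen, which is why the text above stresses selecting representative chunks.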
DarkSide also employs techniques for privilege escalation and UAC (User Account Control) bypass. The technique observed in this case is known as CMSTPLUA UAC Bypass and abuses the ShellExec method of the CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allows starting a process with elevated permissions, according to the following graph:
PowerShell is used in order to delete shadow copies, preventing the recovery of previously backed-up files through them, according to the following syntax:
After the encryption phase, DarkSide is designed to communicate with its command and control server in order to share details relating to the victim (victimID) as well as further parameters useful for recovering encrypted files and identifying the affiliate. Most probably these network capabilities have been added in order to support the R-a-a-S model. In the analyzed sample, the CnC (Command and Control) is hosted on the domain name securebestapp20.com. Detecting network activities potentially related to this threat could therefore involve writing SNORT rules similar to the following:
alert udp $HOME_NET any -> any 53 (msg:"DNS request for a blacklisted domain 'securebestapp20.com'"; content:"|0f|securebestapp20|03|com|00|"; nocase; reference:url,https://www.emanueledelucia.net/; sid:[SID HERE]; rev:1;)
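The content match in the rule above is the domain in DNS wire format: each label is preceded by its length byte (`|0f|` for the 15-character label, `|03|` for `com`) and the name ends with `|00|`. The following added example, not code from the original post, encodes a name that way, renders the same Snort content string, and checks constructed DNS query payloads against it. Matching on the length-prefixed form is what keeps a lookalike such as notsecurebestapp20.com from hitting; the packet bytes here are constructed.

```python
"""Added example: DNS QNAME encoding and the Snort content string it produces.

All DNS payloads here are constructed for the demonstration.
"""
import struct


def encode_qname(domain: str) -> bytes:
    """DNS wire format: each label prefixed with its length, terminated by 0x00."""
    out = b""
    for label in domain.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack(">HH", 1, 1)


def snort_content(domain: str) -> str:
    """Render the QNAME as a Snort 'content' value, with |hex| escapes for length bytes."""
    labels = domain.rstrip(".").split(".")
    return "".join("|%02x|%s" % (len(label), label) for label in labels) + "|00|"


def matches_domain(payload: bytes, domain: str) -> bool:
    """Case-insensitive search, mirroring the rule's 'nocase' modifier.

    bytes.lower() only touches ASCII letters; label length bytes are at most 63,
    so they are never altered by the lowering.
    """
    return encode_qname(domain.lower()) in payload.lower()


if __name__ == "__main__":
    print(snort_content("securebestapp20.com"))
    print(matches_domain(build_query("SecureBestApp20.com"), "securebestapp20.com"))
```

A query for a subdomain of the C2 name (for example `x.securebestapp20.com`) still matches, because its QNAME contains the full `|0f|securebestapp20|03|com|00|` sequence; that is the behaviour you want from a C2 domain signature.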
This domain name was created on 16/09/2020 and, according to my visibility, at the time of writing it has a history of two (2) associated A records. The interesting one is linked to the IP 185.105.109.19. It is interesting to note that the pDNS count value for this domain name from 21/09/2020 (day of first observed resolution to 185.105.109.19) to 05/01/2021 (day of last observed resolution to 185.105.109.19) is less than 180 and that most of the resolutions occurred from early November until today. This suggests a growth of the spread and, obviously, of the R-a-a-S business as well. In general, moreover, this number is also consistent with the low overall volume of DarkSide campaigns observed at least until mid-November 2020. This is further confirmed by the payload-side visibility available to me for this malware family. Detection hits for the DarkSide malware family up to December 2020 are shown below:
Welcome to Darkside
On 11/10/2020 a user posted an announcement titled “[Affiliate Program] Darkside Ransomware” on a Russian-speaking darkweb forum. The text contained in that post officially started the project’s affiliate program. Press articles have been used in order to advertise the program itself as well as the skills of the group, which are “aimed only at large corporations” as originally posted by the threat actor itself:
Not welcome in the affiliate program are, among others, English-speaking individuals, employees of the secret services, security researchers, the greedy (at least as I seem to understand it), etc.
There are, moreover, some rules to be respected, such as avoiding targeting entities within countries belonging to the CIS (Содружество Независимых Государств), including Georgia and Ukraine, or those operating in the education, medicine, public and non-profit sectors.
As you might imagine for any other job, there is a selection process to go through in order to be included in the program. This includes an interview to check the candidate’s skills and experience, such as having been affiliated with some other program previously.
The group offers a Windows and Linux version of DarkSide ransomware plus an admin panel, a leak site and a CDN system for data storage.
So, do you have ESXi?
At the end of November 2020, a Linux variant (ELF64) of DarkSide ransomware was uploaded to a well-known online malware repository. It had a detection rate, at the time of upload, that was practically non-existent. Even at the time of writing (Jan 2021) the detection rate is very low (2/63). It seems to have a quite different purpose compared to the Windows counterpart. While the latter was born to encrypt all user files on a workstation (documents, images, PDFs and so on…), the Linux version has been created to damage virtual machines on servers. Indeed, the sample looks for extensions related to VMware files like .vmdk, .vmem, .vswp and generic log formats.
The ransom note is similar to the Windows one:
and the output of the executable, once launched, confirms the focus on ESXi environments:
as /vmfs/volumes/ is the default location of ESXi virtual machines.
A strict Yara rule similar to the following can help in identifying Linux variants of DarkSide:
rule DarkSide_Ransomware_827333_39930 : CRIMEWARE
{
    meta:
        author = "Emanuele De Lucia"
        description = "Detects possible variants of Linux DarkSide ransomware variants"
        hash1 = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5"
    strings:
        $ = "vmdk,vmem,vswp,log" fullword ascii
        $ = "XChaCha20" fullword ascii
        $ = "Partial File Encryption Tool" fullword ascii
        $ = "main.log" fullword ascii
    condition:
        (uint16(0) == 0x457f and all of them)
}
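Two details of the rule above deserve spelling out: `uint16(0) == 0x457f` reads the first two bytes of the file as a little-endian integer, which is the ELF magic `\x7fE`, so the rule cannot fire on a PE or on a text dump of strings; and `fullword` requires each string to be bounded by non-alphanumeric bytes, so `main.log` will not match inside `domain.logs`. The following added example, not the author's code, reproduces both checks in plain Python against constructed buffers so their effect can be seen directly.

```python
"""Added example: what the Linux DarkSide rule's condition actually evaluates.

All sample buffers are constructed; none are bytes from the real sample.
"""
import re
import struct
from typing import Optional

# The four strings from the rule above, all declared 'fullword ascii'.
FULLWORD_STRINGS = [
    b"vmdk,vmem,vswp,log",
    b"XChaCha20",
    b"Partial File Encryption Tool",
    b"main.log",
]
ELF_MAGIC_LE = 0x457F  # b"\x7fE" read as a little-endian uint16


def uint16(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(): little-endian 16-bit read, None if the file is too short."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': the match must not be adjacent to an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """(uint16(0) == 0x457f and all of them), as in the rule's condition."""
    return uint16(data, 0) == ELF_MAGIC_LE and all(
        fullword_present(data, s) for s in FULLWORD_STRINGS
    )


def constructed_sample(prefix: bytes = b"\x7fELF", joiner: bytes = b"\x00") -> bytes:
    """Constructed buffer: a file prefix, then the strings separated by NUL bytes."""
    return prefix + b"\x02\x01\x01" + joiner.join(FULLWORD_STRINGS) + joiner


if __name__ == "__main__":
    print("ELF sample matches:", rule_matches(constructed_sample()))
    print("PE-prefixed sample matches:", rule_matches(constructed_sample(prefix=b"MZ\x90\x00")))
```

When writing a rule of this kind for a new family, checking each string with `fullword_present` against a benign corpus before shipping is a cheap way to catch terms that are substrings of common words.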
Also for the Linux version, communications with the outside world take place through the same domain name previously reported and a specially crafted URL for each victim. Through Sigma it is possible to write rules aimed at detecting DNS resolution requests to the domain name on which the command and control is actually hosted:
title: Detects resolution requests to DarkSide Command and Control domain name
status: stable
description: Detects resolution requests to DarkSide Command and Control domain name
references:
    - https://www.emanueledelucia.net/fighting-the-darkside-ransomware/
author: Emanuele De Lucia
date: 2020/12/01
tags:
    - attack.t1071.001
logsource:
    category: dns
detection:
    selection:
        query:
            - 'securebestapp20.com'
    condition: selection
falsepositives:
    - internal research
level: high
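To see what the rule above actually selects, the following added example (not the author's rule tooling, and not a Sigma backend) evaluates its `detection` section over constructed DNS log records: a map of field to value(s) is an AND across fields and an OR across listed values, string comparison is case-insensitive, and `condition: selection` simply takes that map. It also handles the `|endswith`, `|startswith` and `|contains` field modifiers so the difference between the exact-match rule above and a subdomain-aware variant is visible. The log records and the field names are constructed.

```python
"""Added example: a minimal evaluator for the DNS Sigma rule above.

Records and field names are constructed; a real deployment compiles the rule
to the SIEM's query language instead of evaluating it in Python.
"""
from typing import Any, Dict, List

SIGMA_DETECTION = {
    "selection": {"query": ["securebestapp20.com"]},
    "condition": "selection",
}

# Constructed records in the shape of a generic 'category: dns' logsource.
SAMPLE_LOGS = [
    {"timestamp": "2020-12-01T10:00:01Z", "src_ip": "10.0.0.5", "query": "update.example.org"},
    {"timestamp": "2020-12-01T10:00:02Z", "src_ip": "10.0.0.7", "query": "SecureBestApp20.com"},
    {"timestamp": "2020-12-01T10:00:03Z", "src_ip": "10.0.0.9", "query": "c2.securebestapp20.com"},
]


def _field_matches(spec: str, expected: Any, record: Dict[str, Any]) -> bool:
    """One 'field|modifier: value(s)' entry; values in a list are OR-ed."""
    name, _, modifier = spec.partition("|")
    if name not in record:
        return False
    actual = str(record[name]).lower()  # Sigma string matching is case-insensitive
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "" and actual == value:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier not in ("", "endswith", "startswith", "contains"):
            raise NotImplementedError("modifier not handled here: " + modifier)
    return False


def selection_matches(selection: Dict[str, Any], record: Dict[str, Any]) -> bool:
    """A selection map is an AND over all of its field entries."""
    return all(_field_matches(spec, exp, record) for spec, exp in selection.items())


def evaluate(detection: Dict[str, Any], records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the records the rule would alert on (only 'condition: selection' is supported)."""
    if detection["condition"] != "selection":
        raise NotImplementedError("only the bare 'condition: selection' form is handled here")
    return [r for r in records if selection_matches(detection["selection"], r)]


if __name__ == "__main__":
    for hit in evaluate(SIGMA_DETECTION, SAMPLE_LOGS):
        print("ALERT", hit["timestamp"], hit["src_ip"], hit["query"])
```

Run against the constructed records, the rule as written alerts only on the exact name (the 10.0.0.7 record); the `c2.` subdomain query passes silently, which is the reason a `query|endswith` selection is the usual choice when the adversary's name may be used with victim-specific labels.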
Adversary Profile
From mid-November 2020, following the affiliation program, it is more difficult to associate the exclusive use of DarkSide ransomware with a specific threat actor. However, some similarities with REvil suggest that its developer may be familiar with that solution, to the point of speculating that it may be a former REvil affiliate who, in order to have more control over operations and not divide the profits, launched his own project, further enhanced by an independent affiliate program.
Regardless of the specific actor behind the operations, DarkSide can be delivered via several vectors, usually after gathering information about the target. According to my visibility, at least one threat actor who used DarkSide adopted the phishing technique (T1566) in order to deliver a first-stage payload whose exploitation finally allowed the distribution of DarkSide variants within the victim environment. Other intrusion techniques involve exploiting vulnerabilities in exposed applications (T1190) in order to get a first foothold from which to perform lateral movement.
MITRE ATT&CK

| Technique | Tactic | Description |
|---|---|---|
| T1190 | Access | Adversaries may attempt to take advantage of a weakness in an Internet-facing application using software, data, or commands in order to cause unintended or unanticipated behavior. |
| T1566 | Access | Adversaries may send phishing messages to gain access to victim systems. |
| T1059.001 | Execution | Adversaries may abuse PowerShell commands and scripts for execution. |
| T1059.005 | Execution | Adversaries may abuse VBS scripts in order to perform tasks on the victim’s machine. |
| T1548.002 | Privilege Escalation | Adversaries bypass UAC mechanisms to elevate privileges on the system. |
| T1218.003 | Defense Evasion | Adversaries abuse CMSTP to proxy execution of malicious code. |
| T1140 | Defense Evasion | Adversaries use obfuscated files or information to hide artifacts of an intrusion from analysis. |
| T1083 | Discovery | Adversaries enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| T1057 | Discovery | Adversaries attempt to get information about running processes on a system. |
| T1071.001 | Command and Control | Adversaries may communicate using application layer protocols associated with web traffic. |
| T1486 | Impact | Adversaries encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. |
| T1489 | Impact | Adversaries stop or disable services on a system to render those services unavailable. |
During research and analysis activities in Q3 2020, it has been possible to observe continued activity from GuLoader while it was spreading different types of malware payloads. GuLoader is a quite well-made software (or “malware”) protector and downloader. However, it is mainly used to spread different kinds of malicious artifacts worldwide.
Although this piece of malware garnered widespread attention for having been related to an Italian company by a Check Point research paper, the audience of threat actors currently using it does not seem to have been affected in any way by the news.
What is GuLoader?
GuLoader is a piece of software very well rooted in the malware business. It is a relatively new service aimed at replacing traditional packers and encryptors and has been widely adopted in the criminal underground.
It basically acts as a dropper (usually retrieving the final payload from a hardcoded URL) and therefore is part of those categories of malware that are able to deliver and spread other malware. However, the company that deals with its development and maintenance has also designed a variant capable of carrying its payload embedded in the sample itself instead of retrieving it from a URL. This is named “DarkEyE Protector“.
Anyway, one of the distinguishing features of the original GuLoader dropper is precisely that it uses URLs to download and execute further malicious components. Most of the URLs used by the malware refer to well-known cloud services like Google Drive and Microsoft OneDrive.
The typical behavioral pattern of infections attributable to GuLoader could be represented by the following graph:
Basically, an initial dropper delivered through malspam campaigns is designed to download and execute further malicious payloads.
How does it technically work?
Long story short, I have summarized in a simplified graph the behavior of the typical GuLoader implant (please note the icon of paradise for the “Heaven’s Gate” technique :] ) as observed in the months of June and July 2020.
This software is constantly evolving, so some relationship could change from version to version but in principle it should cover a good percentage of the samples in circulation.
This graph is shown below:
How is GuLoader’s health after the media attention?
It seems quite well! According to the visibility I have, starting from the beginning of July 2020, a total of 505 unique URLs can be linked to the threat in question. Among these we find the use of Google Drive, Microsoft OneDrive, compromised websites and infrastructures built specifically for this by threat actors.
The following graph shows a breakdown statistic in respect to the type of URLs observed in delivering final payloads starting from a GuLoader sample (note: “Others” includes compromised websites and actor controlled infrastructure):
As for the final payloads served by this dropper, below is another graph relating to the five (5) most common malware families observed (always according to the visibility personally available to me):
Conclusion
This software, to date, still helps threat actors with little or no deep technical skill to evade common detection systems and carry out malicious campaigns aimed at collecting credentials and private information and at obtaining unauthorized access to and control of victim environments.