A GuLoader health check: Q3 2020 activity of the {il}legitimate Italian malware downloader

During research and analysis activities on Q3 2020, has been possible to observe a continued activity from GuLoader while it was spreading different types of malware payloads. GuLoader is a quite well made software (or “malware”) protector and downloader. However, it’s mainly used to spread wordwide different kind of malicious artifacts.

Despite this piece of malware garnered widespread popular attention for having been related to an Italian company by a Check Point research paper, the audience of threat actors currently using it does not seem to have been affected in any way by the news.

What is GuLoader ?

GuLoader is a piece of software very well rooted in the malware business. It is a relatively new service aimed at replacing traditional packers and encryptors and has been widely adopted in the criminal underground.

It basically acts as a dropper (usually retrieving the final payload from an hardcoded URL) and therefore is part of those categories of malware that are able to deliver and spread other ones. However, the company that deals with its development and maintenance has also designed a variant capable of carrying its payload embedded in the sample itself instead of retrieving it from a URL. This is named “DarkEyE Protector“.

Anyway, one of the distinguishing features of the original GuLoader dropper is precisely that it uses URLs to download and execute further malicious components. Most of these URLs used by the malware refer to well-known cloud services like Google Drive and Microsoft OneDrive.

The typical behavioral pattern of infections attributable to GuLoader could be represented by the following graph:

Basically, an initial dropper delivered through malspam campaigns is designed to download an execute further malicious payloads.

How does it technically work ?

Long story short, I have summarized in a simplified graph the behavior of the typical GuLoader implant (please note the icon of paradise for the “Heaven’s Gate” technique :] ) as observed in the months of June and July 2020.

This software is constantly evolving, so some relationship could change from version to version but in principle it should cover a good percentage of the samples in circulation.

This graph is shown below:

How is GuLoader’s health after the media attention ?

It seems quite well! According to the visibility I have, starting from the beginning of July 2020, a total of 505 unique URLs can be linked to the threat in question. Among these we find the use of Google Drive, Microsoft OneDrive, compromised websites and infrastructures built specifically for this by threat actors.

The following graph shows a breakdown statistic in respect to the type of URLs observed in delivering final payloads starting from a GuLoader sample (note: “Others” includes compromised websites and actor controlled infrastructure):

As for the final payloads served by this dropper, below is another graph relating to the five (5) most common malware families observed (always according to the visibility I can personally dispose of):


This software, to date, still helps threat actors with low or no deep technical skills to evade common detection systems and carry out malicious campaigns aimed at collecting credentials, private information and in obtaining unauthorized access and control of the victim environments.