S0561 GuLoader
GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.[1][2]
| Item | Value |
|---|---|
| ID | S0561 |
| Associated Names | - |
| Type | MALWARE |
| Version | 2.0 |
| Created | 11 January 2021 |
| Last Modified | 15 October 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | GuLoader can use HTTP to retrieve additional binaries.[1][2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | GuLoader can establish persistence via the Registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | GuLoader can delete its executable from the `AppData\Local\Temp` directory on the compromised host.[1] |
| enterprise | T1105 | Ingress Tool Transfer | GuLoader can download further malware for execution on the victim's machine.[2] |
| enterprise | T1106 | Native API | GuLoader can use a number of different APIs for discovery and execution.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | GuLoader has been spread in phishing campaigns using malicious web links.[1] |
| enterprise | T1055 | Process Injection | GuLoader has the ability to inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | GuLoader has relied upon users clicking on links to malicious documents.[1] |
| enterprise | T1204.002 | Malicious File | The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call `EnumWindows`, and checking for the QEMU guest agent.[2] |
| enterprise | T1497.003 | Time Based Evasion | GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.[2] |
| enterprise | T1102 | Web Service | GuLoader has the ability to download malware from Google Drive.[2] |