GuLoader Drops NanoCore

1.0Infoblox Bloghttps://www.infoblox.com/blogInfoblox Threat Intelhttps://www.infoblox.com/blog/author/infoblox-threat-intel/GuLoader Drops NanoCorerich600338<blockquote class="wp-embedded-content" data-secret="z7jkZ0K56d"><a href="https://www.infoblox.com/blog/threat-intelligence/guloader-drops-nanocore/">GuLoader Drops NanoCore</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://www.infoblox.com/blog/threat-intelligence/guloader-drops-nanocore/embed/#?secret=z7jkZ0K56d" width="600" height="338" title="“GuLoader Drops NanoCore” — Infoblox Blog" data-secret="z7jkZ0K56d" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script type="text/javascript"> /* <![CDATA[ */ /*! This file is auto-generated */ !function(d,l){"use strict";l.querySelector&&d.addEventListener&&"undefined"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),o=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),c=new RegExp("^https?:$","i"),i=0;i<o.length;i++)o[i].style.display="none";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute("style"),"height"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):"link"===t.message&&(r=new URL(s.getAttribute("src")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",function(){for(var e,t,s=l.querySelectorAll("iframe.wp-embedded-content"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute("data-secret"))||(t=Math.random().toString(36).substring(2,12),e.src+="#?secret="+t,e.setAttribute("data-secret",t)),e.contentWindow.postMessage({message:"ready",secret:t},"*")},!1)))}(window,document); //# sourceURL=https://www.infoblox.com/blog/wp-includes/js/wp-embed.min.js /* ]]> */ </script> https://www.infoblox.com/blog/wp-content/uploads/top-10-dns-attacks.jpg660454From 8 to 10 June, we observed a malicious spam (malspam) email campaign distributing the malware downloader GuLoader, which dropped the NanoCore remote access trojan (RAT). While this specific campaign used GuLoader to deliver NanoCore, other campaigns have used this downloader to drop information stealers such as LokiBot,1 Raccoon, Formbook,2 and other malware.