{"id":6960,"date":"2021-09-07T15:30:44","date_gmt":"2021-09-07T22:30:44","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6960"},"modified":"2024-08-07T12:19:16","modified_gmt":"2024-08-07T19:19:16","slug":"guloader-delivers-remcos-rat","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/guloader-delivers-remcos-rat\/","title":{"rendered":"GuLoader Delivers Remcos RAT"},"content":{"rendered":"

Author: Christopher Kim<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 1 and 2 September, Infoblox observed a malicious email campaign distributing the trojan downloader GuLoader. The malware downloaded and executed the remote access trojan (RAT) Remcos. Although this campaign used GuLoader to deliver Remcos, other campaigns have used GuLoader to drop other kinds of RATs, such as NanoCore.1<\/sup><\/p>\n

2. Customer impact<\/h3>\n

Security researchers first discovered GuLoader in December 2019. The malware, written in Visual Basic 6.0, is primarily used to download RATs and information stealers.2<\/sup><\/p>\n

As a typical RAT, Remcos can steal information by capturing keystrokes, taking screenshots, checking browser cache and settings, and searching for files that contain passwords.3<\/sup><\/p>\n

3. Campaign analysis<\/h3>\n

All emails had the From name Lulama Mbanjwa, and email subject CV\/Accountant. Embedded in the emails was a malicious Office Open XML spreadsheet, Retha F. Fourie CV.xlsx, which posed as a purchase-order form and was written in Chinese.<\/p>\n

4. Attack chain<\/h3>\n

When the victim downloads the email attachment and opens the file, the malware exploits CVE-2017-11882; this stack-based buffer overflow vulnerability in Microsoft Office Equation Editor (EQNEDT32.EXE) allows threat actors to remotely execute code on a vulnerable system. If the exploit succeeds, EQNEDT32.EXE downloads and executes the GuLoader payload XNJ.exe.<\/p>\n

GuLoader then attempts to evade debugging and malware analysis by detecting sandboxes and dynamic analysis tools, hiding threads from debuggers, and using other techniques; if successful, it downloads the Remcos payload and executes it.<\/p>\n

Remcos connects to its command and control (C&C) server every five minutes, giving the actors persistent access to the infected machine and the ability to steal system information.<\/p>\n

\"\"<\/h3>\n

5. Vulnerabilities and mitigation<\/h3>\n

A GuLoader infection can compromise an organization\u2019s data integrity and cause financial losses. We recommend that organizations take the following actions to strengthen their cyber defenses against the kinds of attacks described in this report:<\/p>\n