Author: Nicholas Sundvall
TLP: WHITE
From 8 to 10 June, we observed a malicious spam (malspam) email campaign distributing the malware downloader GuLoader, which dropped the NanoCore remote access trojan (RAT). While this specific campaign used GuLoader to deliver NanoCore, other campaigns have used this downloader to drop information stealers such as LokiBot,[1] Raccoon, Formbook,[2] and other malware.
GuLoader is a malware downloader that was first observed in December 2019.[3] It has become an increasingly popular tool for threat actors looking to distribute different RATs and information stealers.
NanoCore is a popular RAT that can log keystrokes, view the user’s desktop, access devices such as microphones and web cameras, as well as steal usernames, passwords, files, emails, and other data from the victim. Threat actors have been using NanoCore for several years, but have more recently begun using GuLoader as a precursor to gain access to victim computers.
In this campaign, the threat actor sent emails with the subject “Re: RE : INVOICE SLIP” and a message body asking the recipient to look at an attached invoice. Every email we observed had one of three different attached files, all of which were Rich Text Format (RTF) files attempting to masquerade as Microsoft Word files with .doc extensions.
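The extension/content mismatch described above (RTF bodies delivered under a .doc name) is something a mail gateway or triage script can check directly from the leading bytes of an attachment. The following is an added example written for this post, not code from the Infoblox report; the attachment names and truncated file bodies are constructed.

```python
# Added example (not from the Infoblox report): flag e-mail attachments whose
# declared extension does not match the file's actual container format, the
# mismatch this campaign relied on (RTF content delivered as ".doc").
import os

# Magic bytes for the formats a ".doc" lure might actually contain.
SIGNATURES = {
    b"{\\rtf": "rtf",                              # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy binary Word (.doc)
    b"PK\x03\x04": "zip",                          # OOXML container (.docx)
}

# Which container each extension legitimately maps to.
EXPECTED = {".doc": {"ole"}, ".docx": {"zip"}, ".rtf": {"rtf"}}


def detect_format(data: bytes) -> str:
    """Identify the real container from leading bytes (or 'unknown')."""
    head = data[:16].lstrip()  # tolerate leading whitespace before the header
    for magic, fmt in SIGNATURES.items():
        if head.startswith(magic):
            return fmt
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: actual format, claimed extension,
    and whether the pair is a mismatch worth alerting on."""
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_format(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual not in expected
    return {"filename": filename, "extension": ext, "actual": actual,
            "mismatch": mismatch}


# Constructed sample attachments (hypothetical names, truncated bodies).
SAMPLES = [
    ("INVOICE SLIP.doc", b"{\\rtf1\\ansi{\\*\\objdata ...}}"),   # RTF posing as .doc
    ("invoice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("invoice.docx", b"PK\x03\x04" + b"\x00" * 12),
]


def scan(samples=SAMPLES) -> list:
    """Return only the verdicts that should raise an alert."""
    return [v for v in (check_attachment(n, d) for n, d in samples) if v["mismatch"]]


if __name__ == "__main__":
    for verdict in scan():
        print(f"ALERT {verdict['filename']}: {verdict['actual']} content "
              f"with {verdict['extension']} extension")
```

Only the RTF-as-.doc sample is reported; the genuine binary .doc and .docx samples pass.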
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–62
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–24
3. https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services