
New GuLoader campaign in Italy

A new campaign has been discovered targeting organizations in Italy, and spreading the GuLoader malware via a fake RFQ (Request For Quotation). For those of you who don’t remember it, GuLoader is a malware downloader that stores its encrypted payload on cloud services like Google Drive or Microsoft OneDrive. It was first observed in late December 2019, and it’s very popular among threat actors because it is extremely flexible and can be used to distribute multiple malicious payloads, including Agent Tesla, FormBook, NanoCore, Netwire, Remcos, and Ave Maria.

In this specific campaign, everything starts with an email containing an RFQ document. In reality the attachment is an archive containing the GuLoader executable that, once executed, will download the malicious payload from a Google Drive URL (the URL is visible at this link).
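To illustrate the two stages described above (a lure archive carrying an executable, then a payload fetch from Google Drive or OneDrive), here is an added Python example written for this post, not Netskope's own code: it flags executables inside a zip attachment and binary downloads from cloud-storage hosts in a constructed proxy log. The host list, log line format and all sample values are assumptions.

```python
import io
import zipfile
from typing import List
from urllib.parse import urlsplit

# Cloud-storage hosts used for payload staging (the post names Google Drive and OneDrive);
# these exact hostnames are an assumption, extend them for your environment.
CLOUD_STORAGE_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")
PAYLOAD_TYPES = {"application/octet-stream", "application/gzip", "application/x-gzip"}
PE_MAGIC = b"MZ"  # DOS header magic every Windows PE file starts with

def suspicious_archive_members(archive_bytes: bytes) -> List[str]:
    """Zip members that are Windows executables by extension or by MZ header (renamed .exe)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if info.filename.lower().endswith(EXECUTABLE_EXTS) or head == PE_MAGIC:
                hits.append(info.filename)
    return hits

def cloud_payload_downloads(log_lines: List[str]) -> List[str]:
    """Proxy lines ('<ts> <user> <url> <content-type>') fetching a binary/gzip from cloud storage."""
    flagged = []
    for line in log_lines:
        ts, user, url, ctype = line.split()
        host = (urlsplit(url).hostname or "").lower()
        binary_like = ctype in PAYLOAD_TYPES or url.lower().endswith(EXECUTABLE_EXTS + (".gz",))
        if host in CLOUD_STORAGE_HOSTS and binary_like:
            flagged.append(f"{ts} {user} {url}")
    return flagged

def build_sample_attachment() -> bytes:
    """Constructed lure archive: an RFQ-named member that is really a (fake) PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RFQ_2020-01.pdf.exe", PE_MAGIC + b"\x00" * 62)  # fake PE header
        zf.writestr("RFQ_2020-01.txt", b"Please see the attached quotation request.")
    return buf.getvalue()

SAMPLE_PROXY_LOG = [  # constructed sample lines, not from the real campaign
    "2020-01-08T09:12:01Z alice https://drive.google.com/uc?export=download&id=PLACEHOLDER application/octet-stream",
    "2020-01-08T09:12:05Z alice https://www.example.com/index.html text/html",
    "2020-01-08T09:13:40Z bob https://onedrive.live.com/download?cid=PLACEHOLDER application/gzip",
]
```

Both checks are hunting heuristics: legitimate binaries are also served from these hosts, so treat a hit as a lead to correlate with the originating email, not as a verdict.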

Threat Mitigation

At the time of writing, this campaign was just hours old; however, the malicious Google Drive URL was already in our threat intelligence. I tried to access it, and this is the result:

And what follows is a snapshot of the “Alert Details” window.

Even if the URL of a new threat is not yet in our threat intelligence, we have you covered anyway, because we can inspect cloud and web traffic with our multi-layer threat protection engine. In this specific case I tried to download the malware samples (both the .gz and the .exe), and they are detected by our AV engine as “Trojan.GenericKD.45528738”.

New year… Old cloud-native threats.

Stay Safe!

Paolo

Cloud Security Netskope
