A new campaign has been discovered targeting organizations in Italy, and spreading the GuLoader malware via a fake RFQ (Request For Quotation). For those of you who don’t remember it, GuLoader is a malware downloader that stores its encrypted payload on cloud services like Google Drive or Microsoft OneDrive. It was first observed in late December 2019, and it’s very popular among threat actors because it is extremely flexible and can be used to distribute multiple malicious payloads, including: Agent Tesla, FormBook, NanoCore, Netwire, Remcos, Ave Maria.
In this specific campaign, everything starts with an email containing an RFQ document. In reality the attachment is an archive containing the GuLoader executable that, once executed, will download the malicious payload from a Google Drive URL (the URL is visible at this link).
At the time of writing, this campaign was just hours old, however the malicious Google Drive URL was already in our threat intelligence. I tried to access it, and this is the result
And what follows is a snapshot of the “Alert Details” window.
If ever the URL of a new threat is not yet in our threat intelligence, we have got you covered anyway because we can inspect cloud and web traffic with our multi-layer threat protection engine. In this specific case I tried to download the malware samples (both the .gz and the .exe), and they are detected by our AV engine as “Trojan.GenericKD.45528738”.