A malware loader known as GuLoader has been observed targeting the US financial sector using phishing emails with a tax-themed lure.
Security researchers at eSentire shared the findings in an advisory published on Monday.
“GuLoader, also known as CloudEyE, is a loader malware that is known to deliver additional malware, such as infostealers and Remote Access Trojans (RATs),” wrote eSentire’s Threat Response Unit (TRU).
“The loader contains multiple stages of shellcode and is known for being one of the most advanced loaders with numerous anti-analysis techniques.”
The campaigns targeting US financial firms were observed by the TRU in March 2022.
“The phishing email contained a shared link to Adobe Acrobat, where the user could download the password-protected ZIP archive,” reads the advisory.
The ZIP archive, in turn, contains a decoy image and a shortcut file disguised as a PDF. The latter relies on PowerShell to download additional payloads from the website.
“GuLoader achieves persistence via Registry Run Keys,” eSentire wrote. “The ‘State’ registry key contains the obfuscated PowerShell script that reflectively loads the GuLoader shellcode in memory.”
According to the team, the malware loader is indicative of the fact that tax-themed phishing lures are a popular tactic used by cybercriminals during tax season.
“These lures typically take the form of fake emails that appear to be from legitimate tax authorities, such as the IRS, and often contain urgent messages about tax refunds or payments,” reads the advisory.
“Once the malware is installed, attackers can access the victim's system and data, allowing them to conduct further attacks.”
Read more on scams like this here: IRS Phishing Emails Used to Distribute Emotet
Further, eSentire explained that password-protected ZIP archives are often an efficient way to bypass email filters and antivirus programs.
“By compressing a file into a password-protected archive, the file becomes more difficult for antiviruses and email filters to scan and analyze since they cannot scan the contents of the archive without the correct password.”
Another malware campaign relying on ZIP archives was recently attributed to threat actors who used them to deploy the MortalKombat ransomware.