Threat Signal Report

GuLoader Spam Indiscriminately Sent to State Elections Board

Description

Recently, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement - Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections (9I-100622-PSA). The focus of the PSA was to inform the public of the potential manipulation of the midterm election cycle in the United States by foreign agents using social engineering and social media disinformation tactics to influence voters and to sow discord as well.


Around the time of the announcement, FortiGuard Labs observed a GuLoader campaign being sent to an elections body in the United States. Although there is no sign that the elections body was specifically targeted, we want to highlight what these attacks involve given the 2022 U.S. midterm elections in November. The infection vector is plain malicious spam that relies on neither a vulnerability exploit nor macros.


FortiGuard Labs found a campaign from a purported industrial equipment manufacturer in Indonesia, containing a malicious ISO attachment.


Figure 1. Email used in this spam campaign


ISO email attachments are often used to avoid detection by security solutions, because the malicious executable sits inside a container image rather than being attached directly. Opening the attachment mounts the ISO file, and once it is mounted an EXE file, a GuLoader malware variant, becomes visible. The victim then needs to run the "Requisition order-PT. LFC Teknologi,pdf.exe" executable manually to start the infection routine.
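The two defensive checks that follow from this, triaging disk-image attachments by content rather than extension and flagging executables named to look like documents, are shown below as an added example. This is not FortiGuard code; the email message is constructed for the example, and the ISO attachment is a minimal stand-in that only carries the ISO 9660 volume descriptor signature ("CD001" at byte offset 0x8001) so the content check has something to key on.

```python
"""Triage an email for disk-image attachments and deceptive executable names.

Added example, not FortiGuard code. The message is constructed for the
example, with a minimal stand-in for the ISO attachment: a real ISO 9660
image carries the volume descriptor signature "CD001" at byte offset 0x8001,
and the check below keys on that instead of trusting the file extension.
"""
from __future__ import annotations

import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Container formats that mount as a drive letter and often carry a bare executable
IMAGE_EXTENSIONS = {".iso", ".img"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Document types an attacker might name a binary after to make it look harmless
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

ISO_SIGNATURE = b"CD001"
ISO_SIGNATURE_OFFSET = 0x8001  # primary volume descriptor starts at sector 16, byte 1


def is_iso9660(data: bytes) -> bool:
    """Return True if the bytes carry the ISO 9660 volume descriptor signature."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def deceptive_executable_name(filename: str) -> bool:
    """Flag names that end in an executable suffix but advertise a document type.

    Splitting on commas, underscores, hyphens and spaces as well as dots catches
    tricks like "order,pdf.exe", where a comma stands in for the second dot.
    """
    name = filename.lower().strip()
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTENSIONS:
        return False
    tokens = [t for t in re.split(r"[.,_\-\s]+", stem) if t]
    return bool(tokens) and tokens[-1] in DOCUMENT_TOKENS


def triage_message(raw: bytes) -> list[dict]:
    """Return one finding per suspicious attachment in an RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = name.lower().rpartition(".")[2]
        reasons = []
        if "." + ext in IMAGE_EXTENSIONS:
            reasons.append("disk-image attachment")
        if is_iso9660(payload):
            reasons.append("ISO 9660 signature present")
        if deceptive_executable_name(name):
            reasons.append("deceptive executable name")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Construct a message shaped like the lure described above (sample data, not the real email)."""
    msg = EmailMessage()
    msg["From"] = "sales@manufacturer.example"
    msg["To"] = "webmaster@elections.example"
    msg["Subject"] = "Requisition order"
    msg.set_content("Please see the attached requisition order.")
    # Minimal stand-in for an ISO image: zero padding up to the descriptor, then the signature
    fake_iso = b"\x00" * ISO_SIGNATURE_OFFSET + ISO_SIGNATURE + b"\x00" * 64
    msg.add_attachment(fake_iso, maintype="application", subtype="x-iso9660-image",
                       filename="Requisition order.iso")
    # A harmless attachment for contrast
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding["filename"], "->", ", ".join(finding["reasons"]))
```

The name check is only useful at the gateway if the gateway also unpacks the image; otherwise it belongs in the endpoint control that sees the file after the user mounts the ISO. The signature check is deliberately independent of the extension, so renaming the image does not hide it.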


Figure 2. GuLoader file in the mounted ISO file


This file is digitally signed, but the signature chains to an untrusted root certificate, as seen below.


Figure 3. Digital signature information for "Requisition order-PT. LFC Teknologi,pdf.exe".


The GuLoader payload is so-called first-stage malware that has been seen in the wild for the past few years. It is designed to deliver a second-stage payload that can be tailored to the attacker's liking. Reported second-stage payloads include Remote Access Trojans (RATs), infostealers, and ransomware.


This particular GuLoader variant reaches out to 195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java, which was no longer available at the time of the investigation. However, we believe the .java file is either a decryption key or the payload to be downloaded. Another GuLoader sample (SHA2: 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e) was submitted to VirusTotal on September 14th. This sample accesses 195[.]178[.]120[.]184/uFLBwGvx55[.]java, and available OSINT suggests that the payload is the Azorult infostealer.


Azorult is capable of exfiltrating data such as passwords from browsers, email clients, and FTP servers, and of harvesting files with extensions specified by the attacker. It can also collect machine information such as user and computer name, installed programs, and Windows version. Such stolen information can be a precursor to future attacks.


Based on the traits of the GuLoader sample, FortiGuard Labs tracked down additional files involved in the same malicious spam campaign. The attacker mostly used IMG and ISO attachments along with file names in English, German, Spanish, Turkish, and Chinese. Taking a look at VirusTotal, submissions of the attachments are from the US, Czechia, China, Turkey, Germany, UK, Israel, Ireland, and Hungary. The GuLoader variant was also submitted to VirusTotal from the US, Bulgaria, Canada, China, the United Arab Emirates, and Korea.


The email delivered to a board of elections in the United States was sent to a publicly available webmaster address. This indicates that the attacker sent these malicious emails to as many recipients as possible in the hope that someone would manually execute the malware. Even so, a successful infection would be the first step toward compromising machines related to this state's elections board. It would give the attacker a foothold from which to obtain unauthorized data for dissemination, to pursue various forms of disruption (ransomware, wiping, extortion, etc.), or, worse, to sell that access to another adversary for financial gain.


Fortinet Protections

Fortinet customers are already protected from the malware identified in this report through FortiGuard's Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:


The following antivirus (AV) signatures detect the malware samples mentioned in this blog:

NSIS/Injector.AOW!tr

W32/BHQ!tr

W32/BHQ.YXCIMZ!tr

W32/Qbot.G!tr

JS/Agent.BLOB!tr.dldr

LNK/Agent.RD!tr

JS/Starter.3A1B!tr

BAT/Starter.NIU!tr


The Web Filtering client blocks all of the network-based URIs listed in this report.


Fortinet also has multiple solutions designed to help train users to understand and detect phishing threats:


The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.


We also suggest that organizations have their end users undergo our FREE NSE training program: NSE 1 - Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.


IOCs

File IOCs (SHA2)

GuLoader variants distributed in this spam campaign

162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f

21d01928ac971c2a228a2d9e7e188aa4a07783924b84e66af618e3155eb282eb

28712de9f03560d66c60812052b514c6a78d41287a03fb3cfdd066741ebc81dc

46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e

70856a79551c2e921db13eb757834a8bcb4a808ad5414e00ba207f7f132cc69f

71186a72ce8b23242674c50e305fe2a1b98605d434d4af6f4190c9bb696e2388

74c91f5ce079fcfdf8ec9813ec3e37c63a46e0d397b8ec31c89ca6bf17fe9229

857364a9a903444a86b2f8d129c00bb5727beabcee4c1a8103b561ead678956f

9ac2c9bce0561cb760098b252f3096cf1222e35bfdc1d380b1dc654dd81ed641

9e147e27260eafbc680958cd72cf32143a426d245c29b09efdd78746752e6471

9f245c6d31b3e8b7389053d954121927093a592b08bc02f3bac2516e78aa5808

aeca53c38a1bc40b7a53d5fcf7adceda97ac54ac56af1f161763c622c8e70d4f

b531a9e5b9ba3e10ec2ac3428e0a9835b9468943580df0894483ee9a91377294

b990b2e60ff7d5cbb74d1e42c87b08c722cc1db380608b58f2c8d4e51e8a1402

bb374bed2c79ac878b6626a1537f6f7869ab6176fba4e0f5cb16f11a255a285b

cf7188027fdf9e58695083342a2217ab861354ce960b324f4f59cbd350569a6c

d3d3a37db592226da6dcece19a2344e8a942b197001078fbdb518f262287e48f

ddf7d6b4d3b9677c5801cf1a7889c7396cce76752c593417b381e5abaf4bd1a5

e8ba90c9d071f49c4c8761ce1fcdd44f1d672c891a8625a1b2352a047bfd2b42

e929eddc1a4fa72a448d92b73ec8a4d4497bf8b1f937606f69a6ff831a66b45e


Email attachments (IMG and ISO) used to distribute GuLoader in this spam campaign

162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f

21d01928ac971c2a228a2d9e7e188aa4a07783924b84e66af618e3155eb282eb

28712de9f03560d66c60812052b514c6a78d41287a03fb3cfdd066741ebc81dc

46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e

70856a79551c2e921db13eb757834a8bcb4a808ad5414e00ba207f7f132cc69f

71186a72ce8b23242674c50e305fe2a1b98605d434d4af6f4190c9bb696e2388

74c91f5ce079fcfdf8ec9813ec3e37c63a46e0d397b8ec31c89ca6bf17fe9229

857364a9a903444a86b2f8d129c00bb5727beabcee4c1a8103b561ead678956f

9ac2c9bce0561cb760098b252f3096cf1222e35bfdc1d380b1dc654dd81ed641

9e147e27260eafbc680958cd72cf32143a426d245c29b09efdd78746752e6471

9f245c6d31b3e8b7389053d954121927093a592b08bc02f3bac2516e78aa5808

b531a9e5b9ba3e10ec2ac3428e0a9835b9468943580df0894483ee9a91377294

b990b2e60ff7d5cbb74d1e42c87b08c722cc1db380608b58f2c8d4e51e8a1402

bb374bed2c79ac878b6626a1537f6f7869ab6176fba4e0f5cb16f11a255a285b

cf7188027fdf9e58695083342a2217ab861354ce960b324f4f59cbd350569a6c

d3d3a37db592226da6dcece19a2344e8a942b197001078fbdb518f262287e48f

ddf7d6b4d3b9677c5801cf1a7889c7396cce76752c593417b381e5abaf4bd1a5

e8ba90c9d071f49c4c8761ce1fcdd44f1d672c891a8625a1b2352a047bfd2b42

e929eddc1a4fa72a448d92b73ec8a4d4497bf8b1f937606f69a6ff831a66b45e


Network IOCs related to the GuLoader spam campaign

gwinaz[.]pro/PL341/index.php

kngpdrp[.]shop/PL341/index.php

chino[.]shop/PL341/index.php

www.funeralprogramsshop[.]com/e65x/
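A SOC will usually want to sweep existing telemetry for these indicators rather than only block them going forward. The script below, added here as an example and not FortiGuard tooling, refangs the network IOCs listed above, normalizes them to a (host, path) pair, and matches them against proxy log lines; it also matches SHA-256 values from file-event lines against the file IOCs. The log lines are constructed for the example in a generic "timestamp client method url" and "timestamp host sha256=... path=..." shape; adapt the two regular expressions to your own log format.

```python
"""Match the defanged IOCs from this report against constructed proxy and EDR log lines.

Added example, not FortiGuard tooling. The indicator values are the ones the
report lists; the log lines are constructed for the example, in a generic
"timestamp client method url" and "timestamp host sha256=... path=..." shape.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

NETWORK_IOCS = [
    "195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java",
    "195[.]178[.]120[.]184/uFLBwGvx55[.]java",
    "gwinaz[.]pro/PL341/index.php",
    "kngpdrp[.]shop/PL341/index.php",
    "chino[.]shop/PL341/index.php",
    "www.funeralprogramsshop[.]com/e65x/",
]
# Two of the GuLoader hashes from the report (the full list belongs in a feed, not a script)
FILE_IOCS = {
    "46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e",
    "162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f",
}

PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")
EDR_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sha256=(?P<sha256>[0-9a-fA-F]{64}) path=(?P<path>.+)$"
)


def refang(value: str) -> str:
    """Undo common defanging so an indicator can be compared with live data."""
    return (value.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalize_url(url: str) -> tuple[str, str]:
    """Return (host, path) with the host lower-cased and a default path of '/'."""
    if "://" not in url:
        url = "http://" + url  # the IOCs are given without a scheme
    parts = urlsplit(url)
    return parts.hostname or "", parts.path or "/"


# Pre-compute the refanged, normalized form of each network indicator once
NETWORK_TABLE = [(ioc, *normalize_url(refang(ioc))) for ioc in NETWORK_IOCS]


def url_matches(url: str) -> str | None:
    """Return the matching indicator for a URL, or None.

    A directory indicator (path ending in '/') matches anything beneath it,
    so a request for a file under the listed directory is still caught.
    """
    host, path = normalize_url(url)
    for ioc, ioc_host, ioc_path in NETWORK_TABLE:
        if host != ioc_host:
            continue
        if path == ioc_path or (ioc_path.endswith("/") and path.startswith(ioc_path)):
            return ioc
    return None


def match_proxy(lines) -> list[dict]:
    """Scan proxy log lines and return one hit per request to a listed URL."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        ioc = url_matches(m["url"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "indicator": ioc})
    return hits


def match_edr(lines) -> list[dict]:
    """Scan EDR file-event lines and return one hit per listed SHA-256."""
    hits = []
    for line in lines:
        m = EDR_LINE.match(line)
        if m and m["sha256"].lower() in FILE_IOCS:
            hits.append({"ts": m["ts"], "host": m["host"],
                         "sha256": m["sha256"].lower(), "path": m["path"]})
    return hits


# Constructed sample logs (not real telemetry); the last proxy line exercises the directory rule
PROXY_LOG = """\
2022-10-07T14:02:11Z 10.20.30.41 GET http://195.178.120.184/uFLBwGvx55.java
2022-10-07T14:02:12Z 10.20.30.41 GET https://www.example.test/index.html
2022-10-07T14:05:40Z 10.20.30.57 POST http://KNGPDRP.shop/PL341/index.php
2022-10-07T14:06:02Z 10.20.30.57 GET http://www.funeralprogramsshop.com/e65x/payload.bin
"""
EDR_LOG = """\
2022-10-07T14:07:30Z WS-ELEC-04 sha256=46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e path=D:\\Requisition order-PT. LFC Teknologi,pdf.exe
2022-10-07T14:07:31Z WS-ELEC-04 sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\\Windows\\notepad.exe
"""

if __name__ == "__main__":
    for hit in match_proxy(PROXY_LOG.splitlines()) + match_edr(EDR_LOG.splitlines()):
        print(hit)
```

Matching on the normalized host and path rather than on the raw string avoids misses from mixed-case hostnames or an explicit scheme, and the directory rule means the "/e65x/" indicator catches any file fetched from under it. A hit on the IP-hosted .java URLs is the stronger signal, since it is the download the loader performs after the user has already run the executable.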



Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.