GuLoader: The NSIS Vantage Point
By Nico Paulo Yturriaga · January 24, 2023
GuLoader is an advanced shellcode downloader infamous for using anti-analysis tricks to evade detection and obstruct reverse engineering. As of this writing, the GuLoader campaign is aggressively ongoing. Trellix’s customers in the e-commerce industry located in South Korea and the United States were heavily targeted by the GuLoader operators. In this blog, we cover the multiple archive types used by threat actors to trick users into opening an email attachment. We also cover the progression of its distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing the obfuscation and string encryption updates through the year 2022.
Why NSIS Executable Files?
NSIS is an open-source system used to develop Windows installers. Below are some of its notable capabilities.
- Script-based and completely free for any use
- Malicious code and executables can be packaged together with legitimate installers (Figure 1)
- Can call Windows APIs directly (through the bundled System plugin), and plugins are already available for loading .NET modules, MSSQL and others (Figure 2)
A compiled NSIS executable can be identified with a hex editor. The PE carries a .ndata section, and the overlay (the data appended after the last section) begins with the NSIS first header: the 0xDEADBEEF signature at offset 4 and the 12-byte magic "NullsoftInst" at offset 8 from the start of the overlay (Figure 3). Compiler and packer detectors such as PEiD and DIE (Detect It Easy) also identify NSIS executables.
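The overlay check is easy to script. The following is an added example, not code from the original post or from Trellix: it walks the PE section table to find where the overlay begins, then inspects the 28-byte NSIS first header there (flags, the 0xDEADBEEF signature at offset 4, the magic "NullsoftInst" at offset 8, then the header length and the length of all following data). `build_sample` constructs a minimal, non-functional PE so the check runs offline; the sample omits the optional header and real compressed install data, which actual installers have.

```python
"""Identify a compiled NSIS installer by the first header at the start of its PE overlay."""
import struct

NSIS_SIG = 0xDEADBEEF          # firstheader.siginfo
NSIS_MAGIC = b"NullsoftInst"   # firstheader.nsinst, 12 bytes at overlay offset 8


def section_headers(pe: bytes):
    """Return (name, PointerToRawData, SizeOfRawData) for every section in the PE."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)     # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    first = coff + 20 + opt_size                            # section table follows the optional header
    out = []
    for i in range(nsections):
        off = first + i * 40                                # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out


def overlay_offset(pe: bytes) -> int:
    """The overlay starts where the last section's raw data ends."""
    return max(ptr + size for _, ptr, size in section_headers(pe))


def nsis_check(pe: bytes) -> dict:
    """Apply the two identification rules: a .ndata section and the first header in the overlay."""
    secs = section_headers(pe)
    ov = overlay_offset(pe)
    hdr = pe[ov:ov + 28]
    result = {"overlay_offset": ov, "has_ndata": any(n == ".ndata" for n, _, _ in secs),
              "sig_ok": False, "magic_ok": False, "header_len": None, "data_len": None}
    if len(hdr) == 28:
        _flags, sig = struct.unpack_from("<II", hdr, 0)
        result["sig_ok"] = sig == NSIS_SIG
        result["magic_ok"] = hdr[8:20] == NSIS_MAGIC
        result["header_len"], result["data_len"] = struct.unpack_from("<II", hdr, 20)
    result["is_nsis"] = result["has_ndata"] and result["sig_ok"] and result["magic_ok"]
    return result


def build_sample(with_nsis_overlay: bool = True) -> bytes:
    """Constructed minimal PE (not a real installer): a .text section with raw data, an
    uninitialized .ndata section, and optionally an NSIS first header in the overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)     # i386, 2 sections, no optional header

    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0)

    headers = dos + b"PE\0\0" + coff
    headers += section(b".text", 0x200, 0x1000, 0x200, 0x200)
    headers += section(b".ndata", 0x10000, 0x2000, 0, 0)           # SizeOfRawData 0: uninitialized
    image = headers.ljust(0x200, b"\0") + b"\xC3" * 0x200           # overlay therefore begins at 0x400
    if with_nsis_overlay:
        payload = b"\0" * 64                                        # stands in for the install data
        image += struct.pack("<II", 0, NSIS_SIG) + NSIS_MAGIC
        image += struct.pack("<II", 28, 28 + len(payload)) + payload
    return image


if __name__ == "__main__":
    print(nsis_check(build_sample()))
    print(nsis_check(build_sample(with_nsis_overlay=False)))
```

Run the same check over a directory of mail attachments to triage which ones are NSIS-built before spending time on decompilation; a PE that has the magic but no .ndata section, or vice versa, is worth a second look rather than an automatic verdict.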
NSIS Malspam Campaign
In November 2021, before threat actors moved to NSIS executable files, Trellix acquired the zip file 703254254bf23f72b26f54a936cda496 (MD5). The zip file contains a Word document with a macro. The macro drops a shortcut (LNK) and a VBS script; the VBS script drops a PE file, which loads the GuLoader shellcode to download the payload (Figure 4).
In 2022, threat actors transitioned to NSIS executable files for loading the GuLoader shellcode. In one variant, the NSIS executable is embedded in a zip file and the email lures the user to open a "statement of account" (Figure 5). In another, the NSIS executable is embedded in an ISO image and poses as a sales inquiry requesting a quotation for products (Figure 6).
Embedding malicious executable files in archives and disk images can help threat actors evade detection. The container variations we observed in the wild throughout 2022 for delivering NSIS executable files are enumerated in Table 1:
- Dropbox link to a zip archive
- Zip archive with an embedded ISO image
- Password-protected zip
- URL to a CAB file with an embedded CAB file
- ISO image with an embedded RarSFX
In the first two weeks of December 2022, Trellix detected a minimum of 5,000 events related to GuLoader email attachments. At least 15 Trellix customers in 13 countries were targeted across 10 industries (Figure 7 and Figure 8).
NSIS Obfuscation Progression
When threat actors began transitioning to NSIS executable files in February 2022, the NSIS scripts were not obfuscated. The script loaded a .dat file in a straightforward manner and executed its contents as shellcode. In some samples, the NSIS script calls CreateFileA, CreateFileMappingA and MapViewOfFile to map the file into memory, then passes the mapped buffer to EnumDisplayMonitors as its callback so that the shellcode runs (Figure 9).
Within a month, by March 2022, the NSIS scripts were obfuscated. Around April 2022, two further advancements were observed. First, the shellcode file's extension was changed from .dat to a random extension. Second, the obfuscated NSIS script gained an XOR routine that decrypts a further stage of NSIS code, with garbage code inserted around it (Figure 10). The decrypted NSIS code then calls CreateFileA, VirtualAlloc, ReadFile and CallWindowProcW, with the shellcode buffer supplied as the window procedure, to run the GuLoader shellcode (Figure 11).
In September 2022, Trellix acquired further obfuscated NSIS files. These scripts delegate the XOR decoding of the payload to a one-line powershell.exe or cmd.exe command and retrieve the command's stdout via the nsExec plugin's ExecToStack; the resulting second-stage NSIS code calls CreateFileA, NtAllocateVirtualMemory, ReadFile and CloseHandle (Figure 12).
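A practical consequence of the XOR layer introduced in April is that the analyst has to recover the key before the second-stage script can be read. The block below is an added example, not Trellix's code and not taken from the samples: it recovers a short repeating XOR key by crib-dragging a known plaintext, `System::Call`, which any NSIS script that reaches Win32 APIs through the System plugin must contain. The second-stage text (argument lists elided), the file name `Qn9s.ktx` and the key are all constructed; only the API names come from the post.

```python
"""Recover a repeating XOR key from an encrypted NSIS second stage by crib-dragging."""
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data)


def fold_keystream(fragment: bytes, offset: int, keylen: int):
    """Fold a keystream fragment that starts at file offset `offset` onto a key of
    length `keylen`; return the key if the fragment is consistent with that period."""
    key = [None] * keylen
    for i, kb in enumerate(fragment):
        idx = (offset + i) % keylen
        if key[idx] is None:
            key[idx] = kb
        elif key[idx] != kb:
            return None
    return bytes(key) if None not in key else None


def recover_xor_key(ciphertext: bytes, crib: bytes, max_keylen: int = 16):
    """Slide a known plaintext across the ciphertext. At the right offset, ct XOR crib
    is the keystream; if it is periodic with a short period, that period is the key.
    Candidates are ranked by how much of the whole decryption is printable ASCII,
    shorter keys winning ties. Returns (score, key, offset) or None."""
    best = None
    for off in range(len(ciphertext) - len(crib) + 1):
        fragment = bytes(c ^ p for c, p in zip(ciphertext[off:off + len(crib)], crib))
        for keylen in range(1, min(max_keylen, len(crib)) + 1):
            key = fold_keystream(fragment, off, keylen)
            if key is None:
                continue
            score = printable_ratio(xor_bytes(ciphertext, key))
            if best is None or (score, -keylen) > (best[0], -len(best[1])):
                best = (score, key, off)
            break  # shortest consistent period at this offset is enough
    return best


# Constructed stand-in for a decrypted second-stage script; not from a real sample.
SECOND_STAGE = b"""Section
  System::Call 'kernel32::CreateFileA(t "$PLUGINSDIR\\Qn9s.ktx", ...) i .r0'
  System::Call 'kernel32::VirtualAlloc(...) i .r1'
  System::Call 'kernel32::ReadFile(i r0, i r1, ...)'
  System::Call 'user32::CallWindowProcW(i r1, ...)'
SectionEnd
"""
SAMPLE_KEY = b"\x9c\x37\xe1\x5a"              # constructed key
SAMPLE_CT = xor_bytes(SECOND_STAGE, SAMPLE_KEY)


def demo():
    """Recover the key from the constructed ciphertext and return (key, plaintext)."""
    _score, key, _off = recover_xor_key(SAMPLE_CT, b"System::Call")
    return key, xor_bytes(SAMPLE_CT, key)


if __name__ == "__main__":
    key, pt = demo()
    print(key.hex())
    print(pt.decode())
```

The crib has to be at least as long as the key, so pick the longest string the stage is certain to contain (`System::Call`, `kernel32::`, `$PLUGINSDIR`). For the September variant, where a powershell.exe or cmd.exe one-liner does the XOR, the key is normally visible in the command line and this step is unnecessary.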
GuLoader String Encryption
In November 2022, Trellix obtained the NSIS file ff091158eec27558905a598dee86c043 (MD5). The GuLoader shellcode extracted from it uses an XOR decryption routine that remained consistent across all versions throughout the year. In older samples, from February until September 2022, the encrypted strings sat at fixed offsets in the shellcode: the encrypted data and its length were simply copied from a known location and passed to the decrypt function, with no calculation or concatenation beforehand.
The GuLoader shellcode from ff091158eec27558905a598dee86c043 changes this by assembling the encrypted data buffer at runtime: both the encrypted data length and each DWORD of the encrypted data are computed via randomized math operations and concatenated before decryption (Figure 13). A string extractor that carves the buffer from a fixed offset therefore no longer works against this version; the arithmetic has to be evaluated, or the decrypt call observed at runtime.
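To make the November change concrete, the following added example (constructed, not GuLoader's actual routine) models the new layout: the encrypted length and every DWORD of encrypted data are each the result of a short chain of 32-bit arithmetic that an extractor must evaluate before it can concatenate the bytes and decrypt them. The op set, the XOR-with-repeating-key stand-in for the decrypt function, the sample strings and the key are all assumptions; only the idea of per-DWORD runtime computation comes from the post.

```python
"""Emulate per-DWORD runtime assembly of an encrypted string buffer, then decrypt it."""
import random
import struct

MASK = 0xFFFFFFFF


def eval_dword(ops) -> int:
    """Evaluate a straight-line chain of 32-bit ALU ops that leaves one DWORD in a register."""
    reg = 0
    for op, *arg in ops:
        if op == "mov":
            reg = arg[0] & MASK
        elif op == "add":
            reg = (reg + arg[0]) & MASK
        elif op == "sub":
            reg = (reg - arg[0]) & MASK
        elif op == "xor":
            reg = (reg ^ arg[0]) & MASK
        elif op == "not":
            reg = (~reg) & MASK
        elif op == "rol":
            n = arg[0] % 32
            reg = ((reg << n) | (reg >> (32 - n))) & MASK
        else:
            raise ValueError(f"unknown op {op}")
    return reg


def assemble_buffer(program):
    """program = [ops_for_length, ops_for_dword0, ops_for_dword1, ...]; returns
    (length, encrypted_bytes) laid out as the shellcode would leave them in memory."""
    length = eval_dword(program[0])
    data = b"".join(struct.pack("<I", eval_dword(ops)) for ops in program[1:])
    if len(data) < length:
        raise ValueError("program produces fewer bytes than the computed length")
    return length, data[:length]


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the decrypt function: repeating-key XOR (symmetric, so also encrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_runtime_string(program, key: bytes) -> bytes:
    """The extractor's job: evaluate the arithmetic, concatenate, then decrypt."""
    _length, enc = assemble_buffer(program)
    return xor_decrypt(enc, key)


def obfuscate(value: int, rng: random.Random):
    """Constructed stand-in for the randomized math: build, back to front, an op chain
    whose forward evaluation yields `value`."""
    ops, cur = [], value & MASK
    for _ in range(rng.randint(2, 4)):
        op = rng.choice(["add", "sub", "xor", "not", "rol"])
        k = rng.getrandbits(32)
        if op == "add":
            cur = (cur - k) & MASK
            ops.append(("add", k))
        elif op == "sub":
            cur = (cur + k) & MASK
            ops.append(("sub", k))
        elif op == "xor":
            cur ^= k
            ops.append(("xor", k))
        elif op == "not":
            cur = (~cur) & MASK
            ops.append(("not",))
        else:
            n = k % 32
            cur = ((cur >> n) | (cur << (32 - n))) & MASK   # ror, the inverse of rol
            ops.append(("rol", n))
    ops.append(("mov", cur))
    return ops[::-1]


def build_program(plaintext: bytes, key: bytes, seed: int = 7):
    """Encrypt `plaintext` and compile its length and each ciphertext DWORD into op chains."""
    rng = random.Random(seed)
    enc = xor_decrypt(plaintext, key)
    padded = enc.ljust((len(enc) + 3) // 4 * 4, b"\0")
    program = [obfuscate(len(enc), rng)]
    for i in range(0, len(padded), 4):
        program.append(obfuscate(struct.unpack_from("<I", padded, i)[0], rng))
    return program


if __name__ == "__main__":
    key = b"\x5a\xa5"                                     # constructed key
    prog = build_program(b"kernel32.dll", key)          # constructed sample string
    print(len(prog), "op chains;", decrypt_runtime_string(prog, key))
```

The point for tooling: once the constants are spread across arithmetic like this, a YARA-style carve of the encrypted blob fails, but a small emulator over the decrypt call's inputs, or a breakpoint on the decrypt function in a sandbox, still recovers every string.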
Summarizing the Advancements
In summary, the NSIS loader code and the GuLoader shellcode were straightforward in February 2022. The NSIS script became increasingly obfuscated towards the end of the year, and the most recent change is the runtime computation and concatenation of encrypted data in the GuLoader shellcode (Figure 14). The migration of GuLoader shellcode into NSIS executable files is a notable example of the creativity and persistence of threat actors in evading detection, preventing sandbox analysis and obstructing reverse engineering.
Appendix: GuLoader Hashes, Payload URLs and Trellix Protection
The payload to be downloaded by GuLoader varies, and potentially it might be AgentTesla, LokiBot, NanoCore RAT, NetWire RAT or a different malware family. The list of GuLoader payload URLs extracted are in Table 2 and the GuLoader NSIS executable files referenced for this blog are in Table 3.
Table 2. GuLoader payload URLs (defanged):
- https[:]//staninnovationgroupllc[.]com/MYFORMBOOK_eyHVNu169[.]bin
- http[:]//91[.]245[.]255[.]55/java_agent_sZOCrs225[.]bin
- http[:]//37[.]120[.]222[.]192/texas_TYBnb22[.]bin
- http[:]//linkedindianer[.]com/infoo_UXXITSZ73[.]bin
- http[:]//193[.]239[.]86[.]180/build_CMxTGk211[.]bin
- http[:]//www[.]aortistf[.]tk/MAKS_rOOOVChP166[.]bin
- http[:]//jmariecompany[.]com/kOrg_sIhYtzsF95[.]bin
- http[:]//posadalaprotegida[.]com[.]ar/EbiCBZqpSxRr192[.]msi
- http[:]//146[.]70[.]79[.]13/GPUARDJZecPp13[.]smi
- http[:]//45[.]137[.]117[.]184/hvntfVSKcCQt84[.]dsp
Trellix products with coverage for this campaign:
- Trellix Network Security
- Trellix Cloud MVX
- Trellix File Protect
- Trellix Malware Analysis
- Trellix Email Security
- Trellix Detection As A Service
Detection names:
- Suspicious FirstRpidMemOp Shellcode Injection
- Suspicious File NSIS Loader
- Suspicious Process Powershell from NSIS Activity
- Suspicious Process from NSIS Activity
- Suspicious File RarSFX drops NSIS Activity
- Suspicious HighCpu by NSIS File
- Policy File NSIS Delivered thru Emails
Trellix Endpoint Security (HX):
- SCHTASK CREATION FROM SUSPICIOUS LOCATION (METHODOLOGY)
- GULOADER B (FAMILY)
Trellix Endpoint Security (ENS)