Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community. We also occasionally share breaking and time-sensitive findings throughout the month, such as the insight below.
Financially themed phishing campaigns are seen year-round, with the frequency of tax and accounting themes increasing before and during tax season every year. This is the case for enterprises across all industries, not just the financial sector. At Red Canary, we’ve recently observed adversaries taking advantage of tax season to lure victims into interacting with malicious phishing emails, notably those distributing GuLoader.
Groups distributing GuLoader have used financially themed phishing schemes for some time, but those themes are more likely to be effective this time of year. The malicious attachments we’ve observed include references to new orders for accounting services, IRS documentation, or client tax files.
What is GuLoader, and what does it do?
GuLoader is a malicious downloader that adversaries use to distribute shellcode and deliver follow-on payloads like Remcos. Recent GuLoader infections have started with a phishing email containing a malicious attachment, often a .zip file that is sometimes password-protected. Inside the attachment are additional files, including a .lnk file that leverages wscript.exe to execute a Visual Basic (VBS) script that eventually loads and executes malicious PowerShell commands to download staged payloads. The .lnk file also includes an innocuous .pdf file that launches in parallel with the malicious activity, presumably to make the user think they simply downloaded a benign PDF from an errant email.
Red Canary saw Remcos delivered as the payload in some recent GuLoader infections. Remcos is a remote access tool that adversaries use to gain persistent remote access to a victim’s endpoint. After Remcos is successfully installed, adversaries can choose from a number of options, including surveilling the victim system, downloading additional malware, and sending host data back to a command and control (C2) server. Key indicators of successful Remcos installation include suspicious registry changes for persistence and malicious processes making outbound network connections to C2 IP addresses.
What’s the risk and how should we respond?
The best way to respond to the recent financially themed phishing messages is the same as the response to any other phishing campaign. While user awareness should always be part of a security program, in particular, organizations may find it useful to make users aware of the specific risk of malware delivery via fake tax and financial documents. Users should be wary of unexpected tax-related emails with attachments, especially those purporting to be from the IRS. The IRS does not initiate contact with individuals or enterprises regarding tax issues via email, text message, or social media.
If a user opens the phishing attachment, one way to mitigate malicious scripts is to create a Group Policy Object (GPO) to change the default behavior of commonly misused script extensions, making them behave like benign text files that open in Notepad and do not automatically execute. We’ve seen GuLoader use .vbs in particular.
This strategy works to mitigate many threats beyond just GuLoader. Many malware families use scripts as part of their intrusions. Additional script types to include in your GPO could be .vba, .js, .hta, .bat, as well as any others you choose based on your environment, user activity, and threats to your enterprise.
Below are the steps to change the behavior of .vbs in the Group Policy Management Console to mitigate GuLoader script execution:
Switch to the GPO editing mode. In the GPO editor, go to the section: User Configuration -> Preferences -> Control Panel Settings -> Folder Options
Create a new parameter: New -> Open With
Fill out the fields as follows:
File Extension: .vbs or your file type of choice
Associated Program: %windir%\system32\notepad.exe or whichever text application is appropriate
Set as default: check the option
The finished product should look similar to the image below. Note that the image includes many script extensions that would each need their own GPO parameter creation as outlined in the steps here.
It is essential to test and roll out these GPO changes slowly so as to not impact production.
The following detection analytic should will identify a script—wscript.exe in this case—launching PowerShell to download and executing a payload.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.