E-commerce industries in South Korea and the U.S. are on the receiving finish of an ongoing GuLoader malware marketing campaign, cybersecurity agency Trellix disclosed late final month.
The malspam exercise is notable for transitioning away from malware-laced Microsoft Word paperwork to NSIS executable information for loading the malware. Other nations focused as a part of the marketing campaign embrace Germany, Saudi Arabia, Taiwan and Japan.
NSIS, quick for Nullsoft Scriptable Install System, is a script-driven open supply system used to develop installers for the Windows working system.
While assault chains in 2021 leveraged a ZIP archive containing a macro-laced Word doc to drop an executable file tasked with loading GuLoader, the brand new phishing wave employs NSIS information embedded inside ZIP or ISO pictures to activate the an infection.
“Embedding malicious executable information in archives and pictures can assist menace actors evade detection,” Trellix researcher Nico Paulo Yturriaga mentioned.
Over the course of 2022, the NSIS scripts used to ship GuLoader are mentioned to have grown in sophistication, packing in further obfuscation and encryption layers to hide the shellcode.
The improvement can also be emblematic of a broader shift throughout the menace panorama, which has witnessed spikes in various malware distribution strategies in response to Microsoft’s blocking of macros in Office information downloaded from the web.
“The migration of GuLoader shellcode to NSIS executable information is a notable instance to point out the creativity and persistence of menace actors to evade detection, forestall sandbox evaluation and hinder reverse engineering,” Yturriaga famous.