| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GuLoader can use HTTP to retrieve additional binaries.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | GuLoader can establish persistence via the Registry under |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | GuLoader can delete its executable from the |
| Enterprise | T1105 | Ingress Tool Transfer | GuLoader can download further malware for execution on the victim's machine.[2] |
| Enterprise | T1106 | Native API | GuLoader can use a number of different APIs for discovery and execution.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | GuLoader has been spread in phishing campaigns using malicious web links.[1] |
| Enterprise | T1055 | Process Injection | GuLoader can inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as the donor process.[2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | GuLoader has relied upon users clicking on links to malicious documents.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.[2] |
| Enterprise | T1102 | Web Service | GuLoader has the ability to download malware from Google Drive.[2] |
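Two rows in the table above (T1055, a suspended donor process such as RegAsm receiving shellcode, and T1547.001, Run-key persistence) describe behaviour that is visible in ordinary host telemetry. The script below is an added detection example, not code from the ATT&CK page or from the cited reports. It runs over a handful of constructed, Sysmon-style records (event IDs 1, 8 and 13 are assumed as the schema; every path, PID and SID is invented). Sysmon does not record the CREATE_SUSPENDED flag, so the T1055 proxy used here is "the process that spawned a known donor image also creates a remote thread in it"; the page does not say which injection API GuLoader uses, so event 8 is one signal among several rather than a guarantee.

```python
import ntpath

# Constructed Sysmon-style records (assumption: field names follow Sysmon event IDs 1, 8 and 13;
# all values are invented for illustration and are not real GuLoader telemetry).
EVENTS = [
    # a document-spawned loader in a user-writable path
    {"id": 1, "pid": 4120, "parent_pid": 3900,
     "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # the loader starts RegAsm.exe as a donor (the suspended flag is not logged by Sysmon)
    {"id": 1, "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    # the loader creates a remote thread in the donor it just spawned (Sysmon event 8)
    {"id": 8, "source_pid": 4120, "target_pid": 4188,
     "source_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # the loader writes a Run-key value pointing into a user-writable directory (Sysmon event 13)
    {"id": 13, "pid": 4120,
     "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\bob\AppData\Roaming\updater.exe"},
    # benign noise: a build tool spawns RegAsm.exe and nothing injects into it
    {"id": 1, "pid": 5010, "parent_pid": 4990,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe"},
    # benign noise: an installer registers an agent that lives under Program Files
    {"id": 13, "pid": 6001,
     "image": r"C:\Program Files\ExampleVendor\setup.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "details": r"C:\Program Files\ExampleVendor\agent.exe"},
]

# Donor image the page reports for GuLoader; extend with other hollowing targets you track.
DONOR_IMAGES = {"regasm.exe"}

# Path fragments treated as user-writable (assumption; tune to your environment).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _base(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def spawn_then_inject(events):
    """T1055 proxy: a process spawns a known donor image and then creates a remote thread in it.

    Returns (injector_pid, donor_pid, injector_image) tuples.
    """
    parent_of = {e["pid"]: e["parent_pid"] for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 8 or _base(e["target_image"]) not in DONOR_IMAGES:
            continue
        # the injector must also be the donor's parent; a remote thread from an
        # unrelated process (debugger, EDR) does not match this pattern
        if parent_of.get(e["target_pid"]) == e["source_pid"]:
            hits.append((e["source_pid"], e["target_pid"], e["source_image"]))
    return hits


def run_key_from_user_path(events):
    """T1547.001: a Run-key value whose data points into a user-writable location.

    Returns (writer_pid, registry_value, data) tuples.
    """
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        key = e["target_object"].lower()
        if "\\currentversion\\run\\" not in key and "\\currentversion\\runonce\\" not in key:
            continue
        if any(tok in e["details"].lower() for tok in USER_WRITABLE):
            hits.append((e["pid"], e["target_object"], e["details"]))
    return hits


def triage(events):
    """Group findings by ATT&CK ID so they can be joined on the offending PID."""
    return {"T1055": spawn_then_inject(events),
            "T1547.001": run_key_from_user_path(events)}


if __name__ == "__main__":
    for technique, findings in triage(EVENTS).items():
        for finding in findings:
            print(technique, *finding)
```

Both findings in the constructed set come from PID 4120, which is the join a responder wants: the same process that hollowed RegAsm also wrote the Run key, and its image sits under the user's Temp directory. The MSBuild-spawned RegAsm.exe and the Program Files installer produce no alerts, which is the false-positive class these two rules are designed to skip.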