Published at : 08 Feb 2023 12:50 PM (IST)
According to a report released late last month by the cybersecurity company Trellix, ongoing GuLoader malware campaigns have targeted the e-commerce sector in both South Korea and the United States.
Notably, the malspam activity has shifted from macro-laden Microsoft Word documents to NSIS executable files as the vector for spreading the malware. Germany, Saudi Arabia, Taiwan, and Japan are among the other countries targeted by the campaign.
Nullsoft Scriptable Install System, better known by its acronym NSIS, is a script-driven, open source tool used to build installers for the Windows operating system.
In 2021, attack chains used a ZIP archive containing a Word document with embedded macros to drop an executable tasked with loading GuLoader. The latest phishing wave instead uses NSIS files embedded within ZIP archives or ISO images to trigger the infection.
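The delivery chain described above (an NSIS-built executable hidden inside a ZIP or ISO attachment) is something mail-gateway and sandbox triage can check for cheaply. The following Python script is an added example and is not Trellix's code or part of the GuLoader analysis: it unpacks a ZIP in memory, identifies PE executables by their MZ/PE headers, and flags those built with NSIS by the "firstheader" signature that every NSIS installer carries (the little-endian constant 0xDEADBEEF followed by the ASCII string "NullsoftInst", taken from the NSIS source). Nested ISO or other containers are only flagged for hand-off, since parsing them needs a library outside the standard library. The sample archive, its filenames, and the stub "PE" files are constructed here for the demonstration and are not real malware.

```python
import io
import struct
import zipfile

# NSIS "firstheader" signature: 0xDEADBEEF (little-endian) followed by
# "NullsoftInst". It opens the compressed data block that follows the PE
# stub in every NSIS-built installer, whatever the script did to its payload.
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"

# Container formats that would need a second pass with a dedicated parser
# (e.g. pycdlib for ISO); we only flag them here. Assumed list, not exhaustive.
NESTED_CONTAINER_EXTENSIONS = (".iso", ".img", ".zip", ".7z", ".rar")


def is_pe(data: bytes) -> bool:
    """True if the blob has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def is_nsis(data: bytes) -> bool:
    """True if the blob is a PE file that embeds the NSIS firstheader signature."""
    return is_pe(data) and NSIS_SIGNATURE in data


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Classify every member of a ZIP held in memory.

    Returns one finding per suspicious member: 'nsis-installer' for NSIS-built
    executables, 'pe-executable' for other Windows binaries, and
    'nested-container' for members that need a second unpacking pass.
    Benign members (text, documents) produce no finding.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if is_nsis(data):
                verdict = "nsis-installer"
            elif is_pe(data):
                verdict = "pe-executable"
            elif info.filename.lower().endswith(NESTED_CONTAINER_EXTENSIONS):
                verdict = "nested-container"
            else:
                continue
            findings.append({"name": info.filename, "size": len(data), "verdict": verdict})
    return findings


def build_fake_pe(trailer: bytes = b"") -> bytes:
    """Constructed stand-in for a PE file: a DOS stub with e_lfanew pointing at a
    'PE\\0\\0' header, plus whatever bytes the caller appends. Not a real program."""
    header = bytearray(0x100)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew -> 0x80
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header) + trailer


def build_sample_zip() -> bytes:
    """Constructed sample attachment mimicking the lure layout: a double-extension
    NSIS stub, a plain PE stub, a text file, and a nested ISO placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2023-02.pdf.exe", build_fake_pe(NSIS_SIGNATURE + b"\x00" * 64))
        zf.writestr("setup.exe", build_fake_pe(b"\x00" * 64))
        zf.writestr("readme.txt", b"please see the attached invoice")
        zf.writestr("disk.iso", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(f"{finding['verdict']:17} {finding['size']:>7}  {finding['name']}")
```

The NSIS signature check survives the obfuscation layers applied to the embedded script and shellcode, because it lives in the installer framework's own data header rather than in the payload; it does not, however, distinguish a malicious installer from a legitimate one, so treat the verdict as a triage signal (an NSIS installer arriving by mail inside an archive) rather than a malware detection.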
According to a statement by Trellix researcher Nico Paulo Yturriaga, “Embedding malicious executable files in archives and photos might assist threat actors in eluding detection.”
Over the course of 2022, the NSIS scripts used to distribute GuLoader are said to have grown more sophisticated, adding further obfuscation and encryption layers to disguise the shellcode.
The development also reflects a larger shift in the threat landscape: an increase in alternative malware distribution methods as a direct result of Microsoft’s decision to block macros by default in Office files downloaded from the internet.
According to Yturriaga’s observation, “the movement of GuLoader shellcode to NSIS executable files is a remarkable example that shows the inventiveness and tenacity of threat actors to elude detection, hinder sandbox analysis, and block reverse engineering.”