Hakbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments

silversurfer

The spear-phishing based campaign is low volume and so far targeted the pharmaceutical, legal, financial, business service, retail, and healthcare sectors. Low-volume style campaigns, sometimes called snowshoe spam attacks, use multiple domains to send relatively small blasts of bogus emails to circumvent reputation- or volume-based spam filtering.

“The largest volume of messages we observed were sent to the information technology, manufacturing, insurance, and technology verticals,” wrote Proofpoint researchers in a Monday analysis.

They observed, “the majority of roles targeted in the Hakbit campaigns are customer-facing with individuals’ business contact information revealed publicly on company websites, and/or advertisements. These roles include attorneys, client advisors, directors, insurance advisors, managing directors and project managers.”

The initial spear-phishing emails use financial lures, with subject lines like “Fwd: Steuerrückzahlung” (translated: Tax Repayment) and “Ihre Rechnung” (translated: Your Bill). The emails are delivered from a free email provider (GMX) that primarily serves a European client base.

The attachments on the emails purport to be false billing and tax repayment subjects. One email impersonated 1&1, a German telecommunications and web hosting company, and told the victim that the attachment on the email is an invoice, for instance.

Once opened, the Microsoft Excel attachments then prompt victims to enable macros. That in turn downloads and executes GuLoader. GuLoader is a widespread dropper that compromises targets and delivers second-stage malware. It’s been constantly updated over the course of 2020, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.
 
