Authored by: Vignesh Dhatchanamoorthy
In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding of their tactics and tools. Enter GUloader, a potent weapon in the arsenal of cybercriminals worldwide. This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals.
One of GUloader’s distinguishing features is its utilization of evasion techniques, making it particularly challenging for traditional security measures to detect and mitigate. Through polymorphic code and encryption, GUloader can dynamically alter its structure, effectively masking its presence from antivirus software and intrusion detection systems. This adaptability enables GUloader to persistently infiltrate networks and establish footholds for further malicious activity.
McAfee Labs has observed a recent GUloader campaign being distributed through a malicious SVG file delivered via email.
Scalable Vector Graphics (SVG)
The SVG (Scalable Vector Graphics) file format is a widely used vector image format designed for describing two-dimensional vector and mixed vector/raster graphics in XML. One of the key features of SVG files is their support for interactivity and animation, achieved through JavaScript and CSS.
Modern web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have built-in support for rendering SVG files. When you open an SVG file in Chrome or Firefox, the browser renders the vector graphics using its built-in SVG rendering engine. This engine interprets the XML-based SVG code and displays the image accordingly on the web page.
Browsers treat SVG files as standard web content and handle them seamlessly within their browsing environments.
Execution Chain
Figure 1: Infection chain
The execution process begins with the opening of an SVG file from an email attachment. This action triggers the browser to download a ZIP file. Within this ZIP file is a WSF (Windows Script File), acting as the conduit for the subsequent stage. Upon execution of the WSF, wscript calls the PowerShell command to establish a connection with a malicious domain and execute the hosted content. This content includes shellcode injected into the MSBuild application, facilitating further malicious actions.

Figure 2: Process Tree
Technical Analysis
A recipient receives a spam email that contains malware embedded in archived attachments. The attachment contains a malicious SVG file named “dhgle-Skljdf.svg”
Figure 3: Spam Email
JavaScript that was smuggled inside of the SVG image contained the entire malicious zip archive. When the victim opened the attachment from the email the smuggled JavaScript code inside the SVG image created a malicious zip archive, and then presented the user with a dialog box to decrypt and save the file.

Figure 4: Saving file prompt
The SVG file utilizes a Blob object that contains the embedded zip file in base64 format. Subsequently, the zip file is dropped via the browser when accessed.

Figure 5: SVG file code
Inside the zip file, there is an obfuscated WSF (Windows Script File). The WSF script employs several techniques to make analysis quite difficult.

Figure 6: Obfuscated WSF Script
It invokes PowerShell to establish a connection with a malicious domain, subsequently executing the hosted content retrieved from it.
Encoded PowerShell

Figure 7: Encoded PowerShell code
After Decoding

Figure 8: Decoded PowerShell code
URL: hxxps://winderswonders.com/JK/Equitably.mix
The URL hosts base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.
Hosted Content

Figure 9: Hosted Base64 content
After decoding Base64

Figure 10: Decoded Base64 content
The above PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.
After injection, the shellcode executes anti-analysis check then it modifies the Registry run key to achieve persistence.
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
The final stage uses the injected shellcode to download and execute the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.
 
Indicator of Compromise (IOCs)

File
SHA256/URL

Email
66b04a8aaa06695fd718a7d1baa19386922b58e797634d5ac4ff96e79584f5c1

SVG
b20ea4faca043274bfbb1f52895c02a15cd0c81a333c40de32ed7ddd2b9b60c0

WSF
0a196171571adc8eb9edb164b44b7918f83a8425ec3328d9ebbec14d7e9e5d93

URL
hxxps://winderswonders[.]com/JK/Equitably[.]mix

The post GUloader Unmasked: Decrypting the Threat of Malicious SVG Files appeared first on McAfee Blog.