Fortinet Inc.

05/23/2022 | Press release | Distributed by Public on 05/23/2022 09:06

Spoofed Saudi Purchase Order Drops GuLoader: Part 1

Given the current fluctuations in the energy market and the related rise in prices to consumers, it should be no surprise that threat actors are using lures to exploit the global interest in this issue.

FortiGuard Labs recently discovered an e-mail using this tactic. The message was delivered to a coffee company in Ukraine and was seemingly sent by an oil provider in Saudi Arabia. Purporting to be a purchase order, the partial PDF file image displayed in the body of the e-mail was actually a link to an ISO file hosted in the cloud, and that ISO contained an executable for GuLoader. Also known as CloudEye and vbdropper, GuLoader dates to at least 2019 and is generally used to deploy other malware variants, such as Agent Tesla, Formbook, and Lokibot.

What makes this case interesting is that the executable in question uses NSIS (Nullsoft Scriptable Install System), a free, script-driven installer authoring tool for Microsoft Windows, to deploy itself.

Part one of this blog will detail our examination of the phishing e-mail and a static analysis of the embedded malware, while part two will provide a dynamic analysis of the malware along with its shellcode file, "rudesbies.Par".

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for other purposes
Severity Level: Medium

The Phishing E-mail

Inviting a recipient to review an invoice or purchase order is a common phishing lure, and this attack follows that path as well.