## Ongoing Threats Targeting the Energy Industry

TLP: CLEAR PAP: CLEAR

# Table of contents

- Key findings
- Intrinsec's CTI services
- Introduction
- I – Strategical Intelligence
  - 1. Intelligence brief
  - 2. Attribution
  - 3. Victimology
    - 3.1. Unattributed malicious cluster
    - 3.2. Another malicious cluster
- II – Tactical Intelligence
  - 1. Tactics, Techniques and Procedures
    - 1.1. NSIS variant of GuLoader
    - 1.2. Attachment abusing CVE-2017-0199 for GuLoader deployment
  - 2. Code Analysis
    - 2.1. Extracted NSI script
    - 2.2. NSIS variant
    - 2.3. VBS variant of GuLoader
    - 2.4. Shellcode anti analysis
  - 3. Infrastructure Analysis
    - 3.1. Leveraging Google Drive for final payload delivery
- Conclusion
- III – Actionable content
  - 1. IoCs
  - 2. Recommendations
  - 3. Sources

# Key findings

In this report are presented:

- The origin of the malware and information about the company running it.
- How multiple companies from the energy sector, including three French companies with branches in Liquefied Natural Gas (LNG) production, were targeted using internal emails that had been uploaded to public platforms and were likely reused by an unidentified threat actor to send phishing emails with the same template.
- The latest tactics, techniques and procedures that threat actors are currently leveraging to target critical entities using GuLoader and other malware.
- Some insights on GuLoader's functionalities and on the evasion techniques leveraged by its NSIS and VBS variants.

# Intrinsec's CTI services

Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.

For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data and information gathered from our security monitoring services (SOC, MDR, ...), our incident response team (CERT Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse engineering and pivots.

Intrinsec also offers various services around Cyber Threat Intelligence:

- Risk anticipation, which can be leveraged to continuously adapt the detection and response capabilities of our clients' existing tools (EDR, XDR, SIEM, ...) through:
  - an operational feed of IoCs based on our exclusive activities;
  - threat intel notes and reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection and remediation;
  - external asset security monitoring (EASM);
  - brand protection.

For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.

# Introduction

Intrinsec's CTI Team discovered a cluster of activity mainly targeting companies related to the energy sector with spear phishing emails and with domains typosquatting those companies' domain names and those of their Liquefied Natural Gas branches, but also other generic domains related to the LNG industry such as "lng-gaz[.]com". The purpose of these campaigns was to deploy GuLoader implants and, later on, AgentTesla implants.

GuLoader is a loader designed to evade detection and analysis through a variety of techniques, such as checking its execution environment and encrypting the payload it injects on the infected system. The actor that bought GuLoader must provide the builder with the URL hosting the software it wants to protect and load on the system. That payload must be encrypted and can be hosted on legitimate services like Google Drive or on any other domain. GuLoader comes in different file formats, such as VBS scripts or NSIS installers. It is known to drop malware like Lokibot, AzorUlt, Remcos, Nanocore, WarzoneRAT, AgentTesla, FormBook and Hakbit ransomware.

# I – Strategical Intelligence

### 1. Intelligence brief

_Figure 1: Diamond model of the analysed threats._

### 2. Attribution

[As reported by Check Point, GuLoader is currently sold under the name "CloudEye Protector" by an](https://research.checkpoint.com/2020/guloader-cloudeye/) Italian company specialized in code protection.
The program was first advertised in 2014 on underground forums like Hack Forums by a user with the username "xor", in reference to the logical operation of the same name, which is often used for encryption purposes. On those old threads, xor mentioned the possibility of buying the program on its official website "securitycode[.]eu". The company that owns the website is registered in Italy under the name "Easysoft Di Ivano Mancini".

Even though Easysoft does commercially distribute CloudEye, the company neither controls nor involves itself in the usage its clients make of the software. This plausible deniability gives the company a sort of "immunity" against any attribution of GuLoader-powered campaigns. Check Point researchers even reported that GuLoader's developer contacted them right after their June 2020 publication circulated in the security community, claiming not to be aware of any malicious usage of their product. However, further checks by the same researchers on thousands of GuLoader samples showed that [99.9-100% of them were associated with malicious activities](https://www.youtube.com/watch?v=8ZnTJyEgVNg). As such, GuLoader can be considered a malware-as-a-service.

### 3. Victimology

As far as the victimology related to GuLoader usage is concerned, a wide range of sectors and companies were targeted. An interesting aspect of the campaigns is the delivery method of GuLoader. One way of tracking the malware's usage and its campaigns was through research on spear phishing emails. These emails revealed the effort put into appearing legitimate: the payload is named so as to pass for a genuine corporate document or business enquiry, and legitimate logos and identities are used. Finally, spoofed email domains were observed, making those phishing campaigns particularly hard to detect for average users. This spoofing technique was [observed by Fortinet](https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader?utm_source=blog&utm_medium=blog&utm_campaign=spoofed-saudi-purchase-order-drops-guloader) in 2022, during a campaign that spoofed Saudi purchase orders around July.

Moreover, GuLoader has been observed targeting energy providers, such as a Romanian company operating in this sector on June 21, 2023. This company represented a key target as it is an important provider of electrical infrastructure in Romania. To achieve its objective, the threat actor sent a phishing email and spoofed its headers to make it look like it was sent by a known Romanian airline.

_Figure 2: Phishing e-mail targeting a Romanian company and deploying GuLoader._

#### 3.1. Unattributed malicious cluster

Another delivery method related to the deployment of GuLoader, by another malicious cluster, still relies on email spoofing, but this time the attacker poses as a member of the victim company by sending the email from a typosquatted domain in which only one letter is changed. Through this delivery method, we have detected several companies being spoofed, such as the South Korean branch of a French company operating in the energy industry. The targeted person was working for the company as a strategic buyer.
The email was particularly well crafted, since its subject related to an ongoing project between the targeted company and another company from the energy sector based in Taiwan, about the installation of a slug catcher (a common piece of equipment in this industry) in their infrastructure in Malaysia. We assess that this email was originally sent by employees of the company but was uploaded to a public platform for an unknown reason, and that the threat actor took advantage of this OPSEC error by reusing the email template to send the same message with a malicious archive attached to it.

_Figure 3: Phishing e-mail sent to a French company from the energy sector with a GuLoader implant attached to it._

A Spanish company linked to the oil and gas industry was targeted two days before that by an email sent from the same server and leveraging the same domain typosquatting technique. In this case, the mail contained three legitimate internal documents, including one confidential document linked to the company, giving more legitimacy to the lure. The GuLoader implant was contained in a CAB archive. The targeted individual works as a purchasing engineer for the company.

By pivoting on the legitimate files present in the mail, we found that the same email had been uploaded to a public platform one month before this campaign, but only with the legitimate documents attached to it and not the malicious CAB archive. We assess that there is a realistic probability that this threat actor found it and decided to attach its payload and reuse the same email template for its phishing campaign in order to increase the quality of the lure.
_Figure 4: Phishing mail sent to a Spanish company operating in the energy sector with a GuLoader implant attached to it._

_Figure 5: Technique used by the threat actor to target companies with emails uploaded to a public platform._

The same IP that sent those emails targeted a Thai company operating in the heavy industry and engineering design sectors, as well as in the petrochemical sector. The same technique was likely leveraged, since an original and legitimate email related to the company had been uploaded to a public platform in December 2022. In June 2023, the threat actor took the template and documents from this email and used them to send it to the company, adding its malicious implant. In this case, AgentTesla was contained in a ZIP archive attached to the email.

_Figure 6: Phishing mail sent to a Thai company operating in the energy sector with an archive containing an AgentTesla implant attached to it._

A major German company operating in the energy sector was targeted later, in August, by an email sent from the same IP address as the emails of the previously analysed campaigns. The threat actor crafted the headers of the mail to make it look like the sender's domain was that of the targeted company. Looking more closely at the headers, we found that the actual sending mail server had a completely different domain name and ran Plesk. As a reminder, Plesk is a server automation software that is often used by threat actors to quickly deploy phishing infrastructures. The mail pretended to be sent by the head of production and targeted the head of external relations. In this campaign, the threat actor chose to directly place an AgentTesla implant in a RAR archive attached to the mail.
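The two sender tricks described for this cluster, a typosquatted domain one letter away from the real one and a spoofed From: header whose actual delivering server sits in an unrelated domain, can be checked mechanically at the mail gateway. The script below is an added example, not Intrinsec's tooling; every domain, header line and host name in it is a constructed placeholder.

```python
"""Flag phishing senders that typosquat or spoof a protected domain.

Added example (not from the report). Checks two patterns the report
describes: a look-alike sender domain with a single character changed,
and a From: header using a protected domain while the Received: chain
shows an unrelated delivering server. All values are constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Domains we want to protect (constructed placeholders).
PROTECTED = {"example-lng.com", "example-energy.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typosquat with one letter changed scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def received_hosts(msg: Message) -> list[str]:
    """Host names the Received: headers claim the mail came from."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def is_own_server(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_sender(raw_message: str, protected=PROTECTED) -> tuple[str, str]:
    """Return (verdict, detail) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From", ""))
    if not sender:
        return "unknown", "no From: domain"
    # Case 1: look-alike domain, exactly one edit away from a protected one.
    for good in protected:
        if sender != good and edit_distance(sender, good) == 1:
            return "typosquat", f"{sender} looks like {good}"
    # Case 2: From: is a protected domain but the delivering server is not.
    if sender in protected:
        hosts = received_hosts(msg)
        if not hosts:
            return "unverified", f"{sender} with no Received: chain"
        foreign = [h for h in hosts if not is_own_server(h, sender)]
        if foreign:
            return "spoofed", f"From {sender} but relayed by {foreign[0]}"
        return "internal", f"{sender} relayed by its own servers"
    return "external", sender


# Constructed sample messages (headers shortened to what the check needs).
MAIL_TYPOSQUAT = """\
Received: from mail.examp1e-lng.com (mail.examp1e-lng.com [192.0.2.10])
From: "Strategic Buyer" <buyer@examp1e-lng.com>
Subject: RE: Slug catcher installation

body
"""
MAIL_SPOOFED = """\
Received: from plesk-box.unrelated-host.example ([192.0.2.20])
From: "Head of Production" <production@example-energy.com>
Subject: Power & Energy Project

body
"""
MAIL_CLEAN = """\
Received: from mx1.example-energy.com (mx1.example-energy.com [192.0.2.30])
From: "Head of Production" <production@example-energy.com>
Subject: Weekly report

body
"""

if __name__ == "__main__":
    for sample in (MAIL_TYPOSQUAT, MAIL_SPOOFED, MAIL_CLEAN):
        print(classify_sender(sample))
```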
_Figure 7: Details on the mail's content._

During the same day, another mail with a "Power & Energy Project" subject was sent to a Sino-Thai company specialized in the construction of refineries and various types of power plants such as gas, thermal, cogeneration, coal and hydro. An AgentTesla implant was also contained in a RAR archive attached to the mail.

_Figure 8: Details on the mail's content._

In those three previously analysed campaigns, the AgentTesla implants were configured to exfiltrate the stolen data over SMTP with the following configuration:

|Protocol|SMTP|
|---|---|
|Host|cp7nl.hyperhost[.]ua|
|Port|587|
|Username|victorlog@lgtvproducts[.]buzz|

Upon examining those campaigns targeting energy companies, it is possible to assess with medium confidence that they were operated by the same threat actor. Some of the elements supporting that assessment are the use of the same IP address for the delivery of the phishing emails, the technique of finding legitimate emails related to the targeted company on a public platform, the same exfiltration configuration for the AgentTesla implants, the use of Google Drive for the final payload delivery when GuLoader was deployed, and the short period of time between the campaigns. The observed campaigns can be summarized with the following timeline:

_Figure 9: Timeline and details of the observed campaigns._

#### 3.2. Another malicious cluster

In July 2023, another campaign, from a different intrusion set that did not show the artefacts previously found, used the compromised webmail of an NGO in Uzbekistan to target a financial company in Azerbaijan.
This time the energy sector was not directly targeted but was instead used as a lure. The mail pretended to be sent by a state-owned oil and natural gas corporation. A ZIP archive containing a GuLoader implant presented as a screen saver was attached to the mail.

_Figure 10: Email sent by the intrusion set, targeting an Azerbaijani company, and pretending to be an energy company._

Also in July, this intrusion set pretended to be part of an Iranian company specialized in designing, engineering, manufacturing and supplying chemicals and equipment for the petrochemical industry. Two archives were attached to the mail, both containing GuLoader implants presented as screen savers.

_Figure 11: Email sent by the intrusion set, pretending to be an Iranian company specialized in petrochemicals._

# II – Tactical Intelligence

### 1. Tactics, Techniques and Procedures

#### 1.1. NSIS variant of GuLoader

In the case of an email targeting a German company, the attachment was an IMG file that automatically mounts a virtual disk on the machine when opened. Inside was the GuLoader NSIS installer.

_Figure 12: Email containing the malicious IMG attachment._

When executed, the NSIS (Nullsoft Scriptable Install System) installer, a format originally used to install software, creates a folder dubbed "Stephens" under "AppData\Local" in the user's directory; this folder contains the shellcode.

_Figure 13: Content of the "Stephens" folder._

The content of an NSIS installer can also be extracted with software like 7-Zip. It contains a DLL responsible for interpreting specific instructions written in a separate ".nsi" file, which can also be extracted with older versions of 7-Zip (15.05). The GuLoader shellcode is saved with a random name and extension in the same folder.
_Figure 14: Extracted content of the NSIS installer._

The NSIS installer then starts the legitimate process "CasPol.exe" and injects the shellcode into its memory before terminating itself.

_Figure 15: Process tree after executing the NSIS installer._

The shellcode can be found in a Read-Write-Execute protected region of the process's memory. Its content is identical to the shellcode file extracted from the NSIS installer.

_Figure 16: Content of the memory region where the shellcode was injected._

The shellcode performs a GET request to retrieve an additional payload that is XOR encrypted and hosted on "00gssa[.]com/zx.bin". The URL hosting this next stage can be found in the dumped strings of the process.

_Figure 17: Strings dumped from the CasPol.exe process displaying the URL hosting the next stage payload._

The format of the URL found in the dumped strings corresponds to the one that must be provided in the CloudEye Protector client for it to download the desired next stage; the file's extension seems to always be ".bin".

_Figure 18: Inside the builder, the user must provide the URL hosting the encrypted payload in order for GuLoader to know where to download it from. Source: [https://research.checkpoint.com/2020/guloader-cloudeye/](https://research.checkpoint.com/2020/guloader-cloudeye/)_

The full chain of infection for this campaign can be summarized with the diagram below:

_Figure 19: A chain of infection using IMG and NSIS installer files to deploy GuLoader._

By analysing those two campaigns, it is possible to observe how the options "self-process loader" and "trusted process loader", present in the CloudEye Protector builder, are operated by the loader. We believe that the "trusted process" mentioned in the builder is indeed the injected "CasPol.exe" process.
This program is natively present on the Windows operating system, and thus considered "trusted".

_Figure 20: Injection options available when building the loader on the CloudEye Protector client. Source: [https://research.checkpoint.com/2020/guloader-cloudeye/](https://research.checkpoint.com/2020/guloader-cloudeye/)_

#### 1.2. Attachment abusing CVE-2017-0199 for GuLoader deployment

We observed another initial access technique consisting of a Word document exploiting CVE-2017-0199 that was sent as an attachment of an email spoofing a Georgian company.

_Figure 21: Email spoofing a Georgian company and containing a malicious attachment._

When opened, the document communicates with a shortened URL hosting a malicious RTF that downloads and drops the GuLoader NSIS installer.

_Figure 22: Execution of the document displaying the URL hosting the RTF._

It is possible to observe the GET request sent to the IP hosting the last encrypted payload. Unfortunately, it was not possible to retrieve the payload as the page returned a 404 error.

_Figure 23: GET request trying to retrieve the final payload but returning a 404 not found._

The full chain of infection for this campaign can be summarized with the diagram below:

_Figure 24: An infection chain using an RTF file and the NSIS variant of GuLoader._

### 2. Code Analysis

#### 2.1. Extracted NSI script

Using 7z we can extract the NSI script used for installation and then analyse it. The heavily obfuscated script begins by running every section upon the "instfile" call, then calls the one function we are interested in: .onMouseOverSection.
This function is called automatically on binary execution, [as stated in the NSIS documentation](https://nsis.sourceforge.io/Docs/Chapter4.html).

_Figure 25: .onMouseOverSection function._

On startup, the .onMouseOverSection function copies the shellcode located in the Emneomraadedefinition.Ove file into the $4 variable and calls the func_451 function. This function then calls the func_12 function, which copies the $4 variable into the $R8 variable, allocates some memory and then calls the "System::Call" method on the $R8 variable, executing the shellcode.

_Figure 26: Summary of an NSI script used to build the executable._

The System::Call method is provided by the NSIS System plug-in contained in the System.dll library. As stated in the NSIS documentation, this library allows allocation of memory, writing to memory, freeing memory, and calls.

#### 2.2. NSIS variant

Using CreateProcessInternalW(), GuLoader's NSIS variant starts by creating a new process, "CasPol.exe", which stands for "Code Access Security Policy Tool". This is a legitimate Windows process that enables users and administrators to modify security policy at the machine, user and enterprise policy levels. After creating this process, the malware writes the full shellcode into its memory using NtWriteVirtualMemory(). The size of the written data corresponds exactly to the delivered file containing the shellcode.

After checking its environment for signs of an analysis environment, the shellcode downloads the next payload, encrypted with a XOR key. This payload is decrypted and injected into the same process as the shellcode, in a region with Read-Write-Execute protections.

#### 2.3. VBS variant of GuLoader

In the context of a campaign spoofing a Bulgarian IT company, an archive containing the VBS variant of GuLoader was sent as the attachment of an email.
_Figure 27: Content of the mail and attachment sent to the Bulgarian company._

The VBS script contains 879 lines with obfuscated PowerShell at its core. Its content was passed to the PowerShell.exe process in the following format:

_Figure 28: The full PowerShell script that was passed as a parameter to the PowerShell.exe process._

Once deobfuscated, the script downloads an additional base64 encoded blob of data from a file hosted at the URL "ac-at[.]net/Tulle.asd" and saves it on disk under the name "Beruse.Sor". It then locates a portion of data at offset 189548 with a length of 20758 bytes, which contains a second PowerShell script.

_Figure 29: The deobfuscated content of the PowerShell script._

_Figure 30: Base64 encoded data hosted on the URL found in the PowerShell script._

After decoding and extracting the data at the given offset and size, the second PowerShell script was found to be filled with random comments in its code.

_Figure 31: Content of the second PowerShell script._

After removing those comments, one finds XOR encrypted data passed through various variables.

_Figure 32: Content of the PowerShell script after removing the comments._

Once decrypted, a shellcode is executed via the function CallWindowProcA. This function takes as its first argument a pointer to a callback function; when that pointer is used to call the function, the call is referred to as a callback. This behaviour can be abused to run a shellcode by passing a pointer to the shellcode as the first argument.
[This article](https://osandamalith.com/2021/04/01/executing-shellcode-via-callbacks/) lists other APIs that threat actors can leverage to abuse this functionality.

_Figure 33: Decrypted code found in the second PowerShell script responsible for launching a shellcode._

This shellcode is used to decrypt another shellcode present in the same file "Beruse.Sor" at a different offset.

_Figure 34: Location of the shellcode used to decrypt the other shellcode._

The overall content of the file retrieved from the URL present in the PowerShell script and saved on disk under the name "Beruse.Sor" can be summarized with the following figure:

_Figure 35: Content of the downloaded file "Beruse.Sor"._

The XOR key that decrypts the encrypted shellcode can be found inside the first shellcode, amongst the following set of assembly instructions. In this case, the key is "0x3EAF89BA".

_Figure 36: Assembly instructions responsible for the decryption of the second shellcode._

The following Python script can be used to decrypt the second shellcode with the previously found key.

_Figure 37: Python script that can be used to decrypt the second shellcode with the previously found XOR key._

The full chain of infection for this campaign can be summarized with the diagram below:

_Figure 38: A chain of infection using ZIP and PowerShell to deploy GuLoader shellcode._

#### 2.4. Shellcode anti analysis

[As mentioned by McAfee](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/), GuLoader employs many techniques to hinder the analysis of the shellcode:

- Employs runtime padding.
- Scans the whole process memory for strings specific to analysis tools.
- Uses DJB2 hashing for string checks and dynamic API address resolution.
- Strings are decoded at runtime.
- Checks if QEMU is installed on the system by checking the installation path: C:\Program Files\qqa\qqa.exe
- Patches the following APIs:
  - DbgUiRemoteBreakIn: the function's prologue is patched with an ExitProcess call.
  - LdrLoadDll: the initial bytes are patched with the instruction "mov edi, edi".
  - DbgBreakPoint: patched with a "nop" instruction.
- Clears hooks placed in ntdll.dll by security products or by researchers for analysis.
- Window enumeration via EnumWindows.
- Hides the shellcode thread from the debugger via ZwSetInformationThread by passing 0x11 (ThreadHideFromDebugger).
- Device driver enumeration via EnumDeviceDrivers and GetDeviceDriverBaseNameA.
- Installed software enumeration via MsiEnumProductsA and MsiGetProductInfoA.
- System service enumeration via OpenSCManagerA and EnumServiceStatusA.
- Checks for the use of debugging ports by passing the ProcessDebugPort (0x7) class to NtQueryInformationProcess.
- Use of the CPUID and RDTSC instructions to detect virtual environments.

Those checks often result in an error revealing that GuLoader managed to detect the environment and thus prevented the download and decryption of the next stage payload.

_Figure 39: Error message returned when GuLoader manages to detect the analysis environment._

### 3. Infrastructure Analysis

#### 3.1. Leveraging Google Drive for final payload delivery

The observed campaign targeting companies from the energy sector revealed the use of the legitimate service Google Drive for payload hosting and delivery. The initial spear phishing email with the attached GuLoader payload was sent from a Thai IP (147.50.227[.]13).
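The decryption script of Figure 37 (section 2.3) is not reproduced in this text. The script below is an added example, not Intrinsec's own, that performs the two steps the VBS variant analysis describes for "Beruse.Sor": carving a region (offset, length) out of the base64-decoded file, and XOR-decrypting a shellcode with a 4-byte key. The key byte order (little-endian, as an x86 dword XOR would apply it) is an assumption, and the embedded sample container is constructed with small offsets in place of the report's 189548/20758.

```python
"""Carve and decrypt stages from a GuLoader "Beruse.Sor"-style container.

Added example (not the script shown in Figure 37 of the report).
Assumptions: the 4-byte key is applied in little-endian order, repeating
every 4 bytes; the sample container below is constructed for illustration.
"""
from __future__ import annotations

import base64
import struct

# Values reported for the observed sample (section 2.3 of the report).
SCRIPT_OFFSET = 189548   # second PowerShell script starts here...
SCRIPT_LENGTH = 20758    # ...and is this many bytes long
XOR_KEY = 0x3EAF89BA     # key recovered from the first shellcode


def decode_container(b64_text: str) -> bytes:
    """Decode the base64 text as downloaded; tolerate wrapped lines."""
    return base64.b64decode("".join(b64_text.split()), validate=True)


def carve(blob: bytes, offset: int, length: int) -> bytes:
    """Return blob[offset:offset+length], refusing to read past the end."""
    if offset < 0 or length < 0 or offset + length > len(blob):
        raise ValueError(f"region {offset}+{length} exceeds {len(blob)} bytes")
    return blob[offset:offset + length]


def xor_decrypt(data: bytes, key: int, little_endian: bool = True) -> bytes:
    """XOR data with a repeating 4-byte key (dword order is an assumption)."""
    key_bytes = struct.pack("<I" if little_endian else ">I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def extract_stages(b64_text: str, script_offset: int, script_length: int,
                   shellcode_offset: int, shellcode_length: int,
                   key: int = XOR_KEY) -> tuple[bytes, bytes]:
    """Return (second PowerShell script, decrypted shellcode)."""
    blob = decode_container(b64_text)
    script = carve(blob, script_offset, script_length)
    encrypted = carve(blob, shellcode_offset, shellcode_length)
    return script, xor_decrypt(encrypted, key)


def build_sample_container() -> tuple[str, dict]:
    """Constructed stand-in for Beruse.Sor: padding, a clear-text stage-2
    script, more padding, then a stage-3 blob XORed with XOR_KEY."""
    script = b"# constructed stage-2 script\nWrite-Output 'stage2'\n"
    stage3 = b"CONSTRUCTED-STAGE3-BYTES"
    blob = b"\x00" * 64 + script + b"\xff" * 32 + xor_decrypt(stage3, XOR_KEY)
    layout = {
        "script_offset": 64,
        "script_length": len(script),
        "shellcode_offset": 64 + len(script) + 32,
        "shellcode_length": len(stage3),
    }
    return base64.b64encode(blob).decode("ascii"), layout


def demo() -> tuple[bytes, bytes]:
    """Run the extraction on the constructed container."""
    b64_text, layout = build_sample_container()
    return extract_stages(b64_text, **layout)


if __name__ == "__main__":
    script, shellcode = demo()
    print(script.decode())
    print(shellcode.hex())
```

Against a real download, replace the constructed layout with the offsets from the report (SCRIPT_OFFSET/SCRIPT_LENGTH for the script, the offset read from Figure 34 for the shellcode).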
Upon execution of the payload and after injection, the malware contacted 142.250.179[.]78 (Google LLC) to retrieve the final payload from a Google Drive instance at the following URLs:

- hxxps[://]drive[.]google[.]com/uc?export=download&id=1BDYk252qc7_7mHf4QCodtbpjIysHT4Vv
- hxxps[://]drive[.]google[.]com/uc?export=download&id=1zXYSS2YpyezHZdQPtXPdNr0uPNorVivP

Unfortunately, both of those URLs return a 404 response code at the time of writing this report. This would indicate that the threat actor has deleted the final payload, perhaps with the intent of concealing the goal of the campaigns.

# Conclusion

Through analysis of both recent and past campaigns using GuLoader, Intrinsec's CTI team hopes to highlight how stealthy and efficient this loader is. From the humble beginnings of Easysoft's CloudEye on underground hacking forums to its use in the targeted campaigns observed in this report, everything testifies to the success of this malware.

# III – Actionable content

### 1. IoCs

|Value|Type|Description|
|---|---|---|
|0c86253017d45f1cf09b474135ab9a603584f4c6d1d8d22b9cbce7be46dfb019|SHA-256|NSIS loader|
|a09ed21fa6609b2868160bd39abf1628a797cc703a0d64a114585d0c8b9c9982|SHA-256|emneomraadedefinition.ove|
|50f7d8503f51e02f52c3f666ad902900b2b90809df612c96e88cd51466416c0b|SHA-256|Malicious RTF|
|ec5be7c50c187de9346e381fe229eb22a3383dfd70bbac3568051af0ee25016c|SHA-256|Liljans Slipstrmme.exe|
|107.172.148[.]208|IP address|Hosting payload|
|91.234.99[.]51|IP address|GuLoader C2|
|103.131.57[.]119|IP address|Hosting payload|
|188.86.117[.]83|IP address|IP performing malspam|
|147.50.227[.]13|IP address|IP performing malspam|
|ac-at[.]net|Domain|Hosting payload|
|rdns.aesite[.]cz|Domain|GuLoader C2|
|00gssa[.]com|Domain|GuLoader C2|
|00gts[.]ru|Domain|GuLoader C2|

### 2. Recommendations

GuLoader has proved to be a stealthy and highly customizable loader. The campaigns studied in this document reveal that the use of GuLoader, coupled with a smart use of spear phishing techniques, can prove very efficient for initial access and further exploitation.
To prevent your organization from being infected, Intrinsec's CTI team recommends the following:

**Network and email policy**

- Train your staff to always question the legitimacy of an email, especially if it contains attachments.
- Block the domain names included in the IoCs section of this report.
- Block domains associated with any GuLoader campaign.
- Block emails sent from spoofed or untrusted domains.
- Block the IP addresses included in the IoCs section of this report.
- Block IP addresses associated with any GuLoader campaign.
- Do not upload internal emails to public platforms.

**System and endpoint security**

- Prevent PowerShell execution by normal users.
- Use GuLoader detection rules on endpoints.
- Train your staff not to activate content in Microsoft Office documents coming from an untrusted source.

### 3. Sources

- [https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye](https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye)
- [https://github.com/OALabs/research/blob/master/_notebooks/2022-12-16-guloader.ipynb](https://github.com/OALabs/research/blob/master/_notebooks/2022-12-16-guloader.ipynb)
- [https://research.checkpoint.com/2020/guloader-cloudeye/](https://research.checkpoint.com/2020/guloader-cloudeye/)
- [https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/](https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/)
- [https://therecord.media/german-intelligence-warning-lng-terminals-cyberattacks](https://therecord.media/german-intelligence-warning-lng-terminals-cyberattacks)