A spear-phishing campaign targeting various industries is utilizing malicious Microsoft Excel attachments to infect users with the “GuLoader” backdoor trojan. The threat actors then proceed to use GuLoader to download “Hakbit” ransomware onto the infected device. Recommendations to avoid an attack are included below.
Technical detail and additional information
What is the threat?
“GuLoader” is a malicious network dropper that leverages cloud technologies to deliver second-stage malware. GuLoader has been utilized in numerous malware campaigns throughout 2020, the latest being this phishing campaign spreading Hakbit Ransomware. In this campaign, the Excel document attached to the spear-phishing email contains malicious macros that allow GuLoader to be downloaded without the user’s knowledge or consent.
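As an added example (not part of this advisory or of any SKOUT product), the check below triages an inbound message for the delivery stage just described: it holds any message whose Excel attachment embeds a VBA project and additionally notes when the sender uses the GMX free-mail service. The sample message, the workbook contents and the sender address are all constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlam", ".xltm")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def may_carry_macros(payload: bytes) -> bool:
    """OOXML workbook: True if xl/vbaProject.bin is present (macro-enabled).
    Legacy OLE2 .xls cannot be inspected here, so it is treated as suspect."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower() == "xl/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return payload.startswith(OLE2_MAGIC)

def triage_message(raw: bytes) -> list:
    """Reasons to hold a message for analyst review (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXCEL_EXTENSIONS) and may_carry_macros(part.get_payload(decode=True)):
            reasons.append(f"macro-enabled Excel attachment: {name}")
            if "@gmx." in sender:  # delivery channel named in the advisory
                reasons.append("sender uses free-mail provider GMX")
    return reasons

def build_sample_message(with_macro: bool) -> bytes:
    """Constructed sample: minimal OOXML 'workbook', optionally with a VBA stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"constructed-vba-stub")
    msg = EmailMessage()
    msg["From"] = "invoice@gmx.net"       # constructed sender
    msg["To"] = "staff@example.test"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="invoice.xlsm")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage_message(build_sample_message(True)))
```

A real gateway would pair this with sandbox detonation, since a present VBA project says nothing about what the macro does; the check only decides what to hold for review.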
“Ransomware” is a class of malware that lets cyber criminals extort victims for financial gain by holding their personal data and information hostage. The consequences of a ransomware infection can be debilitating for an organization, both financially and socially, because of the intensive process needed to remediate it. “Hakbit” has been identified as a variant of the “Thanos” Ransomware-as-a-Service (RaaS). RaaS offerings are especially dangerous because they allow the original operators to sell or rent the service to other malicious actors who intend to launch an attack on the infected network.
What is the exposure or risk?
So far, the spear-phishing campaign has targeted mid-level employees in Austria, Switzerland, and Germany. The mail is typically delivered through the free email provider GMX, which primarily serves European traffic. This campaign is believed to be “low volume”; however, GuLoader and Hakbit ransomware infections have continued to grow throughout 2020.
What are the recommendations?
- Deploy strong endpoint protection to stop malware pre-execution, like SKOUT Endpoint Protection
- Deploy strong email protection to combat against phishing attacks, like SKOUT Email Protection
- Avoid interacting with emails from unknown sources
- Frequently back up device files. In the case of a ransomware infection, it is imperative to have clean backups available.
If you have any questions, please contact our Security Operations Center.