Threat Insights 0x28: Guloader Malspam
Sucurilabs Threat Insights is a summary of the past week's phishing campaigns and malware threats, delivered to you every Monday.
Review pending messages

- Rating: ★★★★☆
- Date: 2024-09-27
- Objective: Credential harvesting
- Analyst: José Morim
This email disguises itself as a notice from the recipient's email service provider, presenting a fake "Review pending messages" alert. It claims that certain incoming emails are being held and that immediate action is required to access them. The message is deliberately designed to create urgency, enticing the recipient to click a link or button under the false pretense of resolving the issue and retrieving the pending emails.
Your inbox is going to be shut down

- Rating: ★★☆☆☆
- Date: 2024-09-25
- Objective: Credential harvesting
- Analyst: José Morim
The email falsely claims to be from the recipient's email service provider, urging them to click a link to prevent their mailbox from being shut down by a certain deadline. However, that link actually takes them to a phishing site intended to harvest their personal information.
Update payment information!

- Rating: ★★☆☆☆
- Date: 2024-09-24
- Objective: Credential harvesting
- Analyst: José Morim
The email looks like a straightforward request to refresh the payment details for an Amazon Prime account, but its true purpose is far more sinister. It is crafted to trick the recipient into clicking a link that directs them to a credential-harvesting page.
Guloader Malspam

- Rating: ★★★★☆
- Date: 2024-09-25
- Objective: Malware
- Analyst: José Morim
This email masquerades as a payment order, but its intentions are far from innocent. Its real purpose is to mislead the recipient into opening the attached file, which contains a malicious executable. If the recipient runs the file, it silently installs Guloader on their system while they believe they are dealing with a legitimate business request.

The attacker’s primary objective is to manipulate the victim into executing the malicious payload, thereby infecting their system with malware. This allows the attacker to covertly collect sensitive information and credentials, compromising the victim’s security.
Indicators of Compromise