GuLoader Malware Using Malicious NSIS Executable to Target E-Commerce Industry

E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month.


The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, Taiwan and Japan.

NSIS, short for Nullsoft Scriptable Install System, is a script-driven open source system used to develop installers for the Windows operating system.

While attack chains in 2021 leveraged a ZIP archive containing a macro-laced Word document to drop an executable file tasked with loading GuLoader, the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection.
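The delivery chain described above (an NSIS-built executable placed inside a ZIP or ISO so that mail and endpoint filters see only the container) suggests a simple triage check. The following Python script is an added example, not code from Trellix or from this article: it unpacks ZIP members, recurses into nested ZIPs, and flags any PE file that carries the NSIS first-header marker (the bytes EF BE AD DE followed by the ASCII tag "NullsoftInst", which every NSIS installer embeds ahead of its compressed data). For ISO images it falls back to a raw byte scan, since ISO 9660 stores file contents uncompressed. The file names, the nesting depth limit and the sample bytes are constructed for the demonstration and are not from the campaign.

```python
"""Triage helper: flag NSIS-built executables delivered inside ZIP archives
or raw disk images. Added example, not Trellix's tooling; the file names
and sample bytes below are constructed, not real malware."""
import io
import zipfile

# Every NSIS-built installer carries a "first header" in front of its
# compressed data block: a 4-byte flags field, the magic 0xDEADBEEF
# (little-endian EF BE AD DE) and the ASCII tag "NullsoftInst". The stub
# searches for this marker at runtime, so it is present in every NSIS build.
NSIS_MARKER = b"\xef\xbe\xad\xde" + b"NullsoftInst"
MAX_DEPTH = 3  # nested archives scanned this deep (assumption: enough for triage)


def is_pe(data: bytes) -> bool:
    """Cheap PE check: the DOS stub signature 'MZ'."""
    return data[:2] == b"MZ"


def classify_blob(name: str, data: bytes) -> tuple:
    """Label one file's bytes: NSIS installer, plain PE, or something else."""
    if is_pe(data) and NSIS_MARKER in data:
        return (name, "nsis-installer")
    if is_pe(data):
        return (name, "pe")
    return (name, "other")


def scan_container(data: bytes, depth: int = 0) -> list:
    """Walk a ZIP (decompressing members, recursing into nested ZIPs) or,
    for anything else, scan the raw bytes. The raw scan covers ISO 9660
    images because they store file contents uncompressed and contiguous."""
    findings = []
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    findings.extend(scan_container(member, depth + 1))
                else:
                    findings.append(classify_blob(info.filename, member))
    else:
        verdict = "nsis-installer" if NSIS_MARKER in data else "other"
        findings.append(("<raw>", verdict))
    return findings


def wrap_in_zip(name: str, data: bytes) -> bytes:
    """Pack one blob into an in-memory ZIP (used to build nested samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


# --- constructed sample input (stand-ins, not real binaries) ---
FAKE_NSIS_EXE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
                 + NSIS_MARKER + b"\x00" * 64)
FAKE_PLAIN_EXE = b"MZ" + b"\x00" * 300


def build_sample_zip() -> bytes:
    """A lure archive: hypothetical installer name plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_0423.exe", FAKE_NSIS_EXE)
        zf.writestr("readme.txt", b"please see attached")
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Stand-in for an ISO: a flat blob with the installer bytes inside it."""
    return b"\x00" * 32768 + b"\x01CD001" + b"\x00" * 2041 + FAKE_NSIS_EXE


if __name__ == "__main__":
    results = scan_container(build_sample_zip()) + scan_container(build_sample_image())
    for name, verdict in results:
        print(f"{name:20} {verdict}")
```

The marker check is a triage heuristic, not an attribution of GuLoader: plenty of legitimate software ships as NSIS installers, so a hit is a reason to detonate or inspect the file, not a conviction on its own.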

“Embedding malicious executable files in archives and images can help threat actors evade detection,” Trellix researcher Nico Paulo Yturriaga said.

Over the course of 2022, the NSIS scripts used to deliver GuLoader are said to have grown in sophistication, packing in additional obfuscation and encryption layers to conceal the shellcode.

The development is also emblematic of a broader shift within the threat landscape, which has witnessed spikes in alternative malware distribution methods in response to Microsoft’s blocking of macros in Office files downloaded from the internet.

“The migration of GuLoader shellcode to NSIS executable files is a notable example to show the creativity and persistence of threat actors to evade detection, prevent sandbox analysis and obstruct reverse engineering,” Yturriaga noted.
