| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | GuLoader can establish persistence via the Registry under |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GuLoader can use HTTP to retrieve additional binaries.[1][2] |
| Enterprise | T1106 | Native API | GuLoader can use a number of different APIs for discovery and execution.[2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | GuLoader has relied upon users clicking on links to malicious documents.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | GuLoader can delete its executable from the |
| Enterprise | T1102 | Web Service | GuLoader has the ability to download malware from Google Drive.[2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | GuLoader can download further malware for execution on the victim's machine.[2] |
| Enterprise | T1055 | Process Injection | GuLoader has the ability to inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | GuLoader has been spread in phishing campaigns using malicious web links.[1] |