![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-1Infection-chain.png\")
Figure 1:<\/strong> Infection chain<\/p>\nThe execution process begins with the opening of an SVG file from an email attachment. This action triggers the browser to download a ZIP file. Within this ZIP file is a WSF (Windows Script File), acting as the conduit for the subsequent stage. Upon execution of the WSF, wscript calls the PowerShell command to establish a connection with a malicious domain and execute the hosted content. This content includes shellcode injected into the MSBuild application, facilitating further malicious actions.<\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-2Process-tree.png\")
<\/p>\n
Figure 2:<\/strong> Process Tree<\/p>\n A recipient receives a spam email that contains malware embedded in archived attachments. The attachment contains a malicious SVG file named “dhgle-Skljdf.svg”<\/p>\n JavaScript that was smuggled inside of the SVG image contained the entire malicious zip archive. When the victim opened the attachment from the email the smuggled JavaScript code inside the SVG image created a malicious zip archive, and then presented the user with a dialog box to decrypt and save the file.<\/p>\n Figure 4:<\/strong> Saving file prompt<\/p>\n The SVG file utilizes a Blob object that contains the embedded zip file in base64 format. Subsequently, the zip file is dropped via the browser when accessed.<\/p>\n Figure 5<\/strong>: SVG file code<\/p>\n Inside the zip file, there is an obfuscated WSF (Windows Script File). The WSF script employs several techniques to make analysis quite difficult.<\/p>\n Figure 6:<\/strong> Obfuscated WSF Script<\/p>\n It invokes PowerShell to establish a connection with a malicious domain, subsequently executing the hosted content retrieved from it.<\/p>\n Encoded PowerShell<\/strong><\/p>\n Figure 7:<\/strong> Encoded PowerShell code<\/p>\n After Decoding<\/strong><\/p>\n Figure 8<\/strong>: Decoded PowerShell code<\/p>\n URL:<\/strong> hxxps:\/\/winderswonders.com\/JK\/Equitably.mix<\/p>\n The URL hosts base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.<\/p>\n Hosted Content<\/strong><\/p>\n Figure 9:<\/strong> Hosted Base64 content<\/p>\n After decoding Base64<\/strong><\/p>\n Figure 10:<\/strong> Decoded Base64 content<\/p>\n The above PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.<\/p>\n After injection, the shellcode executes anti-analysis check then it modifies the Registry run key to achieve persistence.<\/p>\n HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n The final stage uses the injected shellcode to download and execute the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.<\/p>\n <\/p>\n Authored by: Vignesh Dhatchanamoorthy In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding…<\/p>\n","protected":false},"author":695,"featured_media":178396,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-184363","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nTechnical Analysis<\/h2>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-3-Spam-email.png\")
Figure 3:<\/strong> Spam Email<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-4-Saving-file.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-5-SVG-code.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-6-WSF-script.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-7-Encoded-PS.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-8-Decoded-PS.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-9-Hosted-Content.png\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/02\/Fig-10-Decoded-content.png\")
<\/p>\nIndicator of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n File<\/strong><\/td>\n SHA256\/URL<\/strong><\/td>\n<\/tr>\n \n Email<\/td>\n 66b04a8aaa06695fd718a7d1baa19386922b58e797634d5ac4ff96e79584f5c1<\/td>\n<\/tr>\n \n SVG<\/td>\n b20ea4faca043274bfbb1f52895c02a15cd0c81a333c40de32ed7ddd2b9b60c0<\/td>\n<\/tr>\n \n WSF<\/td>\n 0a196171571adc8eb9edb164b44b7918f83a8425ec3328d9ebbec14d7e9e5d93<\/td>\n<\/tr>\n \n URL<\/td>\n hxxps:\/\/winderswonders[.]com\/JK\/Equitably[.]mix<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"