Technical analysis by the Malware Hunter JAMESWT
New Guloader campaign delivered via fake purchase orders. The exe inside the ISO attached to the email contacts Google and downloads the malware, which is decrypted and starts the infection. The stolen data is exfiltrated via email.
Guloader is being distributed in a global campaign through a fake purchase order. The email carries a disk image in ISO format with an executable inside.
If the exe is opened, it downloads the malware from Google and then decrypts it to start the infection.
Guloader has been used in the past by cybercriminals to deliver different types of information stealers and remote access trojans, such as Agent Tesla / Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria / Warzone RAT and Parallax RAT.
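The delivery chain described above (ISO attachment, executable launched from the mounted image, outbound download from a cloud host) is something a defender can detect from ordinary endpoint and mail telemetry. The following is an added illustration, not code from the original article or from JAMESWT's analysis: it runs a simple correlation over constructed sample events. The event format, field names, file names, drive letter and the destination host are all assumptions made for this example and are not indicators from the campaign.

```python
"""
Added detection example: correlate mail-gateway, mount, process and network
events to flag an executable run from a mounted ISO that was delivered as an
email attachment and then made an outbound connection. All event fields and
sample values below are constructed for this illustration.
"""
import re

# Extensions that are executable on Windows when double-clicked.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js|lnk)$", re.IGNORECASE)
# Disk-image containers that Windows auto-mounts as a new drive letter,
# which is why they are a popular wrapper for mailed executables.
CONTAINER_EXT = re.compile(r"\.(iso|img|vhd|vhdx)$", re.IGNORECASE)

# Constructed sample telemetry (hypothetical names; not from a real incident).
SAMPLE_EVENTS = [
    {"type": "email", "attachment": "PO-0417.iso", "subject": "Purchase Order"},
    {"type": "mount", "file": "C:\\Users\\alice\\Downloads\\PO-0417.iso", "volume": "E:"},
    {"type": "process", "pid": 4412, "image": "E:\\PO-0417.exe", "parent": "explorer.exe"},
    {"type": "network", "pid": 4412, "dest": "cloud-storage.example", "port": 443},
    # Benign activity that must not be flagged: normal program on C:
    {"type": "process", "pid": 5120, "image": "C:\\Program Files\\App\\app.exe", "parent": "explorer.exe"},
    {"type": "network", "pid": 5120, "dest": "update.example", "port": 443},
]


def basename(path):
    """Last path component, handling Windows backslashes on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_container_attachment(name):
    """True if a mail attachment is a disk image (ISO/IMG/VHD)."""
    return bool(CONTAINER_EXT.search(name))


def find_iso_execution_chains(events):
    """Return one record per process that was started from a mounted image
    with an executable extension, including any outbound connections it made
    and the email attachment the image came from (if one matches by name)."""
    attachments = {
        e["attachment"] for e in events
        if e["type"] == "email" and is_container_attachment(e["attachment"])
    }
    # drive letter -> path of the image mounted there
    volumes = {e["volume"].upper(): e["file"] for e in events if e["type"] == "mount"}

    suspects = {}
    for e in events:
        if e["type"] != "process":
            continue
        image = e["image"]
        vol = image[:2].upper()  # "E:" from "E:\\PO-0417.exe"
        if vol in volumes and EXECUTABLE_EXT.search(image):
            src = basename(volumes[vol])
            suspects[e["pid"]] = {
                "image": image,
                "mounted_image": volumes[vol],
                "attachment": src if src in attachments else None,
                "destinations": [],
            }

    # Attach outbound connections made by the flagged processes.
    for e in events:
        if e["type"] == "network" and e["pid"] in suspects:
            suspects[e["pid"]]["destinations"].append(f"{e['dest']}:{e['port']}")
    return list(suspects.values())


if __name__ == "__main__":
    for hit in find_iso_execution_chains(SAMPLE_EVENTS):
        print("ALERT: executable run from mounted image:", hit)
```

The chain is flagged on behaviour (executable started from a freshly mounted image, then network egress), not on the file name or the download host, so it still fires when the lure, the image name or the hosting provider changes. The mail-gateway side check, `is_container_attachment`, is the cheaper first line: quarantining or stripping ISO/IMG attachments stops this delivery method before the endpoint sees it.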