GUloader Unmasked: Decrypting the Threat of Malicious SVG Files | McAfee Blog

Authored by: Vignesh Dhatchanamoorthy

In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding of their tactics and tools. Enter GUloader, a potent weapon in the arsenal of cybercriminals worldwide. This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals.

One of GUloader’s distinguishing features is its utilization of evasion techniques, making it particularly challenging for traditional security measures to detect and mitigate. Through polymorphic code and encryption, GUloader can dynamically alter its structure, effectively masking its presence from antivirus software and intrusion detection systems. This adaptability enables GUloader to persistently infiltrate networks and establish footholds for further malicious activity.

McAfee Labs has observed a recent GUloader campaign being distributed through a malicious SVG file delivered via email.

Scalable Vector Graphics (SVG)

The SVG (Scalable Vector Graphics) file format is a widely used vector image format designed for describing two-dimensional vector and mixed vector/raster graphics in XML. One of the key features of SVG files is their support for interactivity and animation, achieved through JavaScript and CSS.

Modern web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge have built-in support for rendering SVG files. When you open an SVG file in Chrome or Firefox, the browser renders the vector graphics using its built-in SVG rendering engine. This engine interprets the XML-based SVG code and displays the image accordingly on the web page.

Browsers treat SVG files as standard web content and handle them seamlessly within their browsing environments.

Execution Chain

Figure 1: Infection chain

The execution process begins with the opening of an SVG file from an email attachment. This action triggers the browser to download a ZIP file. Within this ZIP file is a WSF (Windows Script File), acting as the conduit for the subsequent stage. Upon execution of the WSF, wscript calls the PowerShell command to establish a connection with a malicious domain and execute the hosted content. This content includes shellcode injected into the MSBuild application, facilitating further malicious actions.

Figure 2: Process Tree

Technical Analysis

A recipient receives a spam email that contains malware embedded in archived attachments. The attachment contains a malicious SVG file named “dhgle-Skljdf.svg”

Figure 3: Spam Email

JavaScript that was smuggled inside of the SVG image contained the entire malicious zip archive. When the victim opened the attachment from the email the smuggled JavaScript code inside the SVG image created a malicious zip archive, and then presented the user with a dialog box to decrypt and save the file.

Figure 4: Saving file prompt

The SVG file utilizes a Blob object that contains the embedded zip file in base64 format. Subsequently, the zip file is dropped via the browser when accessed.

Figure 5: SVG file code

Inside the zip file, there is an obfuscated WSF (Windows Script File). The WSF script employs several techniques to make analysis quite difficult.

Figure 6: Obfuscated WSF Script

It invokes PowerShell to establish a connection with a malicious domain, subsequently executing the hosted content retrieved from it.

Encoded PowerShell

Figure 7: Encoded PowerShell code

After Decoding

Figure 8: Decoded PowerShell code

URL: hxxps://winderswonders.com/JK/Equitably.mix

The URL hosts base64-encoded content, which, after decoding, contains shellcode and a PowerShell script.

Hosted Content

Figure 9: Hosted Base64 content

After decoding Base64

Figure 10: Decoded Base64 content

The above PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.

After injection, the shellcode executes anti-analysis check then it modifies the Registry run key to achieve persistence.

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

The final stage uses the injected shellcode to download and execute the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.

Indicator of Compromise (IOCs)