June 11, 2023

Recent spear-phishing emails have been found spreading the Hakbit ransomware using the GuLoader dropper and malicious Microsoft Excel attachments.

What’s happening?

Hakbit ransomware campaign is targeting employees across Germany, Austria, and Switzerland with malicious Excel attachments via GMX, a popular email provider.

Research findings

These emails direct targeted victims to open the attachments on their computer instead of their mobile devices.
The mid-level employees targeted belong to healthcare, pharmaceutical, financial, legal, business service, and retail sectors.
This low-volume campaign uses financial lures, such as “Tax Repayment’ and “Your Bill”.

What should you know about GuLoader?

GuLoader is an emerging security threat and is actively used to deliver malware via cloud services.
The executable is a Visual Basic 6 wrapper that decrypts some shellcode containing the main functionality.
Initially, the dropper was used to download Parallax RAT but recently, it has been applied to other info-stealer and remote access trojans, including Netwire, Tesla, and FormBook.

What should you know about Hakbit?

The ransomware has been operational since 2019 and has taken victims from Europe and the US.
It has also been found to be associated with the Thanos ransomware as Hakbit samples are built using Thanos ransomware builder.
After encrypting the files, the operators demand a ransom.

The takeaway

GuLoader, as a malware dropper, is frequently appearing in the wild and has gained the status of one of the most advanced downloaders. Hakbit is used in targeted ransomware campaigns specifically designed for people from certain organizations, roles, and native languages.

Leave a Reply

%d bloggers like this: