
Sep 06, 2023

May 2023’s Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud

Our latest Global Threat Index for May 2023 saw researchers report on a new version of shellcode-based downloader GuLoader, which was the fourth most prevalent malware. With fully encrypted payloads and anti-analysis techniques, the latest form can be stored undetected in well-known public cloud services, including Google Drive. Meanwhile, Qbot and Anubis are taking first place on their respective lists, and Education/Research remained the most exploited industry.

GuLoader is one of the most prominent downloaders cybercriminals use to evade antivirus detection. With over three years of activity and ongoing development, the latest version employs a technique that replaces code in a legitimate process, enabling it to evade detection by process-monitoring security tools. By using a VBScript to download encrypted shellcode from the cloud, the victim receives a less suspicious file, reducing the likelihood of triggering alerts. The use of encryption, a raw binary format and separation from the loader renders the payloads invisible to antivirus products, allowing threat actors to bypass antivirus protection and use Google Drive for storage. In some instances, these malicious payloads may remain active for extended periods of time.

Last month also saw both Qbot and Anubis taking first place on their respective lists. Despite efforts to slow down malware distribution by blocking macros in Office files, Qbot operators have been quick to adapt their distribution and delivery. It has recently been seen abusing a dynamic link library (DLL) hijacking flaw in the Windows 10 WordPad program to infect computers.

More often than not we are seeing cybercriminals exploiting tools available to the public to store and deliver malware campaigns. We can no longer blindly trust that the services we use will be completely secure, no matter how trustworthy the source may be. That is why we need to be educated on what suspicious activity looks like. Do not disclose personal information or download attachments unless you have verified that the request is legitimate and there is no malicious intent.

CPR also revealed that "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, impacting 49% of organizations globally, followed by "Apache Log4j Remote Code Execution" impacting 45% of organizations worldwide. "HTTP Headers Remote Code Execution" was the third most used vulnerability, with a global impact of 44%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

Qbot was the most prevalent malware last month with an impact of 6% of organizations worldwide, followed by Formbook with a global impact of 5% and AgentTesla with a global impact of 3%.

Top Attacked Industries Globally

Last month, Education/Research remained in first place as the most exploited industry globally, followed by Government/Military and Healthcare.

Top exploited vulnerabilities

Last month, "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, impacting 49% of organizations globally, followed by "Apache Log4j Remote Code Execution" impacting 45% of organizations worldwide. "HTTP Headers Remote Code Execution" was the third most used vulnerability, with a global impact of 44%.

Top Mobile Malwares

Last month Anubis rose to first place as the most prevalent Mobile malware, followed by AhMyth and Hiddad.

Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.

Top malware families (arrows show the change in rank compared to the previous month)

↑ Qbot
↑ Formbook
↓ AgentTesla
↑ GuLoader
↓ Emotet
↔ XMRig
↑ NJRat
↑ Lokibot
↓ NanoCore
↓ Remcos

Top Attacked Industries Globally

Education/Research
Government/Military
Healthcare

Top exploited vulnerabilities (global impact given where reported)

↔ Web Servers Malicious URL Directory Traversal (49%)
↔ Apache Log4j Remote Code Execution (CVE-2021-44228) (45%)
↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) (44%)
↑ MVPower DVR Remote Code Execution
↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561)
↑ D-Link Multiple Products Remote Code Execution (CVE-2015-2051)
↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346)
↓ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086)
↔ PHP Easter Egg Information Disclosure (CVE-2015-2051)
↑ F5 BIG-IP Remote Code Execution (CVE-2021-22986)

Top Mobile Malwares

Anubis
AhMyth
Hiddad