GuLoader: Malspam Campaign Installing NetWire RAT


Category: Unit 42

Tags: , , ,

This post is also available in: 日本語 (Japanese)

Executive Summary

NetWire is a publicly-available RAT that has been used by criminal organizations and other malicious groups since 2012. NetWire is distributed through various campaigns, and we usually see it sent through malicious spam (malspam). GuLoader is a file downloader that was first discovered in December 2019, and it has been used to distribute a wide variety of remote administration tool (RAT) malware.

This blog reviews a recent distribution chain in March 2020 using Microsoft Word documents to distribute NetWire through GuLoader. We review the infection chain of events, examine the associated network traffic, and cover post-infection artifacts from an infected Windows host. This material is primarily helpful to Security Operations Center (SOC) personnel like front-line analysts and people who perform forensic investigations.

This blog covers the following areas:

    • Chain of events
    • Email lures
    • Malicious Word documents
    • The initial binary
    • Infection traffic
    • Forensics on an infected Windows host

Chain of Events

This chain of events kicks off with an email. The email contains a web link for a Microsoft Word document. The Word document has macro code that retrieves a Windows executable for GuLoader. The executable retrieves an encrypted data file used for NetWire. Then we see command and control (C2) traffic for NetWire RAT activity. See Figure 1 for a flow chart of this infection chain.

Figure 1. Chain of events for this NetWire RAT infection.

Email Lures

Malspam distributing NetWire typically uses attachments or links for the malware. Figure 2 shows one such example from August 2019 with both an attachment and a link for the same Word document to kick off a NetWire RAT infection.

Figure 2. Malspam from August 2019 with both a link and an attachment for a Word document to kick off a NetWire RAT infection.

GuLoader is now widely used for RAT distribution in 2020 and we continue to see the same type of email lures for malspam pushing NetWIre RAT.

Malicious Word Documents

For an infection chain from March 2020, we clicked on an email link discovered through AutoFocus to retrieve a malicious Word document as shown in Figure 3.

Figure 3. Downloading a malicious Word document from the link in the malspam

Our research led us to two links that generated similar infection chains:

  • hxxp://www.artizaa[.]com/Andys_18US_Tax.doc
  • hxxp://murthydigitals[.]com/PM_2019_Screen_18_Tax_File.doc

Both links returned Word documents for the same type of NetWire RAT activity. Each document used a different template. Compare Figure 4 with Figure 5 to see the difference in each document.

Figure 4. Document from one of the links to start NetWire RAT infection
Figure 5. Document from another one of the links to start a NetWire RAT infection

The Initial Binary

Enabling macros for each of these Word documents generated an infection on a vulnerable Windows host. Each vulnerable host retrieved an initial binary for GuLoader and ran it from the infected users’ AppData\Local\Temp directory. Figure 7 and Figure 8 show examples from each Word document.

Figure 7. Binary for GuLoader after enabling macros on Andys_18US_Tax.doc


Figure 8. Binary for GuLoader after enabling macros on PM_2019_Screen_18_Tax_File.doc

Infection Traffic

Pcaps of the infection traffic revealed the following:

    • HTTP request that returned a malicious Word document
    • HTTP request that returned a malicious Windows executable file (GuLoader)
    • HTTP request that returned an encoded binary
    • TCP traffic for NetWire RAT

See Figure 9 and Figure 10 for images of the traffic filtered in Wireshark.

Figure 9. NetWire RAT infection traffic associated with PM_2019_Screen_18_Tax_File.doc and GuLoader filtered in Wireshark
Figure 10. NetWire RAT infection traffic associated with Andys_18US_Tax.doc and GuLoader filtered in Wireshark

This March 2020 infection traffic follows the same concept for GuLoader to RAT activity discussed in a previous analysis of GuLoader.

Forensics on an Infected Windows Host

A copy of the initial EXE for GuLoader is made persistent, then the original is deleted from the infected user’s AppData\Local\Temp directory where it was originally saved. The GuLoader EXE is persistent through the Windows Registry under the following key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Two examples of this Registry update are shown in Figure 11 and Figure 12.

Figure 11. First example of GuLoader persistent through the Windows Registry.
Figure 12. Second example of GuLoader persistent through the Windows Registry

Because this is ultimately a NetWire RAT infection, we can also find a registry update at HKCU\Software\NetWire like the example shown in Figure 13.

Figure 13. Windows Registry update for NetWire

We can also find artifacts associated with a NetWire infection as shown in Figure 14 and Figure 15.

Figure 14. First example of file indicating data exfiltrated by NetWire RAT on 2020-03-25
Figure 15. Second example of file indicating data exfiltrated by NetWire RAT on March 25, 2020


These types of infections are not very effective against Windows 10 hosts using default security settings. Versions of Microsoft Office since 2013 have Protected View enabled by default that prevents users from enabling macros in Word documents downloaded from the Internet. Furthermore, Real-time protection and Tamper protection settings in Windows Defender were remarkably effective in preventing these infections within a Windows 10 test environment. Finally, within 24 hours of discovery, URLs serving the malware associated with these infections had been taken off-line.

However, criminal distribution of RATs and other types of commodity malware are often a cat-and-mouse game against security vendors. After one wave of malware is distributed, the binaries are updated, and another wave is quickly released into the wild. These efforts rely on wide-scale distribution from the criminals and poor security practices among potential victims. Only a small percentage infection attempts need to be successful for these efforts to be cost-effective.

Palo Alto Networks customers are further protected through our threat prevention platform which is designed to detect and block such threats, and AutoFocus shows these binaries as malicious. As long as this type of malware distribution remains cost-effective, criminals will continue to pursue such methods of attack.

Indicators of Compromise

Infection traffic - first run on 2020-03-25

    • 116.202.210[.]82 port 80 - murthydigitals[.]com - GET /PM_2019_Screen_18_Tax_File.doc
    • 213.219.212[.]206 port 80 - ptgteft[.]com - GET /Exten/TY1920/TY30.exe
    • 213.219.212[.]206 port 80 - matpincscr[.]com - GET /tec_encrypted_340BD0.bin
    • 185.163.47[.]213 port 2121 - www.Novmintservices[.]com - NetWire RAT post-infection TCP traffic

Infection traffic - second run on 2020-03-25

    • 104.27.138[.]31 port 80 - www.artizaa[.]com - GET /Andys_18US_Tax.doc
    • 213.219.212[.]206 port 80 - saidialxo[.]com - GET /lp.exe
    • 185.196.8[.]122 port 80 - www.rossogato[.]com - GET /ROSSO_encrypted_54E9BA0.bin
    • 185.163.47[.]168 port 2020 - www.myamystills[.]com - NetWire RAT post-infection TCP traffic

Malware - first run


    • Size: 117,204 bytes
    • Location: hxxp://murthydigitals[.]com/PM_2019_Screen_18_Tax_File.doc
    • Description: Word doc with malicious macro


    • Size: 65,536 bytes
    • Location: hxxp://ptgteft[.]com/Exten/TY1920/TY30.exe
    • Description: GuLoader retrieved after enabling macros


    • Size: 130,624 bytes
    • Location: hxxp://matpincscr[.]com/tec_encrypted_340BD0.bin
    • Description: Encrypted binary retrieved by GuLoader for NetWire RAT

Malware - second run


    • Size: 150,534 bytes
    • Location: hxxp://www.artizaa[.]com/Andys_18US_Tax.doc
    • Description: Word doc with malicious macro


    • Size: 69,632 bytes
    • Location: hxxp://saidialxo[.]com/lp.exe
    • Description: GuLoader retrieved after enabling macros


    • Size: 130,624 bytes
    • Location: hxxp://www.rossogato[.]com/ROSSO_encrypted_54E9BA0.bin
    • Description: Encrypted binary retrieved by GuLoader for NetWire RAT