GuLoader implements new evasion techniquesSecurity Affairs | Savvy Tech

Cybersecurity researchers uncovered new evasion strategies adopted by a complicated malware downloader referred to as GuLoader.

CrowdStrike researchers detailed a number of evasion strategies carried out by a complicated malware downloader referred to as GuLoader (also called CloudEyE).

GuLoader makes use of a polymorphic shellcode loader to bypass conventional safety options, specialists mapped all built-in DJB2 hashes for every API utilized by the malicious code.

The malware makes use of an anti-analysis method to keep away from execution in virtualized environments.

“By dissecting the GuLoader shellcode, CrowdStrike revealed a brand new anti-scanning method aimed toward detecting whether or not the malware is operating in a hostile atmosphere by scanning your entire course of reminiscence for digital machine (VM) associated strings. learn the evaluation printed by CrowdStrike.

“The brand new redundant code injection mechanism means making certain code execution through the use of inline meeting to keep away from user-mode hooks from safety options.”

GuLoader first appeared on the menace panorama in 2019, it was utilized by menace actors to obtain a number of Distant Entry Trojans (RATs) akin to AgentTesla, FormBook, Nanocore, NETWIRE, and Parallax RATs.

Early variations of GuLoader have been distributed by way of spam messages utilizing attachments containing the malicious executable. Current variants have been delivered by way of a Visible Primary Script (VBS) file.

“GuLoader additionally started to make use of superior anti-scanning strategies to evade detection, akin to anti-debugging, anti-sandboxing, anti-VM, and anti-detection to make it troublesome to scan.” learn the evaluation.

A latest variant of GuLoader reviewed by specialists displays a multi-stage implementation:

• the primary state of affairs makes use of a VBS dropper file to drop a second-stage packaged payload right into a registry key. It then makes use of a PowerShell script to execute and unpack the second stage payload from the in-memory registry key.
• The Second stage payload performs all of the anti-scan routines (described beneath), creates a Home windows course of (for instance, an ieinstal.exe) and injects the identical shellcode into the brand new course of.
• the third stage it re-implements all anti-scanning strategies, downloads the ultimate payload from a distant server and runs it on the sufferer’s machine.

The malware implements anti-debugging and anti-teardown checks to detect the presence of breakpoints used for code evaluation.

The researchers additionally famous using a redundant code injection mechanism to bypass the NTDLL.dll hooks utilized by antivirus and EDR options to detect malicious exercise.

“Then map that part by way of NtMapViewofSection on the suspended course of.” evaluation continues. “If this injection method fails, it makes use of the next redundancy methodology:

a. NtAllocateVirtualMemory by calling the inline meeting directions (with out calling ntdll.dll, to bypass the AV/EDR user-mode hooks) of that perform, utilizing the next meeting stub:

mov eax,18                           
mov edx,ntdll.77178850       
name edx                           
ret 18  

It makes use of NtWriteProcessMemory to repeat the identical shellcode to that just about allotted handle. Makes use of NtWriteProcessMemory to repeat the identical shellcode to that just about assigned handle.”

The specialists identified that GuLoader remains to be a harmful menace that’s continuously evolving, in addition they shared indicators of compromise for the newest variant of the downloader.

Observe me on twitter: @safetyissues Y Fb Y Mastodon

Pierluigi Paganini

(Safety Points – hacking, GuLoader)

---

share on