GuLoader malware used new techniques to bypass defences

January 12, 2023

An advanced payload downloader called GuLoader has adopted several new techniques to bypass security software.

According to researchers, the downloader uses anti-analysis methods to hinder researchers and automated analysis environments from inspecting its activity inside a targeted network. GuLoader, also known as CloudEye, is a VBS downloader that threat actors utilise to spread remote access trojans (RATs), such as Remcos, on compromised devices. The malware was first discovered in the wild in 2019.

A month ago, a JavaScript malware strain called RATDispenser appeared as a tool for dropping GuLoader through a Base64-encoded VBScript dropper.


The upgraded GuLoader malware has a multi-stage infection process.


The latest GuLoader sample discovered in the wild uses a three-stage process: the VBScript delivers a next stage that runs anti-analysis checks before loading shellcode embedded inside the VBScript into memory.

Subsequently, the shellcode downloads a final payload of the threat actor’s choice from a remote server and operates it on the infected host.
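The Base64-encoded VBScript dropper and the nested stages described above are what an analyst meets first when triaging a sample. The script below is an added example, not code from the original article or from any malware sample: it peels Base64 layers out of a script-like text recursively and reports which keywords an analyst would flag at each depth. The sample dropper, the `DecodeB64` helper name and the keyword list are constructed for illustration.

```python
import base64
import re

# Constructed sample: a tiny VBScript-style dropper with a Base64-encoded
# inner stage, which itself embeds a second Base64 layer. It is not real
# GuLoader code; "DecodeB64" is a hypothetical helper name.
STAGE2 = 'Set sh = CreateObject("WScript.Shell")\nsh.Run "powershell -enc AAAA"'
STAGE1 = 'Execute DecodeB64("' + base64.b64encode(STAGE2.encode()).decode() + '")'
SAMPLE_VBS = (
    "Dim payload\n"
    'payload = "' + base64.b64encode(STAGE1.encode()).decode() + '"\n'
    "Execute DecodeB64(payload)\n"
)

# Runs of 40+ Base64 alphabet characters, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Keywords worth flagging in a decoded stage (constructed triage list).
SUSPICIOUS = ("Execute", "CreateObject", "WScript.Shell", "powershell", "-enc", "Run ")


def decode_layers(text, max_depth=5):
    """Return a list of (depth, decoded_text) for every Base64 layer found,
    descending into each decoded layer up to max_depth."""
    layers = []

    def walk(s, depth):
        if depth >= max_depth:
            return
        for m in B64_RE.finditer(s):
            try:
                raw = base64.b64decode(m.group(0), validate=True)
            except ValueError:
                continue  # not valid Base64 after all
            try:
                decoded = raw.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary blob (e.g. shellcode); not text to recurse into
            layers.append((depth + 1, decoded))
            walk(decoded, depth + 1)

    walk(text, 0)
    return layers


def triage(text):
    """Decode all layers and report suspicious keywords per depth."""
    layers = decode_layers(text)
    hits = {}
    for depth, decoded in layers:
        found = [kw for kw in SUSPICIOUS if kw in decoded]
        if found:
            hits[depth] = found
    return {"layers": len(layers), "hits": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_VBS)
    print(f"Base64 layers found: {report['layers']}")
    for depth, found in sorted(report["hits"].items()):
        print(f"  depth {depth}: {', '.join(found)}")
```

Blobs that decode to non-UTF-8 bytes are skipped rather than recursed into; for a real sample that is where an embedded shellcode stage would surface, and the raw bytes would be handed to a disassembler rather than treated as script text.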

Based on reports, the shellcode applies multiple anti-debugging and anti-analysis mechanisms at every stage of execution, and may display an error message if it detects any analysis or debugging tooling.

These include anti-disassembly and anti-debugging checks that look for breakpoints and an attached debugger and halt the shellcode if researchers' tooling is found. The shellcode also scans for virtualisation software.

Researchers also describe a newly added capability they call a “redundant code injection mechanism,” which avoids the ntdll.dll hooks that EDR solutions install. API hooking is a technique anti-malware products use to monitor the Windows APIs that threat actors abuse, so that malicious processes can be spotted and flagged.

The mechanism uses assembly instructions to resolve the required Windows API functions, allocate memory, and inject arbitrary shellcode into a target process via process hollowing.

These findings from a security firm paved the way for another researcher to demonstrate an EDR bypass technique dubbed “Blindside.” The method uses hardware breakpoints to create a process in which only ntdll is loaded, in a stand-alone, unhooked state, and then runs arbitrary code from it.
