GuLoader malware upgrades into a more elusive threat

March 14, 2024

The notorious GuLoader malware has added a further anti-analysis technique that makes it harder for security vendors and antivirus products to inspect. According to the researchers who reported it, the GuLoader developers have adopted a novel approach that makes the loader even more elusive while it runs.

The researchers explained that the technique relies on Windows' Vectored Exception Handling (VEH). GuLoader registers its own handler early in execution by calling RtlAddVectoredExceptionHandler.

Registering the handler lets the malware intercept and process exceptions that its own code deliberately raises as it starts up, turning them into a form of control flow. Each time the handler runs, it inspects the thread's debug registers for hardware breakpoints, the kind an analyst sets in a debugger, before deciding how execution continues; only when that check passes does the chain of exceptions lead on to deploying the final-stage payload.


The GuLoader upgrades focus on new exceptions that make it more elusive.


The upgrade that makes the recent variant harder to analyse is the addition of two more exception types to the handler's repertoire: EXCEPTION_PRIV_INSTRUCTION (raised when user-mode code executes a privileged instruction) and EXCEPTION_ILLEGAL_INSTRUCTION (raised by an invalid opcode). Each additional exception type is one more code path that sandboxes, emulators and debuggers must reproduce exactly as Windows does, which is what makes the change useful against AV solutions and detection efforts.
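To make the mechanism described above concrete, here is an added example of a GuLoader-style handler written for this article; it is not GuLoader's code and not the researchers' code. The decision logic (`veh_decide`, `hw_breakpoint_armed` and `planted_insn_len` are this example's own names) is kept free of Windows headers so it builds and can be exercised on any host; the `_WIN32` section wires it into a real vectored handler and deliberately raises the two exception types named in the article plus an `int3` breakpoint, a set chosen for the demo and assumed here rather than taken from the page. The Windows build assumes a MinGW-w64 gcc toolchain for the inline assembly, and "resume at the next instruction" is a simplification: the page does not describe the real loader's flow-control arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Exception codes from <winnt.h>, spelled out so the decision logic also
 * builds and runs on a non-Windows host. */
#define EXC_BREAKPOINT          0x80000003u  /* EXCEPTION_BREAKPOINT          */
#define EXC_ACCESS_VIOLATION    0xC0000005u  /* EXCEPTION_ACCESS_VIOLATION    */
#define EXC_ILLEGAL_INSTRUCTION 0xC000001Du  /* EXCEPTION_ILLEGAL_INSTRUCTION */
#define EXC_PRIV_INSTRUCTION    0xC0000096u  /* EXCEPTION_PRIV_INSTRUCTION    */

enum veh_decision { VEH_NOT_OURS, VEH_DEBUGGER_DETECTED, VEH_RESUME };

/* Snapshot of the thread's debug registers as found in CONTEXT.Dr0..Dr7. */
struct dbg_regs { uint64_t dr0, dr1, dr2, dr3, dr7; };

/* A hardware breakpoint is present when any address register is set or
 * when DR7 enables slot n (bit 2n = local enable, bit 2n+1 = global). */
static bool hw_breakpoint_armed(const struct dbg_regs *dr) {
    const uint64_t addr[4] = { dr->dr0, dr->dr1, dr->dr2, dr->dr3 };
    for (int n = 0; n < 4; n++) {
        if (addr[n] != 0 || ((dr->dr7 >> (2 * n)) & 3u) != 0)
            return true;
    }
    return false;
}

/* Length of the deliberately planted faulting instruction. Only the three
 * opcodes this demo raises are recognised; anything else returns 0. */
static size_t planted_insn_len(const uint8_t *p) {
    if (p[0] == 0xCC) return 1;                  /* int3 -> EXCEPTION_BREAKPOINT                 */
    if (p[0] == 0xFA) return 1;                  /* cli  -> EXCEPTION_PRIV_INSTRUCTION in ring 3 */
    if (p[0] == 0x0F && p[1] == 0x0B) return 2;  /* ud2  -> EXCEPTION_ILLEGAL_INSTRUCTION        */
    return 0;
}

/* The decision a GuLoader-style handler makes for each exception (this
 * example's reconstruction, not the loader's code): ignore codes it did not
 * plant, refuse to continue when a hardware breakpoint is armed, otherwise
 * resume just past the faulting opcode. */
static enum veh_decision veh_decide(uint32_t code, const struct dbg_regs *dr,
                                    uint64_t fault_ip, const uint8_t *fault_bytes,
                                    uint64_t *next_ip) {
    if (code != EXC_BREAKPOINT && code != EXC_PRIV_INSTRUCTION &&
        code != EXC_ILLEGAL_INSTRUCTION)
        return VEH_NOT_OURS;
    if (hw_breakpoint_armed(dr))
        return VEH_DEBUGGER_DETECTED;
    size_t len = planted_insn_len(fault_bytes);
    if (len == 0)
        return VEH_NOT_OURS;
    *next_ip = fault_ip + len;
    return VEH_RESUME;
}

#ifdef _WIN32
#include <windows.h>

static LONG CALLBACK demo_handler(EXCEPTION_POINTERS *ep) {
    CONTEXT *ctx = ep->ContextRecord;
    struct dbg_regs dr = { ctx->Dr0, ctx->Dr1, ctx->Dr2, ctx->Dr3, ctx->Dr7 };
#if defined(_M_X64) || defined(__x86_64__)
    uint64_t ip = ctx->Rip;
#else
    uint64_t ip = ctx->Eip;
#endif
    uint64_t next = 0;
    switch (veh_decide(ep->ExceptionRecord->ExceptionCode, &dr, ip,
                       (const uint8_t *)(uintptr_t)ip, &next)) {
    case VEH_RESUME:
#if defined(_M_X64) || defined(__x86_64__)
        ctx->Rip = next;
#else
        ctx->Eip = (DWORD)next;
#endif
        return EXCEPTION_CONTINUE_EXECUTION;  /* execution continues after the opcode */
    case VEH_DEBUGGER_DETECTED:
        puts("hardware breakpoint armed; a real loader would divert here");
        ExitProcess(1);
    default:
        return EXCEPTION_CONTINUE_SEARCH;     /* not ours; let the OS handle it */
    }
}

int main(void) {
    /* Same registration GuLoader performs via RtlAddVectoredExceptionHandler;
     * AddVectoredExceptionHandler is the documented kernel32 wrapper. */
    AddVectoredExceptionHandler(1, demo_handler);
    __asm__ volatile("int3");  /* EXCEPTION_BREAKPOINT          */
    __asm__ volatile("cli");   /* EXCEPTION_PRIV_INSTRUCTION    */
    __asm__ volatile("ud2");   /* EXCEPTION_ILLEGAL_INSTRUCTION */
    puts("all three planted exceptions were absorbed by the handler");
    return 0;
}
#endif
```

Run the Windows build under a debugger with a hardware breakpoint set anywhere and the handler takes the detection branch on the first planted exception; run it without one and the three faults are silently absorbed. The point for defenders is the same one the article makes: an emulator or sandbox that does not deliver EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION to a registered VEH exactly as Windows would never reaches the payload stage.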

The change fits a wider trend of threat actors actively refining their evasion tactics. GootBot, a recently observed variant of GootLoader, is a case in point: its operators deployed custom-built bots in the later stages of an intrusion to slip past detection mechanisms and speed up the malware's spread through the network.

Another example is the WailingCrab malware loader, which used shipping-themed email lures to get past security checks before compromising targeted systems.

In conclusion, GuLoader remains one of the most formidable threats in the landscape. Its combination of sandbox-evasion techniques, heavy code obfuscation and multiple layers of encryption has allowed it to slip past conventional antivirus products.

Although the malware's core capability has stayed relatively consistent over the years, the continuous upgrades to its obfuscation show that GuLoader is a dynamic and evolving threat.

As organisations respond to this latest anti-analysis tactic, defenders should deploy updated YARA rules to keep their detection capabilities ahead of the evolving malware. Vigilance and adaptability on the part of organisations and users remain crucial in fending off sophisticated cyber threats.
