Security experts have unmasked a new trick adopted by the GULOADER malware to evade detection by antivirus software. The highly evasive shellcode downloader malware, which typically spreads through emails bearing ZIP archives or links containing a VBScript file, has been found leveraging Vectored Exception Handler (VEH) capability to make analysis challenging.

More in detail

According to Elastic Security Labs, the technique abuses a legitimate Windows error-handling feature, Vectored Exception Handling, to hide the loader's control flow from analysts and automated tools.
  • GULOADER starts this process by adding the VEH using ‘RtlAddVectoredExceptionHandler,’ allowing the malware to intercept and handle exceptions during program execution. 
  • When these exceptions are triggered, the VEH checks for hardware breakpoints and subsequently deploys malicious payloads in the final stage.

Researchers note that while the technique is not new, the malware continues to add new exception types over time as part of its anti-analysis tactics. Two of these, EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION, were added to the malware in the last few months.
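The following is an added triage example and is not code from Cyware or Elastic Security Labs, nor one of Elastic's YARA rules. It scans a file image for the two indicators this article describes: a reference to the VEH registration API (RtlAddVectoredExceptionHandler, or the kernel32 wrapper AddVectoredExceptionHandler, in ASCII or UTF-16LE) and the raw NTSTATUS values of the exception codes a VEH-based anti-analysis handler filters on, including the two named above. The exception-code constants are the standard Windows SDK values; the sample bytes are constructed for the demonstration and are not a real GULOADER sample.

```python
import re
import struct

# NTSTATUS values from the Windows SDK. The first two are the codes the
# article names; the rest are the debugger-related codes a VEH-based
# anti-analysis handler commonly intercepts as well.
EXCEPTION_CODES = {
    "EXCEPTION_PRIV_INSTRUCTION": 0xC0000096,
    "EXCEPTION_ILLEGAL_INSTRUCTION": 0xC000001D,
    "EXCEPTION_ACCESS_VIOLATION": 0xC0000005,
    "EXCEPTION_BREAKPOINT": 0x80000003,
    "EXCEPTION_SINGLE_STEP": 0x80000004,
}


def _wide(s: str) -> bytes:
    """Regex-escaped UTF-16LE form of an ASCII string."""
    return re.escape(s.encode("utf-16-le"))


# One optional-prefix pattern per encoding, so "RtlAddVectoredExceptionHandler"
# is reported once rather than also as an embedded "AddVectoredExceptionHandler".
API_RE_ASCII = re.compile(rb"(?:Rtl)?AddVectoredExceptionHandler")
API_RE_WIDE = re.compile(b"(?:" + _wide("Rtl") + b")?" + _wide("AddVectoredExceptionHandler"))


def find_veh_api_references(data: bytes) -> dict:
    """Return {api_name: [(offset, codec), ...]} for ASCII and UTF-16LE hits."""
    hits = {}
    for codec, regex in (("ascii", API_RE_ASCII), ("utf-16-le", API_RE_WIDE)):
        for m in regex.finditer(data):
            hits.setdefault(m.group(0).decode(codec), []).append((m.start(), codec))
    return hits


def find_exception_codes(data: bytes) -> dict:
    """Return {exception_name: [offsets]} for each code found as a 4-byte
    little-endian immediate, e.g. the operand of `cmp eax, 0xC0000096`."""
    hits = {}
    for name, code in EXCEPTION_CODES.items():
        needle = re.escape(struct.pack("<I", code))
        offsets = [m.start() for m in re.finditer(needle, data)]
        if offsets:
            hits[name] = offsets
    return hits


def triage(data: bytes) -> dict:
    """Flag a file as 'suspicious' only when both indicator classes co-occur;
    either one alone is common in benign software (crash reporters, runtimes)."""
    apis = find_veh_api_references(data)
    codes = find_exception_codes(data)
    verdict = "suspicious" if apis and codes else "clean"
    return {"apis": apis, "exception_codes": codes, "verdict": verdict}


# Constructed sample (not a real binary): an ASCII import name, two x86
# `cmp eax, imm32` sequences (opcode 0x3D) carrying the two NTSTATUS codes
# from the article, and a UTF-16LE copy of the kernel32 wrapper's name.
SAMPLE_SUSPICIOUS = (
    b"\x00" * 16
    + b"RtlAddVectoredExceptionHandler\x00"
    + b"\x3d" + struct.pack("<I", EXCEPTION_CODES["EXCEPTION_PRIV_INSTRUCTION"])
    + b"\x90" * 4
    + b"\x3d" + struct.pack("<I", EXCEPTION_CODES["EXCEPTION_ILLEGAL_INSTRUCTION"])
    + "AddVectoredExceptionHandler".encode("utf-16-le")
    + b"\x00" * 16
)

# Constructed benign-looking sample with ordinary imports and no exception codes.
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"GetProcAddress\x00LoadLibraryA\x00" + b"\xcc" * 8


if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

The co-occurrence rule is deliberate: plenty of legitimate programs register a vectored handler, so the API reference on its own is a weak signal, and the raw NTSTATUS immediates only become interesting next to it. Hits are reported with offsets so an analyst can pivot straight to the handler code in a disassembler; the packed or encrypted layers the article mentions mean this check is for unpacked or memory-dumped images, not the initial VBScript or ZIP lure.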

More threat actors working on evasion tactics
  • The development comes days after researchers discovered a new variant of GootLoader, named GootBot, using custom-built bots in the late stage of the attack to avoid detection. This allowed the attackers to rapidly spread the malware throughout the network and deploy further payloads. 
  • In another instance, a malware loader known as WailingCrab used shipping-themed email messages to bypass security checks before being deployed onto the victims’ systems.
Conclusion

GULOADER employs a variety of sandbox evasion techniques, code obfuscation, and multiple layers of encryption to counteract antivirus products. While the core functionality of the malware has not changed drastically over the past few years, the updates in its obfuscation techniques indicate that GULOADER is under constant development. To counter this latest evasion tactic, organizations can use the latest YARA rules from Elastic Security to detect the malware.
Cyware Publisher