
GuLoader Uses New Anti-Analysis Techniques to Evade Security Software

GuLoader (aka CloudEyE) is a shellcode-based malware downloader whose operators keep experimenting with anti-analysis techniques. Its latest samples add a new shellcode-level anti-analysis check whose purpose is to stop the malware from executing inside virtualized environments.

What’s new?

CrowdStrike researchers mapped every DJB2 hash embedded in the new sample to the API it resolves to, and found that the sample uses an updated delivery chain and a polymorphic shellcode loader built to slip past traditional security products.
  • Infection is a three-stage process: a VBScript delivers a second-stage packed payload.
  • That payload runs anti-analysis checks before injecting the shellcode embedded in the VBScript into memory.
  • The same unpack, check and inject cycle repeats at each stage until the final payload is dropped.
  • The final payload delivers additional RATs, such as Remcos, to the infected machine.
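The hash-mapping step described above, done the way an analyst does it on a decoded loader blob: hash a list of candidate export names, then slide a 4-byte window over the blob and report every dword that matches. This is an added example, not CrowdStrike's tooling or GuLoader's code. It assumes the classic DJB2 routine (seed 5381, multiplier 33, 32-bit truncation); the sample's loader may use a different seed or a variant, which is why `seed` is a parameter. `CANDIDATE_APIS` and the bytes returned by `constructed_blob()` are constructed stand-ins, not data taken from the sample.

```python
import struct

# Classic DJB2 (Bernstein): h = h * 33 + c, kept to 32 bits. The page says GuLoader
# hashes API names with DJB2; that it uses exactly this seed and multiplier is an
# assumption, so both can be overridden when the real loader disagrees.
def djb2(name, seed=5381):
    h = seed
    for c in name:
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h

# Constructed candidate list. Real analysis feeds in every export of ntdll.dll,
# kernel32.dll, user32.dll, ... (e.g. parsed with pefile) so no hash goes unresolved.
CANDIDATE_APIS = [
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtCreateThreadEx", "NtResumeThread", "VirtualAlloc", "VirtualProtect",
    "CreateProcessW", "ResumeThread", "GetThreadContext", "SetThreadContext",
    "LoadLibraryA", "GetProcAddress", "Sleep", "ExitProcess",
]

def build_hash_table(names, seed=5381):
    """hash -> export name; refuse to continue on a collision, which would
    otherwise silently mislabel an API."""
    table = {}
    for n in names:
        h = djb2(n.encode("ascii"), seed)
        if h in table and table[h] != n:
            raise ValueError("hash collision: %s / %s" % (table[h], n))
        table[h] = n
    return table

def resolve_hashes(blob, table):
    """Slide a 4-byte little-endian window over the blob at every offset (the
    hashes sit as x86 immediates, so they are not necessarily aligned) and
    return (offset, hash, name) for each known hash."""
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits.append((off, val, table[val]))
    return hits

def constructed_blob():
    """Constructed stand-in for a decoded loader: a few real x86 opcodes with API
    hashes as push imm32 operands, plus one hash the table does not know."""
    parts = [
        b"\x55\x8b\xec",                                                  # push ebp; mov ebp, esp
        b"\x68" + struct.pack("<I", djb2(b"NtAllocateVirtualMemory")),    # push imm32
        b"\x68" + struct.pack("<I", djb2(b"NtProtectVirtualMemory")),
        b"\x68" + struct.pack("<I", djb2(b"CreateProcessW")),
        b"\x68" + struct.pack("<I", 0xDEADBEEF),                          # unknown hash, left unresolved
        b"\xc9\xc3",                                                      # leave; ret
    ]
    return b"".join(parts)

def resolved_api_names(blob=None, seed=5381):
    """Names of every resolvable API in the blob, in the order they appear."""
    blob = constructed_blob() if blob is None else blob
    table = build_hash_table(CANDIDATE_APIS, seed)
    return [name for _, _, name in resolve_hashes(blob, table)]

if __name__ == "__main__":
    for off, val, name in resolve_hashes(constructed_blob(), build_hash_table(CANDIDATE_APIS)):
        print("+0x%04x  0x%08x  %s" % (off, val, name))
```

If a run against a real blob resolves almost nothing, the usual causes are a non-default seed or multiplier, a different hash altogether, or the hashes being stored obfuscated (XORed or added to a constant) and only decoded at runtime; in that case recover the routine from the loader's resolver stub and adjust `djb2` to match before trusting the table.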

The malware payload also scans its entire process memory for strings associated with virtual machines, so that it can recognise, and refuse to run in, the virtualized environments that researchers and sandboxes depend on.

Redundant code injection mechanism

The researchers also observed a new redundant code injection mechanism that takes over when the primary injection technique fails.
  • The new variants use it to get around the hooks that endpoint detection and response (EDR) products place on NTDLL.dll functions; these are user-mode hooks, which a loader can sidestep by reaching the underlying function through its own inline assembly.
  • It guarantees execution by using inline assembly to invoke the Windows API function needed to allocate memory, then places arbitrary shellcode in that allocation via process hollowing.

Conclusion

GuLoader's multistage deployment brings together a wide range of anti-analysis and evasion techniques, and its steady adoption of new ways to avoid detection keeps it a threat worth tracking for some time to come.
Publisher: Cyware