Cybersecurity researchers have uncovered all kinds of methods adopted by a complicated malware downloader known as GuLoader to evade safety software program.
“New shellcode anti-analysis approach makes an attempt to thwart researchers and hostile environments by scanning whole course of reminiscence for any digital machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri stated in a technical write-up printed final week.
GuLoader, additionally known as CloudEyE, is a Visible Primary Script (VBS) downloader that is used to distribute distant entry trojans resembling Remcos on contaminated machines. It was first detected within the wild in 2019.
In November 2021, a JavaScript malware pressure dubbed RATDispenser emerged as a conduit for dropping GuLoader via a Base64-encoded VBScript dropper.
A latest GuLoader pattern unearthed by CrowdStrike displays a three-stage course of whereby the VBScript is designed to ship a next-stage that performs anti-analysis checks earlier than injecting shellcode embedded throughout the VBScript into reminiscence.
The shellcode, in addition to incorporating the identical anti-analysis strategies, downloads a closing payload of the attacker’s alternative from a distant server and executes it on the compromised host.
“The shellcode employs a number of anti-analysis and anti-debugging methods at each step of execution, throwing an error message if the shellcode detects any recognized evaluation of debugging mechanisms,” the researchers identified.
This consists of anti-debugging and anti-disassembling checks to detect the presence of a distant debugger and breakpoints, and if discovered, terminate the shellcode. The shellcode additionally options scans for virtualization software program.
An added functionality is what the cybersecurity firm calls a “redundant code injection mechanism” to keep away from NTDLL.dll hooks applied by endpoint detection and response (EDR) options.
NTDLL.dll API hooking is a method utilized by anti-malware engines to detect and flag suspicious processes on Home windows by monitoring the APIs which can be recognized to be abused by risk actors.
In a nutshell, the strategy includes utilizing meeting directions to invoke the mandatory home windows API operate to allocate reminiscence (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into that location through course of hollowing.
The findings from CrowdStrike additionally come as cybersecurity agency Cymulate demonstrated an EDR bypass approach often known as Blindside that permits for operating arbitrary code through the use of {hardware} breakpoints to create a “course of with solely the NTDLL in a stand-alone, unhooked state.”
“GuLoader stays a harmful risk that is been consistently evolving with new strategies to evade detection,” the researchers concluded.