Cybersecurity researchers have uncovered all kinds of strategies adopted by a sophisticated malware downloader known as GuLoader to evade safety software program.
“New shellcode anti-analysis approach makes an attempt to thwart researchers and hostile environments by scanning complete course of reminiscence for any digital machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri stated in a technical write-up printed final week.
GuLoader, additionally known as CloudEyE, is a Visible Fundamental Script (VBS) downloader that is used to distribute distant entry trojans on contaminated machines. It was first detected within the wild in 2019.
In November 2021, a JavaScript malware pressure dubbed RATDispenser emerged as a conduit for dropping GuLoader via a Base64-encoded VBScript dropper.
A latest GuLoader pattern unearthed by CrowdStrike reveals a three-stage course of whereby the VBScript is designed to ship a next-stage that performs anti-analysis checks earlier than injecting shellcode embedded inside the VBScript into reminiscence.
The shellcode, moreover incorporating the identical anti-analysis strategies, downloads a closing payload of the attacker’s selection from a distant server and executes it on the compromised host.
“The shellcode employs a number of anti-analysis and anti-debugging methods at each step of execution, throwing an error message if the shellcode detects any recognized evaluation of debugging mechanisms,” the researchers identified.
This contains anti-debugging and anti-disassembling checks to detect the presence of a distant debugger and breakpoints, and if discovered, terminate the shellcode. The shellcode additionally options scans for virtualization software program.
An added functionality is what the cybersecurity firm calls a “redundant code injection mechanism” to keep away from NTDLL.dll hooks carried out by endpoint detection and response (EDR) options.
NTDLL.dll API hooking is a approach used by anti-malware engines to detect and flag suspicious processes on Home windows by monitoring the APIs which might be recognized to be abused by risk actors.
In a nutshell, the tactic entails utilizing meeting directions to invoke the mandatory home windows API perform to allocate reminiscence (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into reminiscence by way of course of hollowing.
The findings from CrowdStrike additionally come as cybersecurity agency Cymulate demonstrated an EDR bypass approach often known as Blindside that enables for working arbitrary code by utilizing {hardware} breakpoints to create a “course of with solely the NTDLL in a stand-alone, unhooked state.”
“GuLoader stays a harmful risk that is been continuously evolving with new strategies to evade detection,” the researchers concluded.