GuLoader Malware Using New Strategies to Evade Safety Software program

Dec 26, 2022Ravie LakshmananReverse Engineering

Cybersecurity researchers have uncovered all kinds of methods adopted by a sophisticated malware downloader referred to as GuLoader to evade safety software program.

“New shellcode anti-analysis method makes an attempt to thwart researchers and hostile environments by scanning whole course of reminiscence for any digital machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up revealed final week.

GuLoader, additionally referred to as CloudEyE, is a Visible Fundamental Script (VBS) downloader that is used to distribute distant entry trojans on contaminated machines. It was first detected within the wild in 2019.

In November 2021, a JavaScript malware pressure dubbed RATDispenser emerged as a conduit for dropping GuLoader via a Base64-encoded VBScript dropper.


A latest GuLoader pattern unearthed by CrowdStrike displays a three-stage course of whereby the VBScript is designed to ship a next-stage that performs anti-analysis checks earlier than injecting shellcode embedded inside the VBScript into reminiscence.

The shellcode, apart from incorporating the identical anti-analysis strategies, downloads a last payload of the attacker’s alternative from a distant server and executes it on the compromised host.

“The shellcode employs a number of anti-analysis and anti-debugging methods at each step of execution, throwing an error message if the shellcode detects any identified evaluation of debugging mechanisms,” the researchers identified.

This contains anti-debugging and anti-disassembling checks to detect the presence of a distant debugger and breakpoints, and if discovered, terminate the shellcode. The shellcode additionally options scans for virtualization software program.

An added functionality is what the cybersecurity firm calls a “redundant code injection mechanism” to keep away from NTDLL.dll hooks carried out by endpoint detection and response (EDR) options.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Home windows by monitoring the APIs which might be identified to be abused by menace actors.

In a nutshell, the tactic entails utilizing meeting directions to invoke the mandatory home windows API operate to allocate reminiscence (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into reminiscence by way of process hollowing.

The findings from CrowdStrike additionally come as cybersecurity agency Cymulate demonstrated an EDR bypass method referred to as Blindside that permits for operating arbitrary code through the use of {hardware} breakpoints to create a “course of with solely the NTDLL in a stand-alone, unhooked state.”

“GuLoader stays a harmful menace that is been continually evolving with new strategies to evade detection,” the researchers concluded.

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.