
Cybersecurity researchers have uncovered a wide variety of techniques adopted by an advanced malware downloader known as GuLoader to evade security software.
"New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.
GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that is used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.
In November 2021, a JavaScript malware strain dubbed RATDispenser emerged as a conduit for dropping GuLoader via a Base64-encoded VBScript dropper.
A recent GuLoader sample unearthed by CrowdStrike exhibits a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.
The shellcode, besides incorporating the same anti-analysis methods, downloads a final payload of the attacker's choice from a remote server and executes it on the compromised host.
"The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis or debugging mechanisms," the researchers pointed out.
This includes anti-debugging and anti-disassembling checks to detect the presence of a remote debugger and breakpoints, and if found, terminate the shellcode. The shellcode also features scans for virtualization software.
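To see what a whole-process-memory scan for VM-related strings would turn up in a sandbox, here is an added analyst-side example (not code from the article or from CrowdStrike) that searches a constructed memory image for common virtualization artifacts in both ASCII and UTF-16LE form; the artifact list is an assumption, since the article does not give GuLoader's actual list.

```python
import re

# Assumed list of VM-related strings an anti-VM check typically looks for, mapped to the
# virtualization vendor they reveal. The article does not publish GuLoader's real list.
VM_ARTIFACTS = {
    "VMware": "VMware",
    "vmtoolsd": "VMware",
    "VBoxGuest": "VirtualBox",
    "VBoxService": "VirtualBox",
    "QEMU": "QEMU",
    "Hyper-V": "Hyper-V",
}


def scan_memory_for_vm_strings(memory: bytes):
    """Return sorted (offset, encoding, artifact, vendor) tuples for every hit.

    Windows process memory holds paths and device names as both narrow (ASCII) and
    wide (UTF-16LE) strings, so each artifact is searched for in both encodings.
    """
    hits = []
    for needle, vendor in VM_ARTIFACTS.items():
        for enc_name, pattern in (("ascii", needle.encode("ascii")),
                                  ("utf-16le", needle.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pattern), memory):
                hits.append((m.start(), enc_name, needle, vendor))
    return sorted(hits)


def vendors_detected(memory: bytes):
    """Distinct virtualization vendors whose artifacts appear in the image."""
    return sorted({vendor for _, _, _, vendor in scan_memory_for_vm_strings(memory)})


# Constructed memory image: an ordinary narrow DLL path, a wide-string VMware Tools path,
# and a narrow VirtualBox guest device name, padded with zero bytes.
SAMPLE_MEMORY = (
    b"C:\\Windows\\System32\\ntdll.dll\x00"
    + "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe".encode("utf-16-le")
    + b"\x00\x00"
    + b"\\\\.\\VBoxGuest\x00"
    + b"\x00" * 64
)

if __name__ == "__main__":
    for offset, enc, artifact, vendor in scan_memory_for_vm_strings(SAMPLE_MEMORY):
        print(f"0x{offset:06x} {enc:8} {artifact:12} -> {vendor}")
```

Running it against a real sandbox (for example over a minidump of the analysis process) shows which guest-tools paths, driver names and service names the sandbox exposes to a check like GuLoader's, so they can be renamed or masked.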
An added capability is what the cybersecurity company calls a "redundant code injection mechanism" to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.
NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring the APIs that are known to be abused by threat actors.
In a nutshell, the method involves using assembly instructions to invoke the necessary Windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into memory via process hollowing.
The findings from CrowdStrike also come as cybersecurity firm Cymulate demonstrated an EDR bypass technique called Blindside that allows for running arbitrary code by using hardware breakpoints to create a "process with only the NTDLL in a stand-alone, unhooked state."
"GuLoader remains a dangerous threat that's been constantly evolving with new methods to evade detection," the researchers concluded.