The content material of this put up is solely the accountability of the creator. AT&T doesn’t undertake or endorse any of the views, positions, or info supplied by the creator on this article.
This weblog was collectively authored with Arjun Patel.
GuLoader is a malware downloader that’s primarily used for distributing different shellcode and malware comparable to ransomware and banking Trojans. It was first found within the wild in late 2019 and has since turn out to be a preferred alternative amongst cybercriminals because of its effectiveness and ease of use. Researchers at cybersecurity agency CrowdStrike have lately revealed a technical write-up detailing the assorted strategies utilized by GuLoader to keep away from detection.
One of many key options of GuLoader is its means to evade detection by conventional safety options. It makes use of a number of strategies to keep away from being detected, together with packing and encryption, in addition to using respectable web sites and companies as command and management (C2) servers. It additionally employs superior anti-debugging and anti-analysis strategies, which makes it troublesome for safety researchers to reverse engineer and analyze its code.
GuLoader is often unfold by means of phishing campaigns, the place victims are tricked into downloading and putting in the malware by means of emails or hyperlinks containing a Visible Primary script file. It can be distributed by means of different means, comparable to drive-by downloads, the place the malware is delivered to a sufferer’s pc by means of an internet browser with out the sufferer’s data.
GuLoader makes use of a three-stage course of to ship the ultimate payload to the contaminated host. In the course of the first stage, the VBScript dropper file will get downloaded right into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks earlier than injecting shellcode into reminiscence.
If these checks are profitable, the shellcode then downloads the ultimate payload from a distant server and executes it on the compromised host. The shellcode incorporates numerous anti-analysis and anti-debugging measures, together with checks for the presence of a distant debugger and breakpoints, scans for virtualization software program, and using a “redundant code injection mechanism” to keep away from NTDLL.dll hooks carried out by endpoint detection and response (EDR) options.
*encrypted ultimate payload
NTDLL.dll API hooking is a way utilized by anti-malware engines to detect and flag suspicious processes on Home windows by monitoring APIs which can be recognized to be abused by menace actors. The strategy includes utilizing meeting directions to invoke the required Home windows API perform to allocate reminiscence and inject arbitrary shellcode into that location through course of hollowing. GuLoader’s “redundant code injection mechanism” is designed to keep away from these NTDLL.dll hooks, making it harder for EDR options to detect and flag the malware.
One of many ways in which GuLoader evades detection is thru its use of respectable web sites and companies comparable to C2 servers. Because of this it makes use of web sites that aren’t recognized to be malicious as a way of speaking with its command-and-control (C2) middle. This may make it troublesome for safety researchers to determine the C2 servers being utilized by the malware, as they aren’t usually flagged as malicious.
Along with its superior evasion strategies, GuLoader can also be extremely customizable, which permits cybercriminals to tailor the malware to their particular wants. This contains the flexibility to vary the looks of the malware, in addition to its conduct and performance.
Additionally, GuLoader has additionally been noticed utilizing JavaScript malware pressure RATDispenser to drop the malware through a Base64-encoded VBScript dropper. This enables the malware to bypass safety measures and achieve entry to contaminated methods.
About Perimeterwatch
PerimeterWatch offers you whole management and administration over your information. The speed of change on the web, cellular, distributed processing and different applied sciences is- merely staggering. Failing to maintain up can doom even a well-established group, however bringing in these new capabilities with out totally efficient safety procedures and methods can be equally disastrous.
What PerimeterWatch presents is a really safe IT infrastructure. Whether or not meaning a very managed IT and safety perform or co-managing along with your in-house individuals, we present the safety intelligence, the technical experience and the implementation expertise essential to ensure your options resolve your corporation issues – with out merely creating new ones.
