Menace hunters have unmasked the most recent methods adopted by a malware pressure known as GuLoader in an effort to make evaluation more difficult.
“Whereas GuLoader’s core performance hasn’t modified drastically over the previous few years, these fixed updates of their obfuscation strategies make analyzing GuLoader a time-consuming and resource-intensive course of,” Elastic Safety Labs researcher Daniel Stepanic mentioned in a report revealed this week.
First noticed in late 2019, GuLoader (aka CloudEyE) is a sophisticated shellcode-based malware downloader that is used to distribute a variety of payloads, reminiscent of info stealers, whereas incorporating a bevy of refined anti-analysis strategies to dodge conventional safety options.
A regular stream of open-source reporting into the malware in latest months has revealed the risk actors behind it have continued to enhance its means to bypass present or new security measures alongside different carried out options.
GuLoader is often unfold via phishing campaigns, the place victims are tricked into downloading and putting in the malware via emails bearing ZIP archives or hyperlinks containing a Visible Fundamental Script (VBScript) file.
Cracking the Code: Be taught How Cyber Attackers Exploit Human Psychology
Ever questioned why social engineering is so efficient? Dive deep into the psychology of cyber attackers in our upcoming webinar.
Israeli cybersecurity firm Verify Level, in September 2023, revealed that “GuLoader is now offered beneath a brand new title on the identical platform as Remcos and is implicitly promoted as a crypter that makes its payload totally undetectable by antiviruses.”
One of many latest modifications to the malware is an enchancment of an anti-analysis approach first disclosed by CrowdStroke in December 2022 and which is centered round its Vectored Exception Dealing with (VEH) functionality.
It is price mentioning that the mechanism was beforehand detailed by each McAfee Labs and Verify Level in Might 2023, with the previous stating that “GuLoader employs the VEH primarily for obfuscating the execution circulation and to decelerate the evaluation.”
The tactic “consists of breaking the conventional circulation of code execution by intentionally throwing a lot of exceptions and dealing with them in a vector exception handler that transfers management to a dynamically calculated handle,” Verify Level mentioned.
GuLoader is much from the one malware household to have acquired fixed updates. One other notable instance is DarkGate, a distant entry trojan (RAT) that allows attackers to totally compromise sufferer methods.
Offered as malware-as-a-service (MaaS) by an actor generally known as RastaFarEye on underground boards for a month-to-month charge of $15,000, the malware makes use of phishing emails containing hyperlinks to distribute the preliminary an infection vector: a VBScript or Microsoft Software program Installer (MSI) file.
Trellix, which analyzed the most recent model of DarkGate (5.0.19), mentioned it “introduces a brand new execution chain utilizing DLL side-loading and enhanced shellcodes and loaders.” Additional, it comes with a whole rework of the RDP password theft function.
(Supply: Trellix) Overview of the DarkGate v5 multistage set up chain |
“The risk actor has been actively monitoring risk stories to carry out fast modifications thus evading detections,” safety researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas mentioned.
“Its adaptability, the velocity with which it iterates, and the depth of its evasion strategies attest to the sophistication of contemporary malware threats.”
The event comes as distant entry trojans like Agent Tesla and AsyncRAT have been noticed being propagated utilizing novel email-based an infection chains that leverage steganography and unusual file sorts in an try and bypass antivirus detection measures.
It additionally follows a report from the HUMAN Satori Menace Intelligence Staff about how an up to date model of a malware obfuscation engine known as ScrubCrypt (aka BatCloak) is getting used to ship the RedLine stealer malware.
“The brand new ScrubCrypt construct was offered to risk actors on a small handful of darkish net marketplaces, together with Nulled Discussion board, Cracked Discussion board, and Hack Boards,” the corporate mentioned.