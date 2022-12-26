Cyber security researchers have documented the wide variety of techniques that a new variant of the advanced malware downloader GuLoader uses to evade security software (antivirus, anti-malware and endpoint detection products).

What evasion techniques does the GuLoader malware use?

“The new technique [that this malware uses], which evades shellcode analysis, attempts to thwart researchers and hostile environments [for example antivirus] by scanning the entire memory of the process looking for any string related to the virtual machine (VM),” said CrowdStrike researchers Sarang Sonawane and Donato Onofri in an article published last week.

GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader used to deliver remote access Trojans to infected machines; it was first observed in the wild in 2019.

In November 2021, a JavaScript malware loader dubbed RATDispenser emerged as a delivery vehicle for GuLoader, dropping it by means of a Base64-encoded VBScript.

A recent GuLoader sample analysed by CrowdStrike shows a three-stage process: the VBScript delivers a next stage that performs anti-analysis checks before injecting the shellcode embedded in the VBScript into memory.

The shellcode, which carries the same anti-analysis methods, then downloads a payload of the attacker's choice from a remote server and executes it on the compromised device.

“The shellcode employs various anti-analysis and anti-debugging tricks at each stage of execution, throwing an error message if the shellcode detects any known debugging mechanisms“, the researchers stressed.

In practice this means anti-debugging and anti-disassembly checks that look for an attached remote debugger and for breakpoint interrupts patched into the code, terminating the shellcode if either is found; the shellcode also scans for virtualisation software such as Oracle VirtualBox.
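The two checks described above are simple to reproduce. The following C program is an added example written for this page, not code from the GuLoader sample or from the CrowdStrike analysis: it scans a memory region for VM-related strings the way the anti-VM check does, and counts INT3 (0xCC) bytes in a code region the way a software-breakpoint check does. The VM string list, the memory snapshot and the code bytes are all constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strings typical of virtual machines. Constructed for this example;
   real samples carry their own (usually encrypted) list. */
static const char *VM_STRINGS[] = {
    "vmware", "vbox", "virtualbox", "qemu", "xen", "hyper-v", "sandbox"
};
#define VM_STRING_COUNT (sizeof VM_STRINGS / sizeof VM_STRINGS[0])

/* Case-insensitive comparison of n bytes. The memory region can contain any
   byte value, so nothing here relies on NUL termination. */
static int ci_equal(const uint8_t *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Scan a memory region for any VM-related string. Returns the index into
   VM_STRINGS of the first match, or -1 if none. Run over the whole process
   memory, a driver name, a device path or an environment variable left by
   the hypervisor is enough to trip the check. */
int scan_for_vm_strings(const uint8_t *mem, size_t len) {
    for (size_t off = 0; off < len; off++) {
        for (size_t i = 0; i < VM_STRING_COUNT; i++) {
            size_t n = strlen(VM_STRINGS[i]);
            if (off + n <= len && ci_equal(mem + off, VM_STRINGS[i], n))
                return (int)i;
        }
    }
    return -1;
}

/* Count 0xCC (INT3) bytes in a code region. A debugger places a software
   breakpoint by writing 0xCC over an instruction byte, so a count that
   differs from the one computed over the clean code means the code was
   patched. Caveat: 0xCC also occurs legitimately inside immediates and
   addresses, which is why the check compares against a baseline rather
   than treating any 0xCC as proof. */
size_t count_int3(const uint8_t *code, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC) c++;
    return c;
}

/* Combined verdict: 1 if the environment looks hostile, 0 otherwise. */
int environment_looks_hostile(const uint8_t *mem, size_t mem_len,
                              const uint8_t *code, size_t code_len,
                              size_t expected_int3) {
    return scan_for_vm_strings(mem, mem_len) >= 0
        || count_int3(code, code_len) != expected_int3;
}

/* Constructed memory snapshots: a fragment of a path table with embedded
   NUL bytes. The first names a VirtualBox guest driver, the second does not. */
static const uint8_t SAMPLE_MEMORY[] =
    "C:\\Windows\\System32\\drivers\0\0\0VBoxGuest.sys\0\0ntoskrnl.exe";
static const uint8_t BENIGN_MEMORY[] =
    "C:\\Windows\\System32\\drivers\0\0\0e1i65x64.sys\0\0ntoskrnl.exe";

/* Constructed x64 code: mov rax, 1 ; ret */
static const uint8_t CLEAN_CODE[]   = { 0x48,0xC7,0xC0,0x01,0x00,0x00,0x00, 0xC3 };
/* Same bytes after a debugger set a breakpoint on the first instruction. */
static const uint8_t PATCHED_CODE[] = { 0xCC,0xC7,0xC0,0x01,0x00,0x00,0x00, 0xC3 };

int main(void) {
    printf("VM string index in sample memory: %d\n",
           scan_for_vm_strings(SAMPLE_MEMORY, sizeof SAMPLE_MEMORY));
    printf("INT3 count, clean: %zu, patched: %zu\n",
           count_int3(CLEAN_CODE, sizeof CLEAN_CODE),
           count_int3(PATCHED_CODE, sizeof PATCHED_CODE));
    printf("hostile verdict on benign snapshot: %d\n",
           environment_looks_hostile(BENIGN_MEMORY, sizeof BENIGN_MEMORY,
                                     CLEAN_CODE, sizeof CLEAN_CODE, 0));
    return 0;
}
```

For an analyst the practical lesson is the mirror image of the check: a sandbox whose driver names, device paths and environment variables still spell out the hypervisor will be detected by a whole-memory string scan, and software breakpoints placed on the shellcode will be counted, so hardware breakpoints or an emulator-based approach are the safer way to trace it.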

An additional feature of GuLoader, which the cyber security firm documents as a “redundant code injection mechanism”, is designed to evade the NTDLL.dll API hooks installed by Endpoint Detection and Response (EDR) solutions.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious behaviour on Windows: the engine intercepts (hooks) the user-mode API functions that attackers are known to abuse, so that every call through them passes through the monitor first.

Boiled down to the essentials, the method uses raw assembly instructions to invoke the Windows API function needed to allocate memory (for example NtAllocateVirtualMemory) directly, instead of calling the hooked export in NTDLL.dll, and then injects the malicious shellcode into that memory via process hollowing (starting a legitimate process and replacing its code with the attacker's). Because the call never passes through the hooked NTDLL.dll function, the EDR's user-mode monitor never sees it.

The CrowdStrike researchers' findings follow the disclosure by cybersecurity firm Cymulate of an EDR bypass technique known as Blindside, which uses hardware breakpoints to run code in a “process with only the NTDLL in a standalone, unhooked state”.

“GuLoader remains a dangerous threat that has constantly evolved with new methods to evade detection“, concluded the researchers.

What to do if you encounter this cyber threat

As explained above, GuLoader is built to defeat analysis environments and user-mode API hooks, so even well-regarded antivirus and anti-malware products, Malwarebytes included, may fail to detect its early stages.

Everything about this threat (VBScript, NTDLL.dll hooks) is specific to Windows, so it is Windows users who need to pay attention.

The usual rules apply: treat unexpected email attachments and links with suspicion, and be careful on unfamiliar sites where you cannot tell what is being served; unfortunately even legitimate platforms such as GitHub have not proven reliably safe as distribution channels.

One way to look for it yourself is to open the Windows Task Manager and check for abnormal processes to terminate, bearing in mind that because the shellcode is injected into a hollowed legitimate process, the malicious activity will not necessarily show up under a suspicious name; if you are lucky an entry may appear in the Windows uninstall programs menu, but for a loader of this kind that is unlikely.

It should be said that this is malware whose job is to download other malware; those second-stage payloads may well be caught by Windows Defender, but since GuLoader is the head of the chain and is built to hide from detection, it may take the antivirus and anti-malware vendors some time to catch up with its evasion techniques.

At best, restoring Windows to a recent restore point may fix the problem; at worst, if the damage done by the payloads GuLoader delivered cannot be undone, the only reliable remedy is to reinstall the operating system from scratch with a clean install.