The content material of this put up is solely the duty of the writer. AT&T doesn’t undertake or endorse any of the views, positions, or data offered by the writer on this article.
This weblog was collectively authored with Arjun Patel.
GuLoader is a malware downloader that’s primarily used for distributing different shellcode and malware equivalent to ransomware and banking Trojans. It was first found within the wild in late 2019 and has since turn into a well-liked selection amongst cybercriminals as a consequence of its effectiveness and ease of use. Researchers at cybersecurity agency CrowdStrike have just lately revealed a technical write-up detailing the varied methods utilized by GuLoader to keep away from detection.
One of the important thing options of GuLoader is its skill to evade detection by conventional safety options. It makes use of a number of methods to keep away from being detected, together with packing and encryption, in addition to using reputable web sites and providers as command and management (C2) servers. It additionally employs superior anti-debugging and anti-analysis methods, which makes it tough for safety researchers to reverse engineer and analyze its code.
GuLoader is often unfold via phishing campaigns, the place victims are tricked into downloading and putting in the malware via emails or hyperlinks containing a Visual Basic script file. It can be distributed via different means, equivalent to drive-by downloads, the place the malware is delivered to a sufferer’s pc via an internet browser with out the sufferer’s data.
GuLoader makes use of a three-stage course of to ship the ultimate payload to the contaminated host. During the primary stage, the VBScript dropper file will get downloaded right into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks earlier than injecting shellcode into reminiscence.
If these checks are profitable, the shellcode then downloads the ultimate payload from a distant server and executes it on the compromised host. The shellcode incorporates numerous anti-analysis and anti-debugging measures, together with checks for the presence of a distant debugger and breakpoints, scans for virtualization software program, and the usage of a “redundant code injection mechanism” to keep away from NTDLL.dll hooks carried out by endpoint detection and response (EDR) options.
*encrypted last payload
NTDLL.dll API hooking is a method utilized by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs which are identified to be abused by risk actors. The methodology includes utilizing meeting directions to invoke the required Windows API perform to allocate reminiscence and inject arbitrary shellcode into that location through course of hollowing. GuLoader’s “redundant code injection mechanism” is designed to keep away from these NTDLL.dll hooks, making it harder for EDR options to detect and flag the malware.
One of the ways in which GuLoader evades detection is thru its use of reputable web sites and providers equivalent to C2 servers. This signifies that it makes use of web sites that aren’t identified to be malicious as a way of speaking with its command-and-control (C2) middle. This could make it tough for safety researchers to determine the C2 servers being utilized by the malware, as they aren’t usually flagged as malicious.
In addition to its superior evasion methods, GuLoader can be extremely customizable, which permits cybercriminals to tailor the malware to their particular wants. This contains the power to alter the looks of the malware, in addition to its conduct and performance.
Also, GuLoader has additionally been noticed utilizing JavaScript malware pressure RATDispenser to drop the malware through a Base64-encoded VBScript dropper. This permits the malware to bypass safety measures and achieve entry to contaminated techniques.
About Perimeterwatch
PerimeterWatch provides you complete management and administration over your information. The price of change on the web, cellular, distributed processing and different applied sciences is- merely staggering. Failing to maintain up can doom even a well-established group, however bringing in these new capabilities with out totally efficient safety procedures and techniques can be equally disastrous.
What PerimeterWatch presents is a very safe IT infrastructure. Whether meaning a very managed IT and safety perform or co-managing along with your in-house individuals, we present the safety intelligence, the technical experience and the implementation expertise obligatory to verify your options remedy your online business issues – with out merely creating new ones.