Cybersecurity researchers have documented a wide range of techniques used by the sophisticated malware downloader GuLoader to evade security software. GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader employed to deliver remote access trojans to compromised computers. It was first observed in the wild in 2019.
“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Donato Onofri and Sarang Sonawane said in a technical post released last week.
A JavaScript malware variant called RATDispenser, which dropped GuLoader via a Base64-encoded VBScript dropper, first surfaced in November 2021. In a recent GuLoader sample analyzed by CrowdStrike, VBScript forms the second stage of a three-stage process: it carries the shellcode embedded in the script and runs anti-analysis checks on the data before the shellcode is delivered.
In addition to applying the same anti-analysis techniques, the shellcode downloads the attacker’s chosen final payload from a remote server and executes it on the infected host. According to the researchers, the shellcode applies a variety of anti-analysis and anti-debugging checks at every stage of execution and throws an error message if it detects any analysis or debugging tooling.
As part of this, anti-debugging and anti-disassembly checks look for a remote debugger and for breakpoints, and terminate the shellcode if either is present. The shellcode also checks for virtualization software. The cybersecurity firm further describes a “redundant code injection mechanism” whose purpose is to circumvent the NTDLL.dll hooks placed by endpoint detection and response (EDR) solutions.
With the NTDLL.dll API hooking approach, anti-malware engines monitor the APIs known to be abused by threat actors and can thereby identify and report suspicious processes running on Windows. GuLoader’s mechanism sidesteps these hooks by injecting arbitrary shellcode into memory via process hollowing and invoking the relevant NtAllocateVirtualMemory Windows API function directly through assembly instructions.
The CrowdStrike findings coincide with the release of Blindside by cybersecurity company Cymulate, a technique that uses hardware breakpoints to create a process in which only NTDLL is loaded, in a stand-alone, unhooked state. Blindside thereby enables the execution of arbitrary code. The researchers concluded that GuLoader remains a significant threat that is continually evolving with new evasion techniques.