Best Top Reviews Online

Malware GuLoader Using New Methods to Avoid Security Software

Researchers in cyber security have uncovered a vast array of techniques used by the advanced malware downloader GuLoader to circumvent security software.

“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri wrote in a week-old technical paper.

GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader used to distribute Remcos and other remote access trojans on compromised machines. In 2019, it was first discovered in the wild.

In November 2021, RATDispenser, a JavaScript malware strain, emerged as a conduit for distributing GuLoader via a Base64-encoded VBScript dropper.

CrowdStrike has discovered that recent GuLoader samples exhibit a three-stage process in which the VBScript is designed to deliver a subsequent stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.

In addition to incorporating the same anti-analysis techniques, the shellcode downloads and executes a final payload of the attacker’s choosing from a remote server on the compromised host.

“The shellcode employs multiple anti-analysis and anti-debugging techniques at each step of execution, throwing an error message if it detects any known analysis of debugging mechanisms,” the researchers explained.

This includes anti-debugging and anti-disassembling checks to detect the presence of remote debuggers and breakpoints and terminate the shellcode if they are discovered. In addition, the shellcode includes scans for virtualization software.

The added capability is what the cybersecurity company refers to as a “redundant code injection mechanism” to circumvent endpoint detection and response (EDR) solutions’ NTDLL.dll hooks.

Anti-malware engines use NTDLL.dll API hooking to detect and flag suspicious Windows processes by monitoring APIs that are known to be abused by threat actors.

In a nutshell, the method involves invoking the required Windows API function to allocate memory (i.e., NtAllocateVirtualMemory) using assembly instructions and injecting arbitrary shellcode into that location via process hollowing.

CrowdStrike’s findings coincide with a demonstration by the cybersecurity firm Cymulate of an EDR bypass technique called Blindside, which permits the execution of arbitrary code by using hardware breakpoints to create a “process with only the NTDLL in a standalone, unhooked state.”

The researchers concluded, “GuLoader remains a dangerous threat that is constantly evolving with new methods to avoid detection.”

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Apple Introduces A New Security Research Website

October 28, 2022

Apple Security Research is a new website dedicated to improving the methods available to security researchers for reporting issues to Apple. The website provides tools for sending Apple security reports, receiving real-time status updates, and contacting Apple engineers. In addition…

20 Million Users Download Shady Reward Apps From Google Play

January 29, 2023

More than 20 million devices have downloaded a new category of activity-tracking applications from Google Play, Android’s official app store, in recent months. The applications promote themselves as health, pedometer, and good habit-building applications, promising users random rewards for remaining…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of