Researchers in cyber security have uncovered a vast array of techniques used by the advanced malware downloader GuLoader to circumvent security software.
“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri wrote in a week-old technical paper.
GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader used to distribute Remcos and other remote access trojans on compromised machines. In 2019, it was first discovered in the wild.
In November 2021, RATDispenser, a JavaScript malware strain, emerged as a conduit for distributing GuLoader via a Base64-encoded VBScript dropper.
CrowdStrike has discovered that recent GuLoader samples exhibit a three-stage process in which the VBScript is designed to deliver a subsequent stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.
In addition to incorporating the same anti-analysis techniques, the shellcode downloads and executes a final payload of the attacker’s choosing from a remote server on the compromised host.
“The shellcode employs multiple anti-analysis and anti-debugging techniques at each step of execution, throwing an error message if it detects any known analysis of debugging mechanisms,” the researchers explained.
This includes anti-debugging and anti-disassembling checks to detect the presence of remote debuggers and breakpoints and terminate the shellcode if they are discovered. In addition, the shellcode includes scans for virtualization software.
The added capability is what the cybersecurity company refers to as a “redundant code injection mechanism” to circumvent endpoint detection and response (EDR) solutions’ NTDLL.dll hooks.
Anti-malware engines use NTDLL.dll API hooking to detect and flag suspicious Windows processes by monitoring APIs that are known to be abused by threat actors.
In a nutshell, the method involves invoking the required Windows API function to allocate memory (i.e., NtAllocateVirtualMemory) using assembly instructions and injecting arbitrary shellcode into that location via process hollowing.
CrowdStrike’s findings coincide with a demonstration by the cybersecurity firm Cymulate of an EDR bypass technique called Blindside, which permits the execution of arbitrary code by using hardware breakpoints to create a “process with only the NTDLL in a standalone, unhooked state.”
The researchers concluded, “GuLoader remains a dangerous threat that is constantly evolving with new methods to avoid detection.”
