GuLoader – a highly effective and versatile malware that can evade detection

Read Time:4 Minute, 42 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

This blog was jointly authored with Arjun Patel.

GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans. It was first discovered in the wild in late 2019 and has since become a popular choice among cybercriminals due to its effectiveness and ease of use. Researchers at cybersecurity firm CrowdStrike have recently published a technical write-up detailing the various techniques used by GuLoader to avoid detection.

One of the key features of GuLoader is its ability to evade detection by traditional security solutions. It uses several techniques to avoid being detected, including packing and encryption, as well as utilizing legitimate websites and services as command and control (C2) servers. It also employs advanced anti-debugging and anti-analysis techniques, which makes it difficult for security researchers to reverse engineer and analyze its code.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails or links containing a Visual Basic script file. It can also be distributed through other means, such as drive-by downloads, where the malware is delivered to a victim’s computer through a web browser without the victim’s knowledge.

GuLoader utilizes a three-stage process to deliver the final payload to the infected host. During the first stage, the VBScript dropper file gets downloaded into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks before injecting shellcode into memory.

If these checks are successful, the shellcode then downloads the final payload from a remote server and executes it on the compromised host. The shellcode incorporates various anti-analysis and anti-debugging measures, including checks for the presence of a remote debugger and breakpoints, scans for virtualization software, and the use of a “redundant code injection mechanism” to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

*encrypted final payload

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader’s “redundant code injection mechanism” is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware.

One of the ways that GuLoader evades detection is through its use of legitimate websites and services such as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious.

In addition to its advanced evasion techniques, GuLoader is also highly customizable, which allows cybercriminals to tailor the malware to their specific needs. This includes the ability to change the appearance of the malware, as well as its behavior and functionality.

Also, GuLoader has also been observed using JavaScript malware strain RATDispenser to drop the malware via a Base64-encoded VBScript dropper. This allows the malware to bypass security measures and gain access to infected systems.

GuLoader has been used in high-profile attacks, including the Ryuk ransomware attack, which targeted government agencies and other large organizations. It has also been used in attacks on healthcare organizations, as well as in attacks targeting individuals and small businesses.

GuLoader is a highly effective and versatile malware that can evade detection and distribute a wide range of malicious payloads. With its exceptional ability to check for anti-analysis at every step of execution, the malware downloader can constantly bypass security checks and avoid being detected by some of the security solutions. Due to its capability to hide without being detected, it poses a significant threat to all levels of enterprises whether it’s small business or a large enterprise.

It is important for organizations to be vigilant in protecting their systems and data from this type of malware. This can be achieved by implementing a combination of various security tools such as Next Generation Firewall (NGFW), Security Information and Event Management (SIEM) and EDR and best security practices at each layer of the organization’s infrastructure.

*IOC for GuLoader

Sources/Articles

​​https://gbhackers.com/guloader-malware-advanced-anti-analysis/

https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/

https://www.scmagazine.com/brief/malware/security-system-bypass-techniques-added-to-guloader-malware-downloader

https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html

About Perimeterwatch

PerimeterWatch gives you total control and management over your data. The rate of change on the internet, mobile, distributed processing and other technologies is- simply staggering. Failing to keep up can doom even a well-established organization, but bringing in these new capabilities without fully effective security procedures and systems can be equally disastrous.

What PerimeterWatch offers is a truly secure IT infrastructure. Whether that means a completely managed IT and security function or co-managing with your in-house people, we provide the security intelligence, the technical expertise and the implementation experience necessary to make sure your solutions solve your business problems – without simply creating new ones.

www.perimeterwatch.com

Read More

Defending against attacks on Azure AD: Goodbye firewall, hello identity protection

Read Time:39 Second

Not too long ago, guarding access to the network was the focal point of defense for security teams. Powerful firewalls ensured that attackers were blocked on the outside while on the inside things might get “squishy,” allowing users fairly free rein within. Those firewalls were the ultimate defense—no one undesirable got access.

Until they did. With the advent of cloud computing, the edge of a network is no longer protected by a firewall. In fact, the network no longer has an edge: in our work-from-anywhere environment in which any data center is now a boundary, we can no longer rely on traditional protection mechanisms. Security has become more about protecting identity rather than the network itself.

To read this article in full, please click here

Read More

php-8.1.16-1.fc36

Read Time:23 Second

FEDORA-2023-d12ff09d38

Packages in this update:

php-8.1.16-1.fc36

Update description:

PHP version 8.1.16 (14 Feb 2023)

Core:

Fixed bug php#81744 (Password_verify() always return true with some hash). (CVE-2023-0567). (Tim Düsterhus)
Fixed bug php#81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568). (Niels Dossche)
Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662) (Jakub Zelenka)

Read More

php-8.1.16-1.fc37

Read Time:23 Second

FEDORA-2023-452714dbc6

Packages in this update:

php-8.1.16-1.fc37

Update description:

PHP version 8.1.16 (14 Feb 2023)

Core:

Fixed bug php#81744 (Password_verify() always return true with some hash). (CVE-2023-0567). (Tim Düsterhus)
Fixed bug php#81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568). (Niels Dossche)
Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662) (Jakub Zelenka)

Read More

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution.

Read Time:1 Minute, 5 Second

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe After Effects is a digital visual effects, motion graphics, and compositing application
Adobe Connect is a suite of software for remote training, web conferencing, presentation, and desktop sharing.
Adobe FrameMaker is a document processor designed for writing and editing large or complex documents, including structured documents.
Adobe Bridge is a free digital asset management app.
Adobe Photoshop is a raster graphics editor
Adobe InDesign is a desktop publishing and page layout designing software.
Adobe Premiere Rush is a free mobile and desktop video editing software.
Adobe Animate is a multimedia authoring and computer animation program.
Adobe Substance 3D Stager is a state-of-the-art staging tool to create 3D scenes with real-time 3D visualization and high-quality renders.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

Read More