Cybersecurity researchers have detailed new evasion techniques adopted by GuLoader, an advanced malware downloader.
GuLoader malware
GuLoader is a first-stage trojan designed to infect a system and drop a final payload, typically another trojan or a RAT. Once the malware makes its way onto the victim's system, it attempts to establish a remote connection and download a malicious executable.
GuLoader first appeared on the threat landscape in 2019; threat actors have used it to download multiple remote access trojans (RATs) such as AgentTesla, Formbook, Nanocore, NETWIRE and the Parallax RAT.
- The first stage uses a VBS dropper file to write a second-stage packed payload into a registry key. It then uses a PowerShell script to read the second-stage payload back from the registry key and unpack and execute it in memory.
- The second-stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., ieinstal.exe) and injects the same shellcode into the new process.
- The third stage repeats all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim's machine.
The method uses assembly instructions to invoke the necessary Windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and injects arbitrary shellcode into that memory via process hollowing.
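The staging chain above (script host running the VBS dropper, PowerShell reading the packed payload back out of the registry, then a freshly created process such as ieinstal.exe receiving the shellcode) is visible in process-creation telemetry. The following detection logic is an added example written for this page, not code from the researchers who analysed GuLoader; it assumes Sysmon-style event fields, uses constructed sample events, and treats ieinstal.exe as the hollowing target only because the article names it as an example.

```python
import re

# Process-creation events in a Sysmon EventID 1 style. These are constructed
# sample records for this example, not telemetry from a real GuLoader infection.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c $d=(Get-ItemProperty HKCU:\Software\Stage).Data"},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Internet Explorer\ieinstal.exe",
     "cmd": "ieinstal.exe"},
    # Benign: an admin PowerShell session that launches ieinstal.exe without any registry read.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile"},
    {"pid": 600, "ppid": 500, "image": r"C:\Program Files\Internet Explorer\ieinstal.exe",
     "cmd": "ieinstal.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # stage 1: the VBS dropper runs here
# Stage 3 host: the article names ieinstal.exe as an example; extend this set as needed (assumption).
HOLLOW_TARGETS = {"ieinstal.exe"}
# Stage 2: PowerShell pulling the packed payload back out of the registry.
REGISTRY_READ = re.compile(r"Get-ItemProperty|GetValue\s*\(|HKCU:|HKLM:|HKEY_", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_guloader_chains(events):
    """Return (stage1_pid, stage2_pid, stage3_pid) for every ancestry matching
    script host -> PowerShell with a registry read -> hollowing target."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for stage3 in events:
        if basename(stage3["image"]) not in HOLLOW_TARGETS:
            continue
        stage2 = by_pid.get(stage3["ppid"])
        if not stage2 or basename(stage2["image"]) != "powershell.exe":
            continue
        if not REGISTRY_READ.search(stage2["cmd"]):
            continue  # PowerShell that never read a registry value is not this chain
        stage1 = by_pid.get(stage2["ppid"])
        if not stage1 or basename(stage1["image"]) not in SCRIPT_HOSTS:
            continue
        hits.append((stage1["pid"], stage2["pid"], stage3["pid"]))
    return hits
```

Run against the sample events it reports only the wscript → powershell → ieinstal chain (pids 200, 300, 400) and ignores the benign PowerShell session that also spawned ieinstal.exe.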
IOCs
f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f