GuLoader Malware Utilizing New Techniques to Evade Security Software



Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.

GuLoader malware

GuLoader is a first-stage trojan (a downloader) designed to infect a system and drop a final payload, typically another trojan or a remote access trojan (RAT). Once it is running on the victim's system, it establishes a connection to a remote server and downloads the malicious executable it was built to deliver.

GuLoader first appeared on the threat landscape in 2019. Threat actors have used it to download multiple remote access trojans (RATs), including AgentTesla, Formbook, Nanocore, NETWIRE and the Parallax RAT.

  • The first stage uses a VBS dropper file to write a packed second-stage payload into a registry key. It then uses a PowerShell script to read the second-stage payload back from that registry key and unpack and execute it in memory. 
  • The second stage performs all of the anti-analysis routines (described below), creates a Windows process (e.g., ieinstal.exe) and injects the same shellcode into the new process.
  • The third stage repeats all of the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim's machine.

The injection routine uses hand-written assembly instructions to call the required Windows native API function directly (i.e., NtAllocateVirtualMemory) to allocate memory in the target process, and then writes arbitrary shellcode into that memory via process hollowing. Calling the Nt* function directly rather than the higher-level Win32 wrapper (VirtualAllocEx) is what lets the loader sidestep security software that only hooks the Win32 layer.
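The three-stage chain above leaves a recognisable footprint in endpoint telemetry even when the shellcode itself is never written to disk: a script host (wscript.exe) writing a payload-sized value into the registry, that script host spawning PowerShell, a PowerShell command line that reads the registry and decodes something in memory, and PowerShell opening a freshly created process (e.g., ieinstal.exe) with write rights. The following Python is an added example, not code from the original article or from any vendor, that expresses those stages as hunting heuristics over simplified Sysmon-style records (Event ID 1 process create, 10 process access, 13 registry value set). The event records, the field names, the 1024-byte blob threshold and the command-line markers are all assumptions for the demo; map them onto your own telemetry schema before use.

```python
"""Hunting heuristics for the GuLoader execution chain (added example)."""
import re
from collections import defaultdict

PS_RE = re.compile(r"\\powershell(_ise)?\.exe$", re.I)
SCRIPT_HOST_RE = re.compile(r"\\[wc]script\.exe$", re.I)
IEINSTAL_RE = re.compile(r"\\ieinstal\.exe$", re.I)
# Command-line markers: a registry read plus an in-memory decode/execute step.
REG_READ_RE = re.compile(r"Get-ItemProperty|\.GetValue\(|HKCU:|HKEY_CURRENT_USER", re.I)
INMEM_RE = re.compile(r"FromBase64String|VirtualAlloc|Invoke-Expression|\biex\b", re.I)
BLOB_MIN_LEN = 1024  # assumed threshold: a payload-sized string written to one value

# Rights an injector needs on the target handle (winnt.h process access masks).
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020


def grants_write_access(granted_access: str) -> bool:
    """True if a Sysmon GrantedAccess mask (hex string) allows writing into the target."""
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return (int(granted_access, 16) & need) == need


def detect(events):
    """Return (host, rule) pairs for every event that matches a stage heuristic."""
    hits = []
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 1:  # process create
            if PS_RE.search(e["image"]) and SCRIPT_HOST_RE.search(e["parent"]):
                hits.append((host, "stage1_script_host_spawns_powershell"))
            if PS_RE.search(e["image"]) and REG_READ_RE.search(e["cmdline"]) \
                    and INMEM_RE.search(e["cmdline"]):
                hits.append((host, "stage1_powershell_unpacks_payload_from_registry"))
            if IEINSTAL_RE.search(e["image"]) and PS_RE.search(e["parent"]):
                hits.append((host, "stage2_powershell_spawns_ieinstal"))
        elif eid == 10:  # process access
            if PS_RE.search(e["source"]) and grants_write_access(e["granted"]):
                hits.append((host, "stage2_powershell_opens_process_with_write_rights"))
        elif eid == 13:  # registry value set
            if SCRIPT_HOST_RE.search(e["image"]) and len(e["details"]) >= BLOB_MIN_LEN:
                hits.append((host, "stage1_script_host_writes_large_registry_blob"))
    return hits


def score_hosts(events):
    """Group rule hits per host; several distinct stages on one host is the strong signal."""
    by_host = defaultdict(set)
    for host, rule in detect(events):
        by_host[host].add(rule)
    return {h: sorted(rules) for h, rules in by_host.items()}


# Constructed sample telemetry (not real events): host A is benign, host B walks the chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
IEINSTAL = r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"

SAMPLE_EVENTS = [
    # Host A: ordinary admin use, should produce no hits.
    {"host": "A", "id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile Get-Service"},
    {"host": "A", "id": 13, "image": r"C:\Windows\regedit.exe",
     "target": r"HKU\S-1-5-21-1\Software\Vendor\Flag", "details": "DWORD (0x00000001)"},
    # Host B, stage 1: the VBS dropper parks a payload-sized string under HKCU ...
    {"host": "B", "id": 13, "image": WSCRIPT,
     "target": r"HKU\S-1-5-21-2\Software\Example\Data", "details": "TVqQAAMAAAAEAAAA" * 128},
    # ... and launches PowerShell, which reads it back and decodes it in memory.
    {"host": "B", "id": 1, "image": PS, "parent": WSCRIPT,
     "cmdline": "powershell.exe -w hidden -c \"$b=(Get-ItemProperty 'HKCU:\\Software\\Example').Data;"
                "$p=[Convert]::FromBase64String($b)\""},
    # Host B, stage 2: PowerShell creates ieinstal.exe and opens it with full access (0x1FFFFF).
    {"host": "B", "id": 1, "image": IEINSTAL, "parent": PS, "cmdline": "ieinstal.exe"},
    {"host": "B", "id": 10, "source": PS, "target": IEINSTAL, "granted": "0x1FFFFF"},
]

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(host, rules)
```

Each rule on its own is noisy (administrators do launch PowerShell from scripts, and installers do write large registry values), so alert on a host that trips rules from both stage 1 and stage 2 within a short window rather than on any single hit. The access-mask check looks for PROCESS_VM_OPERATION and PROCESS_VM_WRITE rather than a fixed value such as 0x1FFFFF, so it also catches injectors that request only the rights they need.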

IOCs

SHA-256: f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f


About the Author:

FirstHackersNews- Identifies Security
