
Cybersecurity researchers have uncovered a variety of techniques employed by the advanced malware downloader GuLoader to bypass security software.
In a technical article published last week, CrowdStrike researchers Sarang Sonawane and Donato Onofri wrote, “A new anti-shellcode anti-analysis technique scans entire process memory looking for virtual machine (VM)-related strings. By doing so, they attempt to interfere with researchers and hostile environments.”
GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader used to distribute remote access Trojans such as Remcos to infected machines. It was first detected in the wild in 2019.
In November 2021, a JavaScript malware variant called RATDispenser emerged as a vector to drop GuLoader using a Base64-encoded VBScript dropper.
A GuLoader sample recently discovered by CrowdStrike was found to follow a three-step process. The VBScript is designed to deliver the next stage, which performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.
The shellcode not only incorporates the same anti-analysis techniques, but also downloads the final payload of the attacker’s choice from a remote server and executes it on the compromised host.
“The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution and throws an error message if the shellcode detects any known analysis or debugging mechanisms,” the researchers noted.
This includes anti-debugging and anti-disassembly checks that detect the presence of remote debuggers and breakpoints and terminate the shellcode if any are found. The shellcode also scans for virtualization software.
Additional functionality includes what the cybersecurity firm calls a “redundant code injection mechanism” that circumvents the NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.
NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs known to be abused by attackers.
Simply put, the method uses assembly instructions to invoke the required Windows API functions directly, allocating memory (i.e. NtAllocateVirtualMemory) and injecting arbitrary shellcode in its place via process hollowing, so that the hooked NTDLL.dll entry points are never reached.
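Because the bypass described above invokes the native API with its own assembly rather than going through the hooked NTDLL.dll exports, a defender can look for the tell-tale 64-bit syscall stub (mov r10, rcx; mov eax, &lt;service number&gt;; syscall) in memory that is not backed by NTDLL.dll. The following Python scanner is an added illustration written for this article, not code from CrowdStrike's write-up or from GuLoader; the memory region, its name and the service numbers it contains are constructed sample values.

```python
import re

# Byte layout of the canonical x64 syscall stub as found in ntdll.dll:
#   4C 8B D1          mov r10, rcx
#   B8 xx xx 00 00    mov eax, <system service number>
#   (optional)        newer Windows builds insert a short user-mode hook
#                     check between the mov and the syscall
#   0F 05             syscall
#   C3                ret
# Stubs with this shape living outside NTDLL.dll are a strong hint that
# code is calling the kernel directly to sidestep EDR hooks on NTDLL.
STUB_RE = re.compile(
    rb"\x4c\x8b\xd1"        # mov r10, rcx
    rb"\xb8(..)\x00\x00"    # mov eax, imm32 (low 16 bits carry the number)
    rb".{0,24}?"            # tolerate the optional hook-check bytes (lazy)
    rb"\x0f\x05",           # syscall
    re.DOTALL,
)


def find_syscall_stubs(region: bytes) -> list[tuple[int, int]]:
    """Return (offset, service_number) for every syscall stub in the buffer.

    Service numbers differ between Windows builds, so the scanner reports the
    raw number instead of guessing which NT function it maps to.
    """
    return [
        (m.start(), int.from_bytes(m.group(1), "little"))
        for m in STUB_RE.finditer(region)
    ]


def scan_region(name: str, region: bytes) -> dict:
    """Classify a memory region by the module backing it.

    Syscall stubs inside NTDLL.dll itself are normal; the same stubs in any
    other region (a private RWX allocation, a hollowed image, an unrelated
    DLL) are flagged as suspicious for analyst triage.
    """
    stubs = find_syscall_stubs(region)
    backed_by_ntdll = name.lower().endswith("ntdll.dll")
    if not stubs or backed_by_ntdll:
        verdict = "expected"
    else:
        verdict = "suspicious"
    return {"region": name, "stubs": stubs, "verdict": verdict}


# Constructed sample region: filler bytes, a plain stub, more filler, then a
# stub with the Windows 10 style hook check in the middle. The service
# numbers 0x18 and 0x50 are example values, not taken from any real build.
SAMPLE_REGION = (
    b"\x90" * 16
    + b"\x4c\x8b\xd1"                          # mov r10, rcx
    + b"\xb8\x18\x00\x00\x00"                  # mov eax, 0x18
    + b"\x0f\x05"                              # syscall
    + b"\xc3"                                  # ret
    + b"\x00" * 16
    + b"\x4c\x8b\xd1"                          # mov r10, rcx
    + b"\xb8\x50\x00\x00\x00"                  # mov eax, 0x50
    + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"      # test byte ptr [0x7ffe0308], 1
    + b"\x75\x03"                              # jne +3
    + b"\x0f\x05"                              # syscall
    + b"\xc3"                                  # ret
    + b"\x00" * 8
)

if __name__ == "__main__":
    for region_name in ("C:\\Windows\\System32\\ntdll.dll", "<private RWX 0x1a0000>"):
        print(scan_region(region_name, SAMPLE_REGION))
```

In a real deployment the region bytes would come from reading each committed executable region of a live process (or a memory dump) and the region name from the module that backs it; the classification rule stays the same.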
CrowdStrike’s findings follow a demonstration by cybersecurity firm Cymulate of an EDR bypass technique known as Blindside, which uses hardware breakpoints to create a “standalone, unhooked process containing only NTDLL” in which arbitrary code can be executed.
“GuLoader remains a dangerous threat, constantly evolving with new methods to evade detection,” the researchers conclude.