Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called **GuLoader** to evade security software.
“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri [said]() in a technical write-up published last week.
GuLoader, also called [CloudEyE](), is a Visual Basic Script (VBS) downloader that’s used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.
In November 2021, a JavaScript malware strain dubbed RATDispenser [emerged]() as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper.
A recent GuLoader sample unearthed by CrowdStrike exhibits a three-stage process: the VBScript delivers a next-stage component that runs anti-analysis checks, and only then injects the shellcode embedded in the VBScript into memory.
The shellcode, besides incorporating the same anti-analysis methods, downloads a final payload of the attacker’s choice from a remote server and executes it on the compromised host.
“The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis or debugging mechanisms,” the researchers pointed out.
These include anti-debugging and anti-disassembly checks for an attached remote debugger and for breakpoints; if either is found, the shellcode terminates. The shellcode also scans the process's memory for virtualization software.
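As an added example (not CrowdStrike's code and not GuLoader's), here is a minimal version of the memory scan described above, written for Linux: it walks /proc/self/maps (the analogue of a VirtualQuery loop on Windows) and looks for a short list of hypervisor strings in every readable region. The needle list, the byte-shift encoding of that list and the function names are assumptions of this example, not GuLoader's actual string table or layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

/*
 * Needles are stored with every byte shifted up by one ("VMware" -> "WNxbsf")
 * so the plaintext never sits in the scanner's own .rodata; otherwise a scan
 * of our own address space would always hit. The list itself is an assumption
 * for this example, not GuLoader's real string list.
 */
static const char *const enc_needles[] = {
    "WNxbsf",      /* VMware     */
    "WjsuvbmCpy",  /* VirtualBox */
    "WCpy",        /* VBox       */
    "RFNV",        /* QEMU       */
    "Izqfs.W",     /* Hyper-V    */
};
#define N_NEEDLES (sizeof enc_needles / sizeof enc_needles[0])

/* Case-insensitive match of one encoded needle at buf[0..]. Each needle byte
 * is decoded in a register and compared, so the plaintext is never written
 * to memory where a later pass of the scanner could find it. */
static int match_at(const unsigned char *buf, size_t avail, const char *enc)
{
    for (size_t i = 0; enc[i] != '\0'; i++) {
        if (i >= avail) return 0;
        unsigned char want = (unsigned char)(enc[i] - 1);
        if (tolower(buf[i]) != tolower(want)) return 0;
    }
    return 1;
}

/* Scan an arbitrary byte range; returns the index into enc_needles of the
 * first hit, or -1 when the range is clean. */
int scan_buffer(const unsigned char *buf, size_t len)
{
    for (size_t off = 0; off < len; off++)
        for (size_t n = 0; n < N_NEEDLES; n++)
            if (match_at(buf + off, len - off, enc_needles[n]))
                return (int)n;
    return -1;
}

/* Decode a needle for reporting only; returns NULL for a bad index. */
const char *needle_name(int idx, char *out, size_t outlen)
{
    if (idx < 0 || (size_t)idx >= N_NEEDLES || outlen == 0) return NULL;
    const char *enc = enc_needles[idx];
    size_t i;
    for (i = 0; enc[i] != '\0' && i + 1 < outlen; i++)
        out[i] = (char)(enc[i] - 1);
    out[i] = '\0';
    return out;
}

/* Walk every readable mapping of the current process. Returns the needle
 * index, -1 for a clean process, -2 where /proc/self/maps is unavailable. */
int scan_self_memory(void)
{
#ifdef __linux__
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -2;
    char line[512];
    int hit = -1;
    while (hit < 0 && fgets(line, sizeof line, maps)) {
        unsigned long start, end;
        char perms[5], path[256] = "";
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s",
                   &start, &end, perms, path) < 3)
            continue;
        if (perms[0] != 'r') continue;              /* unreadable page     */
        if (strncmp(path, "[v", 2) == 0) continue;  /* vdso/vvar/vsyscall  */
        hit = scan_buffer((const unsigned char *)(uintptr_t)start, end - start);
    }
    fclose(maps);
    return hit;
#else
    return -2;
#endif
}

int main(void)
{
    char name[32];
    printf("clean process scan: %d\n", scan_self_memory());

    /* Plant one decoded needle on the heap (constructed data) and rescan. */
    char *planted = malloc(32);
    needle_name(0, planted, 32);
    int r = scan_self_memory();
    printf("after planting: %d (%s)\n", r,
           r >= 0 ? needle_name(r, name, sizeof name) : "none");
    free(planted);
    return 0;
}
```

Build with `cc -o vmscan vmscan.c` and run it twice, inside and outside a VM. Two things matter in practice: the scanner must not carry its own needles in plaintext or it always detects itself (hence the shifted encoding and the register-only decode), and anything in the address space counts, including argv, the environment and path strings, so a host named after its hypervisor trips the check even on bare metal. That whole-address-space coverage is also what makes the technique noisy for defenders: an analysis sandbox only needs one hypervisor string anywhere in the process to be flagged.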
An added capability is what the cybersecurity company calls a “redundant code injection mechanism” to avoid [NTDLL.dll]() hooks implemented by endpoint detection and response (EDR) solutions.
NTDLL.dll API [hooking]() is a [technique]() [used]() by anti-malware engines to detect and flag suspicious processes on Windows: the security product patches the exported functions in user mode so that calls to APIs known to be abused by threat actors pass through its own monitoring code before reaching the kernel.
In a nutshell, the method uses hand-written assembly to invoke the memory-allocation function (i.e., [NtAllocateVirtualMemory]()) from the shellcode's own stub rather than through the possibly hooked NTDLL.dll export, and then injects arbitrary shellcode into memory via [process hollowing]().
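To make the hook bypass concrete, here is an added example (not GuLoader's or CrowdStrike's code) written for Linux x86-64, where the same idea applies: an EDR-style hook lives in the user-mode library wrapper (libc's mmap here, NTDLL.dll's NtAllocateVirtualMemory on Windows), and a raw `syscall` instruction reaches the kernel without passing through it. The hook is simulated by a call counter, which is an assumption of this demo rather than a real inline patch; on platforms without the raw-syscall path the code falls back to the wrapper.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__) && defined(__linux__)
#include <sys/syscall.h>
#endif

/* Stand-in for an EDR inline hook on the user-mode export: it counts every
 * call that goes through the library wrapper. Assumed for this demo; a real
 * hook overwrites the function prologue with a jump into the EDR's DLL. */
static int hook_hits = 0;

int raw_syscall_supported(void)
{
#if defined(__x86_64__) && defined(__linux__)
    return 1;
#else
    return 0;
#endif
}

/* The "normal" path: every call is visible to the hook. */
void *alloc_via_wrapper(size_t len)
{
    hook_hits++;
    return mmap(NULL, len, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
}

/* The bypass: issue the syscall instruction ourselves. This is the Linux
 * analogue of the Windows stub  mov r10, rcx ; mov eax, <SSN> ; syscall
 * that invokes NtAllocateVirtualMemory without touching the ntdll export. */
void *alloc_via_syscall(size_t len)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    register long r10 __asm__("r10") = MAP_PRIVATE | MAP_ANONYMOUS; /* flags  */
    register long r8  __asm__("r8")  = -1;                          /* fd     */
    register long r9  __asm__("r9")  = 0;                           /* offset */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)SYS_mmap), "D"((long)0), "S"((long)len),
                        "d"((long)(PROT_READ | PROT_WRITE)),
                        "r"(r10), "r"(r8), "r"(r9)
                      : "rcx", "r11", "memory");
    if (ret < 0 && ret > -4096) return MAP_FAILED;   /* kernel returns -errno */
    return (void *)ret;
#else
    return alloc_via_wrapper(len);   /* no raw path here: stays visible */
#endif
}

/* Returns 1 when the raw-syscall allocation is writable and the wrapper-level
 * hook did not observe it (or, without a raw path, observed exactly one call). */
int demo(void)
{
    int before = hook_hits;
    unsigned char *p = alloc_via_syscall(4096);
    if (p == MAP_FAILED) return 0;
    memset(p, 0xCC, 16);   /* constructed placeholder bytes, never executed */
    int expected_hits = raw_syscall_supported() ? 0 : 1;
    int ok = (p[15] == 0xCC) && (hook_hits - before == expected_hits);
    munmap(p, 4096);
    return ok;
}

int main(void)
{
    printf("raw syscall path available: %d\n", raw_syscall_supported());
    printf("bypass allocation usable and unseen by hook: %d\n", demo());
    alloc_via_wrapper(4096);
    printf("hook hits after one wrapper call: %d\n", hook_hits);
    return 0;
}
```

The asymmetry is the whole point: the wrapper path increments the counter, the raw path does not, yet both hand back usable memory. On Windows the trick is harder than it looks here, because system call numbers change between OS builds and a stub has to resolve the number at run time, whereas Linux numbers are stable. On either platform a defender who cannot rely on the user-mode hook can instead look for a `syscall` instruction executing from memory outside the system library's image, which is exactly what a hand-written stub does.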
The findings from CrowdStrike also come as cybersecurity firm Cymulate demonstrated an EDR bypass technique known as [Blindside]() that allows for running arbitrary code by using hardware breakpoints to create a “process with only the NTDLL in a stand-alone, unhooked state.”
“GuLoader remains a dangerous threat that’s been constantly evolving with new methods to evade detection,” the researchers concluded.