Malware Downloader GuLoader Utilizes New Obfuscation Techniques Against Security Software

NJCCIC Alert

Original Release Date: 12/29/2022

Summary

CrowdStrike researchers identified a new version of GuLoader, a malware downloader recently observed using new techniques to evade security detection. This new version uses a three-stage deployment process. In the first stage, a VBS dropper file writes a packed payload into the registry, which a PowerShell script then reads back and executes. The second stage performs various anti-analysis functions, such as anti-debug and anti-virtual-machine measures. The third stage applies the same anti-analysis checks, then downloads and executes the final malware payload.

GuLoader, also known as CloudEyE, uses vectored exception handling to disrupt the normal flow of code execution and thwart debugging and disassembly efforts. Other evasion and anti-analysis techniques include checking for API checkpoints, checking for remote debuggers, and scanning for evidence of a virtual machine. If any of these checks is triggered, the shellcode terminates itself. GuLoader also uses a technique called process hollowing to create a process, hollow out its memory, and inject it with malicious code to further evade detection. GuLoader is used to distribute remote access trojans (RATs), such as the Remcos RAT, on infected machines.
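The most observable part of the chain described above is stage one: a script host running the VBS dropper spawns PowerShell, which reads the staged payload out of the registry and runs it in memory. The following is an added detection example written for this alert; it is not code from the NJCCIC or from the CrowdStrike report. It scores Sysmon-style process-creation events (the field names Image, CommandLine and ParentImage are an assumption about the telemetry format) and the three sample events are constructed, not real telemetry. The registry-read and in-memory-execution patterns are generic PowerShell idioms, not indicators taken from any GuLoader sample.

```python
"""Flag process-creation events that resemble a registry-staged payload being
executed by PowerShell after a script-host (VBS) dropper launches it.

Added example for this alert; sample events below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Script hosts that run a VBS dropper and would appear as PowerShell's parent.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Generic PowerShell idioms for each behaviour of interest (case-insensitive).
REGISTRY_READ = re.compile(
    r"Get-ItemProperty|GetValue\(|reg(?:\.exe)?\s+query|HK(?:CU|LM|EY_[A-Z_]+)[:\\]", re.I)
IN_MEMORY_EXEC = re.compile(
    r"\bIEX\b|Invoke-Expression|FromBase64String|\[Reflection\.Assembly\]::Load", re.I)
EVASION_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop\b", re.I)

# Constructed sample events in a Sysmon Event ID 1 style (assumed field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\victim\Downloads\invoice.vbs',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": (r'powershell -w hidden -ep bypass -c "$p=(Get-ItemProperty '
                     r'HKCU:\Software\Example).Data; IEX ([Text.Encoding]::Unicode.GetString('
                     r'[Convert]::FromBase64String($p)))"'),
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": "powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\",
     "ParentImage": "explorer.exe"},
]


@dataclass
class Finding:
    command_line: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0


def analyse_event(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a PowerShell launch accumulates enough stage-one traits."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    finding = Finding(cmd)

    if parent.endswith(SCRIPT_HOSTS):
        finding.reasons.append("spawned by script host: " + parent)
        finding.score += 2
    if REGISTRY_READ.search(cmd):
        finding.reasons.append("command line reads a registry value")
        finding.score += 2
    if IN_MEMORY_EXEC.search(cmd):
        finding.reasons.append("command line decodes/executes content in memory")
        finding.score += 2
    if EVASION_FLAGS.search(cmd):
        finding.reasons.append("hidden window or execution-policy bypass flag")
        finding.score += 1

    # A registry read plus in-memory execution (4), or a script-host parent plus
    # evasion flags (3), is enough to surface the event for a closer look.
    return finding if finding.score >= 3 else None


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run analyse_event over a batch and keep only the events that scored."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"score={hit.score}: {hit.command_line}")
        for reason in hit.reasons:
            print("  -", reason)
```

The scoring is deliberately additive rather than a single regex so that a partial match (for example, a script host launching a hidden PowerShell window without any registry access) still surfaces with its reasons listed, and an analyst can tune the threshold against their own baseline of legitimate administrative scripts.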

Recommendations

The NJCCIC advises network administrators to keep anti-malware software up to date and search for IOCs to monitor threats. Further technical details and IOCs can be found in the CrowdStrike threat analysis report.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
