GuLoader Malware Utilizing New Techniques to Evade Security Software

December 26, 2022

Cybersecurity researchers have uncovered a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.

“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning the entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.

GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that is used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.

In November 2021, a JavaScript malware strain dubbed RATDispenser emerged as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper.


A recent GuLoader sample examined by CrowdStrike exhibits a three-stage process in which the VBScript produces a second stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.

The shellcode, in addition to incorporating the same anti-analysis techniques, downloads a final payload of the attacker’s choice from a remote server and executes it on the compromised host.

“The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis or debugging mechanisms,” the researchers noted.

This includes anti-debugging and anti-disassembly checks that detect the presence of a remote debugger and breakpoints and, if found, terminate the shellcode. The shellcode also scans for virtualization software.

An additional capability is what the cybersecurity company calls a “redundant code injection mechanism” to avoid the NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring the APIs that are known to be abused by threat actors. Because ntdll.dll is the last user-mode layer before the kernel, a hook patched into the prologue of an Nt* export sees every call that reaches the export through the normal path, and only those.

In a nutshell, the technique involves using assembly instructions to invoke the Windows API function needed to allocate memory (i.e., NtAllocateVirtualMemory) without passing through the hooked ntdll.dll export, and then to inject arbitrary shellcode into memory by way of process hollowing.

The findings from CrowdStrike also come as cybersecurity firm Cymulate demonstrated an EDR bypass technique known as Blindside that allows running arbitrary code by using hardware breakpoints to create a “process with only the NTDLL in a stand-alone, unhooked state.”

“GuLoader remains a dangerous threat that has been constantly evolving with new methods to evade detection,” the researchers concluded.



Some parts of this article are sourced from:
thehackernews.com

