Researchers detail new evasion techniques used by GuLoader malware

CrowdStrike has released a technical report highlighting multiple evasion techniques implemented by an advanced malware downloader called GuLoader.

GuLoader (aka CloudEyE) was first observed in 2019 as a file downloader that was used to distribute remote access trojans (RATs) like AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT. The early versions of GuLoader were distributed via spam email with archived attachments containing the malware.

GuLoader uses a polymorphic shellcode loader to evade traditional security solutions. Rather than importing Windows APIs by name, the shellcode stores DJB2 hashes of the API names; the researchers mapped every embedded DJB2 hash value to the API the malicious code resolves through it.
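The hash-to-API mapping described above is the routine analysts reproduce when triaging such shellcode. The following is an added example, not code from the CrowdStrike report or the malware: it computes the classic DJB2 hash (seed 5381, h = h*33 + c, truncated to 32 bits, an assumption, since a real sample may use a modified seed or case handling) over a constructed list of candidate API names and resolves hash constants recovered from a disassembly back to names.

```python
# Added example: build a DJB2 lookup table for candidate Windows API names and
# resolve 32-bit hash constants recovered from a shellcode sample back to names.
# Assumes the classic DJB2 variant (seed 5381, h = h*33 + c, mod 2^32); a real
# sample may use a modified seed or different case handling.
from typing import Dict, Iterable, List, Optional


def djb2(name: str, seed: int = 5381) -> int:
    """Classic DJB2 string hash truncated to 32 bits."""
    h = seed
    for byte in name.encode("ascii"):
        h = ((h << 5) + h + byte) & 0xFFFFFFFF  # h * 33 + c, kept to 32 bits
    return h


def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Map DJB2 hash -> API name for every candidate export name."""
    return {djb2(n): n for n in api_names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Look up each recovered hash; None means the name is not in the candidate list."""
    return [table.get(h) for h in hashes]


# Constructed candidate list: exports an analyst would typically include.
CANDIDATE_APIS = [
    "VirtualAlloc", "VirtualProtect", "CreateProcessW", "NtAllocateVirtualMemory",
    "LoadLibraryA", "GetProcAddress", "IsDebuggerPresent", "Sleep",
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    # Constructed sample: constants a disassembly might show, plus one unknown value.
    sample = [djb2("VirtualAlloc"), djb2("IsDebuggerPresent"), 0xDEADBEEF]
    for h, name in zip(sample, resolve_hashes(sample, table)):
        print(f"0x{h:08x} -> {name or 'unresolved'}")
```

Unresolved hashes usually mean the candidate list needs more export names (or the sample uses a non-standard DJB2 variant), so extend the list from the export tables of the DLLs the sample loads.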

More recent versions of GuLoader analyzed by the researchers implement a new anti-analysis technique designed to detect whether the malware is running in an analysis environment such as a virtual machine. New variants also use an updated delivery mechanism in which the payload is delivered via a Visual Basic Script (VBS) file, and exhibit a multistage deployment:

  • The first stage involves using a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory.

  • The second-stage payload performs all anti-analysis routines, creates a Windows process (e.g., ieinstal.exe) and injects the same shellcode into the new process.

  • The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.

CrowdStrike says that GuLoader remains a dangerous, constantly evolving threat; the cybersecurity company has also shared Indicators of Compromise related to the malware.
