"GuLoader Malware Utilizing New Techniques to Evade Security Software"

CrowdStrike researchers have uncovered a wide range of techniques that the malware downloader GuLoader uses to circumvent security protections. In a technical write-up, researchers Sarang Sonawane and Donato Onofri of CrowdStrike describe a new shellcode anti-analysis method that scans the entire process memory for Virtual Machine (VM)-related strings in an effort to foil researchers and analysis environments. GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader used to distribute Remcos and other Remote Access Trojans (RATs) on compromised workstations. It was first observed in the wild by researchers in 2019. In November 2021, RATDispenser, a JavaScript malware strain, appeared as a conduit for distributing GuLoader via a Base64-encoded VBScript dropper.

A recent GuLoader sample discovered by CrowdStrike demonstrates a three-step process: the VBScript delivers a subsequent stage that performs anti-analysis checks before injecting shellcode embedded in the VBScript into memory. The shellcode applies the same anti-analysis techniques, then downloads a final payload of the attacker's choosing from a remote server and executes it on the compromised system. The researchers noted that the shellcode employs many anti-analysis and anti-debugging techniques at each stage of execution, throwing an error message if it detects any known analysis or debugging tools. These include anti-debugging and anti-disassembly checks that look for a remote debugger and for breakpoints; if either is detected, the shellcode terminates. This article continues to discuss findings regarding the GuLoader malware.

THN reports "GuLoader Malware Utilizing New Techniques to Evade Security Software"
