Experts from CrowdStrike have discovered a new strain of the advanced GuLoader loader.
As it turned out, the malware's authors carried out a substantial upgrade, adding a wide range of features designed to bypass security software.
GuLoader, also known as CloudEyE, was first discovered in 2019 and is a Visual Basic Script (VBS) loader that is used to distribute remote access Trojans.
According to the researchers, the new anti-analysis technique is based on scanning the allocated memory of processes for artefacts associated with a virtual machine.
The malware uses a three-stage process: a VBScript delivers a payload that retrieves the second stage and checks for a virtual environment, after which shellcode is injected into memory.
That shellcode, in addition to applying the same anti-analysis checks, downloads the final payload of the attacker's choice from a remote server and executes it on the compromised host.
Moreover, the shellcode applies several anti-analysis and anti-debugging techniques at each stage of execution and raises an error message if it detects a known analysis tool or debugging mechanism.
To avoid the NTDLL.dll hooks placed by EDR solutions, the malware uses what the researchers call a redundant code injection mechanism.
Researchers from Cymulate have also demonstrated an EDR bypass technique known as Blindside, which allows arbitrary code to be run by using hardware breakpoints to create "a process in which only NTDLL is in an offline, unconnected state."
As the researchers concluded, GuLoader was and remains a dangerous threat that is constantly evolving thanks to new methods of evading detection.