Researchers Reveal Latest GuLoader Malware Anti-Analysis Techniques

December 09, 2023 | Newsroom | Malware / Cyberattack

Methods of Anti-Analysis

Threat hunters have revealed the latest tricks adopted by a type of malware called GuLoader in an effort to make the analysis more challenging.

“While GuLoader’s core functionality hasn’t changed much over the past few years, these constant updates to their obfuscation methods make analyzing GuLoader a process that takes up time and resources,” Elastic Security Labs researcher Daniel Stepanic said in a report published this week.

First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader used to distribute a wide range of payloads, such as information stealers, while attaching a set of sophisticated anti-analysis methods to avoid traditional security solutions.

A steady stream of open-source reporting on the malware in recent months shows that the threat actors behind it continue to improve its ability to bypass existing or newly implemented security features.

GuLoader is usually spread through phishing campaigns, where victims are tricked into downloading and installing the malware via emails that carry ZIP archives, or links to them, containing a Visual Basic Script (VBScript) file.


Israeli cybersecurity company Check Point, in September 2023, revealed that “GuLoader is now sold under a new name on the same platform as Remcos and is vaguely promoted as a crypter that makes its payload undetectable by antiviruses.”

One of the recent changes in the malware is the improvement of an anti-analysis technique that was first disclosed by CrowdStrike in December 2022 and which is centered on Vectored Exception Handling (VEH) capability.

It is worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that “GuLoader uses VEH primarily for obfuscating the execution flow and slowing down analysis.”

The method “consists of breaking the normal flow of code execution by intentionally throwing multiple exceptions and handling them with an exception vector handler that transfers control to a dynamically calculated address,” Check Point said.
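To make concrete why exception-driven control flow frustrates static analysis, here is a small Python model written for this article (it is not GuLoader code and not from any of the vendors cited). It builds a constructed "program" in which a trap instruction raises an exception, a fake handler computes the real next address from per-trap data and an XOR key, and two tracers walk the code: a linear one that behaves like a fall-through disassembler, and a handler-aware one that models what an analyst's emulator must do to recover the true path. All addresses, opcodes and the key are made up for the illustration.

```python
"""Toy model of exception-driven control flow (constructed example, not GuLoader code).

A 'trap' models an instruction that deliberately faults. The bytes after it are
decoys that a fall-through trace decodes but that never execute; the real next
address is only known once the (modelled) vectored exception handler runs.
"""

# Constructed "program": address -> (mnemonic, operand)
PROGRAM = {
    0x1000: ("mov", "key"),
    0x1001: ("trap", None),       # faults here; handler decides the real target
    0x1002: ("junk", "garbage"),  # decoy, reached only by linear disassembly
    0x1003: ("junk", "garbage"),
    0x1010: ("mov", "ptr"),
    0x1011: ("trap", None),       # second fault
    0x1012: ("junk", "garbage"),
    0x1020: ("call", "payload"),  # the code the analyst actually wants to reach
    0x1021: ("ret", None),
}

XOR_KEY = 0x0013  # constructed key the fake handler uses to decode its target

# Constructed per-trap data: the encoded real target stored beside each trap
TRAP_DATA = {0x1001: 0x1010 ^ XOR_KEY, 0x1011: 0x1020 ^ XOR_KEY}


def fake_veh(fault_addr):
    """Model of the vectored handler: derives the new instruction pointer from
    data tied to the faulting address. Nothing here is visible to a static
    walk that does not know the handler's logic."""
    return TRAP_DATA[fault_addr] ^ XOR_KEY


def linear_trace(start, max_steps=16):
    """What a fall-through disassembler reports: the trap is treated as an
    ordinary instruction and decoding continues with the decoy bytes."""
    path, addr = [], start
    for _ in range(max_steps):
        if addr not in PROGRAM:  # ran off the decoy bytes into nothing
            break
        path.append(addr)
        if PROGRAM[addr][0] == "ret":
            break
        addr += 1
    return path


def handler_aware_trace(start, max_steps=16):
    """An analyst's emulator that models the handler: on 'trap' it asks the
    handler for the next address instead of falling through."""
    path, addr = [], start
    for _ in range(max_steps):
        path.append(addr)
        mnem, _ = PROGRAM[addr]
        if mnem == "ret":
            break
        addr = fake_veh(addr) if mnem == "trap" else addr + 1
    return path


def executed_mnemonics(path):
    """Mnemonics along a path, to compare what each tracer believes ran."""
    return [PROGRAM[a][0] for a in path]


if __name__ == "__main__":
    print("linear       :", [hex(a) for a in linear_trace(0x1000)])
    print("handler-aware:", [hex(a) for a in handler_aware_trace(0x1000)])
```

The linear walk stops in decoy bytes and never sees the `call`; the handler-aware walk reaches it only because it reproduces the handler's address computation. That is the practical cost the quoted description points at: every handler variant has to be re-modelled before the real flow can be followed.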

GuLoader is far from the only malware family that receives regular updates. Another notable example is DarkGate, a remote access trojan (RAT) that enables attackers to completely compromise victim systems.

Sold as malware-as-a-service (MaaS) by an actor known as RastaFarEye on underground forums for a monthly fee of $15,000, the malware uses phishing emails with links to distribute the initial infection vector: a VBScript or Microsoft Software Installer (MSI) file.

Trellix, which analyzed the latest version of DarkGate (5.0.19), said it “introduces a new execution chain using DLL side-loading and improved shellcodes and loaders,” as well as a complete rework of the RDP password theft feature.

“The threat actor actively monitors threat reports to make quick changes to avoid detections,” security researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas said.

“Its adaptability, its speed of recovery, and the depth of its prevention methods prove the superiority of modern malware threats.”

The improvement comes as the remote access trojans Agent Tesla and AsyncRAT have been observed spreading through new email-based infection chains that use steganography and unusual file types in an attempt to bypass antivirus detection measures.

It also follows a report from the HUMAN Satori Threat Intelligence Team about how an updated version of a malware obfuscation engine called ScrubCrypt (aka BatCloak) was used to deliver the RedLine stealer malware.

“The new build of ScrubCrypt is being sold by threat actors on a small number of dark web marketplaces, including Nulled Forum, Cracked Forum, and Hack Forums,” the company said.