One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8310448
Publication date 2023-02-15 11:00:00 (seen: 2023-02-15 11:07:16)
Title GuLoader – a highly effective and versatile malware that can evade detection
Text The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. This blog was jointly authored with Arjun Patel.

GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans. It was first discovered in the wild in late 2019 and has since become a popular choice among cybercriminals due to its effectiveness and ease of use. Researchers at cybersecurity firm CrowdStrike have recently published a technical write-up detailing the various techniques used by GuLoader to avoid detection.

One of the key features of GuLoader is its ability to evade detection by traditional security solutions. It uses several techniques to avoid being detected, including packing and encryption, as well as utilizing legitimate websites and services as command and control (C2) servers. It also employs advanced anti-debugging and anti-analysis techniques, which make it difficult for security researchers to reverse engineer and analyze its code.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails or links containing a Visual Basic script file. It can also be distributed through other means, such as drive-by downloads, where the malware is delivered to a victim's computer through a web browser without the victim's knowledge.

GuLoader utilizes a three-stage process to deliver the final payload to the infected host. During the first stage, the VBScript dropper file gets downloaded into a registry key as a persistence mechanism and delivers a next-stage payload. The second-stage payload performs anti-analysis checks before injecting shellcode into memory. If these checks are successful, the shellcode then downloads the final payload from a remote server and executes it on the compromised host.

The shellcode incorporates various anti-analysis and anti-debugging measures, including checks for the presence of a remote debugger and breakpoints, scans for virtualization software, and the use of a "redundant code injection mechanism" to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's "redundant code injection mechanism" is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware.

One of the ways that GuLoader evades detection is through its use of legitimate websites and services as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious. In addition to its advanced evasion techniques, GuLoader is also highly customizable
Sent Yes
Tags Ransomware Malware Threat
Rating ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in a previous one.