Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.
GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that’s used to distribute remote access trojans such as Remcos on infected machines. It was first detected in the wild in 2019.
Recent GuLoader samples unearthed by CrowdStrike have been found to exhibit a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.
images from Hacker News