Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.
"While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic said in a report published this week.
First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that is used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions.
A steady stream of open-source reporting on the malware in recent months has revealed that the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented features.
GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware via emails bearing ZIP archives or links containing a Visual Basic Script (VBScript) file.
Israeli cybersecurity firm Check Point, in September 2023, revealed that "GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses."
One of the recent changes to the malware is an improvement of an anti-analysis technique first disclosed by CrowdStrike in December 2022, which is centered around its use of Vectored Exception Handling (VEH).
It is worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that "GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis."
The method "consists of breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address," Check Point said.
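The mechanism Check Point describes is easier to reason about in a working model. The following is an added example, not GuLoader's code and not any vendor's tooling: a toy byte-code interpreter in which an int3 (0xCC) raises a breakpoint exception, a model of the vectored handler redirects execution to an address that exists only at run time, and a static resolver plus patcher of the kind an analyst writes once the handler's arithmetic has been recovered. The instruction set, the constructed sample bytes, the XOR key, the displacement formula and the debug-register check are all assumptions chosen for illustration; in this model the junk after each trap is never executed, but a linear disassembler will happily decode it, which is why analysis of such code is slow.

```python
"""Toy model of VEH-based control-flow obfuscation and of an analyst's resolver.
Added example, not GuLoader's code: the ISA, sample bytes, XOR key, displacement
formula and debug-register check are assumptions for illustration."""
from dataclasses import dataclass

KEY = 0x5A                                   # assumed key hiding the displacement byte
OP_ADD, OP_XOR, OP_TRAP, OP_JMP, OP_RET = 0x01, 0x02, 0xCC, 0xEB, 0xC3
EXC_BREAKPOINT, EXC_ILLEGAL = 0x80000003, 0xC000001D
CONTINUE_EXECUTION, CONTINUE_SEARCH = -1, 0  # the two values a VEH callback returns

@dataclass
class Context:
    ip: int
    acc: int = 0
    dr: tuple = (0, 0, 0, 0)  # models DR0-DR3; non-zero when a hardware breakpoint is armed

class UnhandledException(Exception):
    pass

def _signed8(b: int) -> int:
    return b - 0x100 if b & 0x80 else b

def veh_handler(ctx: Context, exc_code: int, code: bytes) -> int:
    """Model of the loader's handler: claim only breakpoints, decode the byte
    after the int3, and move ip to the address computed from it."""
    if exc_code != EXC_BREAKPOINT:
        return CONTINUE_SEARCH
    if any(ctx.dr):               # assumed anti-debug check: armed HW breakpoint => no fix-up
        return CONTINUE_SEARCH
    ctx.ip = ctx.ip + 2 + _signed8(code[ctx.ip + 1] ^ KEY)  # successor exists only at run time
    return CONTINUE_EXECUTION

def execute(code: bytes, handler=None, dr=(0, 0, 0, 0), fuel: int = 10_000) -> int:
    """Run the toy ISA from offset 0 and return acc at ret; unclaimed exceptions abort."""
    ctx = Context(ip=0, dr=dr)
    while fuel:
        fuel -= 1
        op = code[ctx.ip]
        if op == OP_RET:
            return ctx.acc
        if op in (OP_ADD, OP_XOR):
            imm = code[ctx.ip + 1]
            ctx.acc = (ctx.acc + imm) & 0xFF if op == OP_ADD else ctx.acc ^ imm
            ctx.ip += 2
        elif op == OP_JMP:
            ctx.ip = ctx.ip + 2 + _signed8(code[ctx.ip + 1])
        else:   # int3 raises a breakpoint exception, anything unknown an illegal-instruction one
            exc = EXC_BREAKPOINT if op == OP_TRAP else EXC_ILLEGAL
            if handler is None or handler(ctx, exc, code) != CONTINUE_EXECUTION:
                raise UnhandledException(f"exception {exc:#x} at ip={ctx.ip}")
    raise RuntimeError("out of fuel")

def aborts(code: bytes, handler=None, dr=(0, 0, 0, 0)) -> bool:
    """True when the run dies on an unclaimed exception (no handler, or an armed HW breakpoint)."""
    try:
        execute(code, handler, dr)
    except UnhandledException:
        return True
    return False

def resolve_traps(code: bytes, key: int = KEY) -> dict:
    """Static pass: walk reachable code from entry, apply the recovered handler
    arithmetic at every int3, and return {trap_addr: true_target}."""
    targets, ip, seen = {}, 0, set()
    while ip not in seen and code[ip] != OP_RET:
        seen.add(ip)
        op = code[ip]
        if op == OP_TRAP:
            targets[ip] = ip + 2 + _signed8(code[ip + 1] ^ key)
            ip = targets[ip]
        elif op == OP_JMP:
            ip = ip + 2 + _signed8(code[ip + 1])
        elif op in (OP_ADD, OP_XOR):
            ip += 2
        else:
            raise ValueError(f"junk byte {op:#x} is reachable at {ip}")
    return targets

def patch_traps(code: bytes, key: int = KEY) -> bytes:
    """Rewrite each resolved int3 into a direct short jmp: the handler is no
    longer needed and a linear disassembler now shows the real path."""
    out = bytearray(code)
    for trap, target in resolve_traps(code, key).items():
        out[trap], out[trap + 1] = OP_JMP, (target - (trap + 2)) & 0xFF
    return bytes(out)

# Constructed sample: two int3 traps, each followed by junk that a linear
# disassembler decodes as plausible instructions (including a bogus ret).
SAMPLE = bytes([
    0x01, 0x05,                          # 0:  acc += 5
    OP_TRAP, 0x04 ^ KEY,                 # 2:  int3; decoded disp 4 -> real target 8
    0x02, 0xFF, 0xC3, 0x00,              # 4:  junk, never executed
    0x02, 0x0F,                          # 8:  acc ^= 0x0F
    OP_TRAP, 0x06 ^ KEY,                 # 10: int3; decoded disp 6 -> real target 18
    0x01, 0xFF, 0x02, 0xAA, 0xC3, 0xC3,  # 12: junk, never executed
    0x01, 0x20,                          # 18: acc += 0x20
    OP_RET,                              # 20: ret
])

if __name__ == "__main__":
    print(execute(SAMPLE, veh_handler), aborts(SAMPLE))          # 42 True
    print(resolve_traps(SAMPLE), execute(patch_traps(SAMPLE)))  # {2: 8, 10: 18} 42
```

With the handler installed the sample returns 42; without it, or with a hardware breakpoint address in DR0, the first int3 is never claimed and execution dies, which is the anti-debug side of the same trick. The patched copy needs no handler at all and decodes linearly into the true path, which is the practical outcome an analyst wants from this work.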
GuLoader is far from the only malware family to have received constant updates. Another notable example is DarkGate, a remote access trojan (RAT) that enables attackers to fully compromise victim systems.
Advertised as malware-as-a-service (MaaS) by an actor known as RastaFarEye on underground forums for a monthly fee of $15,000, the malware uses phishing emails containing links to distribute the initial infection vector: a VBScript or Microsoft Software Installer (MSI) file.
Trellix, which analyzed the latest version of DarkGate (5.0.19), said it "introduces a new execution chain using DLL side-loading and enhanced shellcodes and loaders." Further, it comes with a complete rework of the RDP password theft feature.
"The threat actor has been actively monitoring threat reports to perform quick changes thus evading detections," security researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas said.
"Its adaptability, the speed with which it iterates, and the depth of its evasion methods attest to the sophistication of modern malware threats."
The development comes as remote access trojans like Agent Tesla and AsyncRAT have been observed being propagated using novel email-based infection chains that leverage steganography and uncommon file types in an attempt to bypass antivirus detection measures.
It also follows a report from the HUMAN Satori Threat Intelligence Team about how an updated version of a malware obfuscation engine called ScrubCrypt (aka BatCloak) is being used to deliver the RedLine stealer malware.
"The new ScrubCrypt build was sold to threat actors on a small handful of dark web marketplaces, including Nulled Forum, Cracked Forum, and Hack Forums," the company said.
Some parts of this article are sourced from:
thehackernews.com