Cybersecurity researchers have uncovered a wide variety of techniques employed by an advanced malware downloader called GuLoader to bypass security software.
“The new shellcode anti-analysis technique scans the entire process memory looking for virtual machine (VM)-related strings in order to thwart researchers and hostile environments,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical article published last week.
GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader used to distribute remote access trojans to infected machines. It was first detected in the wild in 2019.
In November 2021, a JavaScript malware variant called RATDispenser emerged as a vector to drop GuLoader using a Base64-encoded VBScript dropper.
A recent GuLoader sample discovered by CrowdStrike exhibits a three-stage process, in which the VBScript is designed to deliver a next stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.
The shellcode not only incorporates the same anti-analysis techniques, but also downloads the final payload of the attacker’s choice from a remote server and executes it on the compromised host.
“The shellcode employs several anti-analysis and anti-debugging tricks at every step of its execution and throws an error message if the shellcode detects any known analysis or debugging mechanisms,” the company pointed out.
This includes anti-debugging and anti-disassembly checks that detect the presence of remote debuggers and breakpoints and terminate the shellcode if any are found. The shellcode also scans for virtualization software.
Also built into the malware is what the cybersecurity firm calls a “redundant code injection mechanism” to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.
NTDLL.dll API hooking is a technique already used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring the APIs known to be abused by attackers.
Simply put, the method uses assembly instructions to call the necessary Windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into that memory via process hollowing.
The findings from CrowdStrike also come as cybersecurity firm Cymulate demonstrated an EDR bypass technique known as Blindside, which makes it possible to execute arbitrary code by creating a “standalone, unhooked process containing only NTDLL” with the help of hardware breakpoints.
“GuLoader remains a dangerous threat, constantly evolving with new ways to evade detection,” the researchers concluded.