December 26, 2022 | Ravie Lakshmanan | Reverse Engineering

Cybersecurity researchers have uncovered the various techniques employed by the advanced malware downloader GuLoader to bypass security software.

“The new shellcode anti-analysis technique scans the entire process memory looking for any virtual machine (VM)-related strings, in an attempt to thwart researchers and hostile environments,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.

GuLoader, also known as CloudEyE, is a Visual Basic Script (VBS) downloader used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.

In November 2021, a JavaScript malware variant called RATDispenser emerged as a vector to drop GuLoader using a Base64-encoded VBScript dropper.


A recent GuLoader sample discovered by CrowdStrike shows a three-stage process: the VBScript is designed to deliver a next stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.

The shellcode not only incorporates the same anti-analysis techniques, but also downloads the final payload of the attacker’s choice from a remote server and executes it on the compromised host.

“The shellcode employs several anti-analysis and anti-debugging tricks at every step of its execution and throws an error message if the shellcode detects any known analysis or debugging mechanisms,” the researchers pointed out.

This includes anti-debugging and anti-disassembly checks to detect the presence of remote debuggers and breakpoints and terminate the shellcode if found. The shellcode also features scanning for virtualization software.
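As an added example (not code from the article or from CrowdStrike), the following static triage heuristic turns the behaviour described above into a detection: a sample that embeds a cluster of VM-artifact strings alongside debugger checks is flagged for closer analysis. The indicator lists and sample blobs are constructed for illustration; the names `find_indicators` and `triage` are my own, and the scan checks both ASCII and UTF-16LE, the encoding Windows APIs usually see.

```python
# Added example: static triage for anti-VM / anti-debugging string clusters.
# Indicator lists below are constructed for illustration, not from the article.
VM_STRINGS = ["vmware", "vbox", "virtualbox", "qemu", "vmtoolsd",
              "vboxservice", "sandboxie", "hyper-v"]
DEBUGGER_STRINGS = ["x64dbg", "ollydbg", "windbg", "isdebuggerpresent",
                    "checkremotedebuggerpresent", "ntqueryinformationprocess"]


def find_indicators(data, needles):
    """Return the needles present in data, in either ASCII or UTF-16LE form."""
    haystack = data.lower()  # bytes.lower() touches ASCII letters only; NULs stay
    hits = []
    for needle in needles:
        ascii_form = needle.encode("ascii")
        wide_form = needle.encode("utf-16-le")  # "vbox" -> b"v\x00b\x00o\x00x\x00"
        if ascii_form in haystack or wide_form in haystack:
            hits.append(needle)
    return hits


def triage(data, vm_threshold=3):
    """Score a blob. A single VM string is common in benign software (drivers,
    installers), so only a cluster of them, or VM strings combined with a
    debugger check, is treated as suspicious."""
    vm_hits = find_indicators(data, VM_STRINGS)
    dbg_hits = find_indicators(data, DEBUGGER_STRINGS)
    suspicious = len(vm_hits) >= vm_threshold or bool(vm_hits and dbg_hits)
    return {"vm": vm_hits, "debugger": dbg_hits, "suspicious": suspicious}


# Constructed samples: one mimicking an anti-analysis stub, one benign.
SUSPECT_BLOB = (b"\x90" * 16 + b"VMware" + b"\x00" * 8
                + "VBoxService.exe".encode("utf-16-le") + b"qemu-ga"
                + "x64dbg.exe".encode("utf-16-le") + b"\x90" * 16)
BENIGN_BLOB = b"This driver supports VMware tools" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        print(name, triage(blob))
```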

Additionally, the malware includes what the cybersecurity firm calls a “redundant code injection mechanism” to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring the APIs that are known to be abused by threat actors.

Put simply, the method involves using assembly instructions to invoke the necessary Windows API functions for allocating memory (i.e., NtAllocateVirtualMemory) and injecting arbitrary shellcode into that memory via process hollowing.

The findings from CrowdStrike come as cybersecurity firm Cymulate demonstrated an EDR bypass technique called Blindside, which makes it possible to run arbitrary code by creating a “standalone, unhooked process containing only NTDLL” using hardware breakpoints.

“GuLoader remains a dangerous threat, constantly evolving with new ways to evade detection,” the researchers concluded.
