Researchers Unveal GuLoader Malware's Latest Anti-Analysis Techniques
9.12.23  Virus  The Hacker News

Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.

"While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic said in a report published this week.

First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions.

A steady stream of open-source reporting into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented features.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails bearing ZIP archives or links containing a Visual Basic Script (VBScript) file.

Israeli cybersecurity company Check Point, in September 2023, revealed that "GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses."

One of the recent changes to the malware is an improvement of an anti-analysis technique first disclosed by CrowdStroke in December 2022 and which is centered around its Vectored Exception Handling (VEH) capability.

It's worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that "GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis."

The method "consists of breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address," Check Point said.

GuLoader is far from the only malware family to have received constant updates. Another notable example is DarkGate, a remote access trojan (RAT) that enables attackers to fully compromise victim systems.

Sold as malware-as-a-service (MaaS) by an actor known as RastaFarEye on underground forums for a monthly fee of $15,000, the malware uses phishing emails containing links to distribute the initial infection vector: a VBScript or Microsoft Software Installer (MSI) file.

Trellix, which analyzed the latest version of DarkGate (5.0.19), said it "introduces a new execution chain using DLL side-loading and enhanced shellcodes and loaders." Further, it comes with a complete rework of the RDP password theft feature.

"The threat actor has been actively monitoring threat reports to perform quick changes thus evading detections," security researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas said.

"Its adaptability, the speed with which it iterates, and the depth of its evasion methods attest to the sophistication of modern malware threats."

The development comes as remote access trojans like Agent Tesla and AsyncRAT have been observed being propagated using novel email-based infection chains that leverage steganography and uncommon file types in an attempt to bypass antivirus detection measures.


It also follows a report from the HUMAN Satori Threat Intelligence Team about how an updated version of a malware obfuscation engine called ScrubCrypt (aka BatCloak) is being used to deliver the RedLine stealer malware.

"The new ScrubCrypt build was sold to threat actors on a small handful of dark web marketplaces, including Nulled Forum, Cracked Forum, and Hack Forums," the company said.