CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

GuLoader Malware Utilizing New Techniques to Evade Security Software

admin by admin
December 26, 2022
in Information Security


Dec 26, 2022Ravie LakshmananReverse Engineering

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.

“New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.

GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that’s used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.

In November 2021, a JavaScript malware strain dubbed RATDispenser emerged as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper.

CyberSecurity

A recent GuLoader sample unearthed by CrowdStrike exhibits a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.

The shellcode, besides incorporating the same anti-analysis methods, downloads a final payload of the attacker’s choice from a remote server and executes it on the compromised host.

“The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis of debugging mechanisms,” the researchers pointed out.

This includes anti-debugging and anti-disassembling checks to detect the presence of a remote debugger and breakpoints, and if found, terminate the shellcode. The shellcode also features scans for virtualization software.

An added capability is what the cybersecurity company calls a “redundant code injection mechanism” to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring the APIs that are known to be abused by threat actors.

In a nutshell, the method involves using assembly instructions to invoke the necessary windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into memory via process hollowing.

The findings from CrowdStrike also come as cybersecurity firm Cymulate demonstrated an EDR bypass technique known as Blindside that allows for running arbitrary code by using hardware breakpoints to create a “process with only the NTDLL in a stand-alone, unhooked state.”

“GuLoader remains a dangerous threat that’s been constantly evolving with new methods to evade detection,” the researchers concluded.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

A Huge Thanks to My Fantastic 2022 Supporters and Digital Trailblazers

Next Post

Initiateleadershipvaluevirtue ~ Future of CIO

Related Posts

Information Security

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

by admin
February 2, 2023
Information Security

AWS achieves ISO 20000-1:2018 certification for 109 services

by admin
February 2, 2023
Information Security

Everything you need to know

by admin
February 2, 2023
Information Security

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

by admin
February 1, 2023
Information Security

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager

by admin
February 1, 2023
Next Post

Initiateleadershipvaluevirtue ~ Future of CIO

Recommended

Initiatetogoapproach

February 2, 2023

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

February 2, 2023

AWS achieves ISO 20000-1:2018 certification for 109 services

February 2, 2023

Everything you need to know

February 2, 2023

Influentialleadership ~ Future of CIO

February 1, 2023

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

February 1, 2023

© 2022 CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.