The content material of this publication is the only real accountability of the creator. AT&T doesn’t undertake or endorse any of the opinions, positions or info supplied by the creator on this article.

This weblog was co-written with Arjun Patel.

GuLoader is a malware downloader that’s primarily used to distribute different malware and shellcodes, comparable to ransomware and banking trojans. It was first found within the wild in late 2019 and has since grow to be a well-liked alternative amongst cybercriminals attributable to its effectiveness and ease of use. Researchers from cybersecurity agency CrowdStrike have lately revealed a technical writing detailing the assorted strategies utilized by GuLoader to keep away from detection.

Certainly one of GuLoader’s key options is its potential to evade detection from conventional safety options. It makes use of varied strategies to keep away from detection, together with packaging and encryption, in addition to utilizing reliable web sites and providers comparable to command and management (C2) servers. It additionally employs superior anti-debugging and anti-analysis strategies, making it harder for safety researchers to reverse engineer and analyze your code.

GuLoader is normally unfold by way of phishing campaigns, the place victims are tricked into downloading and putting in malware by way of emails or hyperlinks that include a Visible Fundamental script file. It may also be distributed by means of different means, comparable to drive-by downloads, the place malware is delivered to a sufferer’s pc by way of an online browser with out the sufferer’s information.

GuLoader makes use of a three-stage course of to ship the ultimate payload to the contaminated host. Throughout the first stage, the VBScript dropper file is downloaded to a registry key as a persistence mechanism and delivers a payload for the subsequent stage. The second stage payload performs anti-parsing checks earlier than injecting shellcode into reminiscence.

If these checks are profitable, the shellcode downloads the ultimate payload from a distant server and executes it on the compromised host. The shellcode incorporates a number of anti-parsing and anti-debugging measures, together with checking for the presence of a distant debugger and breakpoints, scanning for virtualization software program, and utilizing a “redundant code injection mechanism” to forestall NTDLL.dll hooks applied by endpoint detection and response (EDR) options

* encrypted ultimate payload

Along with its superior evasion strategies, GuLoader can be extremely customizable, permitting cybercriminals to tailor the malware to their particular wants. This consists of the flexibility to alter the looks of the malware, in addition to its conduct and performance.

PerimeterWatch offers you full management and administration over your information. The speed of change throughout the web, cellular gadgets, distributed processing, and different applied sciences is just staggering. Not maintaining can doom even a well-established group, however incorporating these new capabilities with out totally efficient safety methods and procedures will be simply as disastrous.

What PerimeterWatch presents is a very safe IT infrastructure. Whether or not meaning a totally managed IT and safety operate or co-managed along with your inside employees, we offer the safety intelligence, technical experience, and implementation experience wanted to make sure your options remedy your enterprise issues, with out merely creating new ones. .

www.perimeterwatch.com