A three-stage infection process and advanced EDR-bypass features.
CrowdStrike cybersecurity researchers have identified a wide range of techniques used by the advanced malware loader GuLoader to bypass security tools.
GuLoader (also known as CloudEyE) is a Visual Basic Script (VBS) loader used to distribute remote access trojans (RATs) such as Remcos. It was first discovered in 2019.
The discovered sample of GuLoader demonstrates a three-stage infection process:
First stage: the VBS dropper stores the packed second-stage payload in a registry key, then uses a PowerShell script to read the payload from that registry key, unpack it in memory and execute it.
Second stage: the second-stage payload runs its anti-analysis routines, creates a Windows process (e.g. ieinstal.exe) and injects its shellcode into the new process.
Third stage: all anti-analysis techniques are run again, then the final payload is downloaded from a remote server and executed on the victim's machine.
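As an added defender-side example (not code from the CrowdStrike report or from GuLoader itself), the following Python sketch correlates the stage-one chain described above: a script host that writes a registry value and then spawns PowerShell whose command line reads from the registry. The event records are constructed, simplified Sysmon-style entries (event ID 13 = registry value set, event ID 1 = process creation), and the field names are assumptions, not a real telemetry schema.

```python
import re
from collections import defaultdict

# Script hosts that act as the stage-one dropper (wscript.exe runs .vbs files).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# PowerShell constructs that read a value back out of the registry.
REG_READ = re.compile(r"get-itemproperty|getvalue\(|registry::|hk(?:cu|lm):", re.I)

def image_name(path):
    """Return the lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_registry_staged_powershell(events):
    """Flag PowerShell launched by a script host that earlier wrote a registry value
    and whose command line reads from the registry (stage-two payload retrieval)."""
    writes = defaultdict(list)   # script-host pid -> registry targets it wrote
    alerts = []
    for ev in events:
        name = image_name(ev["image"])
        if ev["id"] == 13 and name in SCRIPT_HOSTS:          # registry value set
            writes[ev["pid"]].append(ev["target"])
        elif ev["id"] == 1 and name == "powershell.exe":      # process creation
            ppid = ev.get("ppid")
            if ppid in writes and REG_READ.search(ev.get("cmd", "")):
                alerts.append({"powershell_pid": ev["pid"], "parent_pid": ppid,
                               "staged_keys": list(writes[ppid]), "cmd": ev["cmd"]})
    return alerts

# Constructed, simplified Sysmon-style records; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 13, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\ConstructedVendor\Blob"},
    {"id": 1, "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -nop -w hidden (Get-ItemProperty HKCU:\Software\ConstructedVendor).Blob"},
    # Benign: an administrator reads the registry from a PowerShell started by explorer.exe.
    {"id": 1, "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell Get-ItemProperty HKLM:\Software\Microsoft\Windows"},
]

if __name__ == "__main__":
    for alert in detect_registry_staged_powershell(SAMPLE_EVENTS):
        print(alert)
```

Only the PowerShell instance whose parent script host previously wrote a registry value is flagged; the explorer-launched administrative query is not.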
The malware implements anti-debugging and anti-disassembly checks to detect breakpoints placed for code analysis. The researchers also noted that GuLoader includes a "redundant code injection mechanism" to evade NTDLL.dll API hooking. NTDLL.dll API hooking is a technique used by anti-malware products to detect and flag suspicious processes in Windows by monitoring calls to APIs commonly abused by malware.
The researchers concluded that GuLoader remains a dangerous threat that keeps evolving through new detection-evasion methods.