Researchers Uncover GuLoader Malware’s Evolving Evasion Tactics

In a recent discovery by threat hunters, the GuLoader malware has adopted new techniques that complicate analysis, making it a formidable challenge for security researchers.

Elastic Security Labs researcher Daniel Stepanic highlighted the continuous evolution of GuLoader’s obfuscation methods, emphasizing the strain it puts on analysis efforts despite the core functionality remaining relatively unchanged over the years.

GuLoader, initially detected in late 2019, operates as an advanced shellcode-based downloader, distributing various payloads like information stealers while employing intricate anti-analysis tactics to evade conventional security solutions.

Recent open-source findings revealed ongoing enhancements by the threat actors behind GuLoader, bolstering its capabilities to bypass both existing and emerging security features.

Typically disseminated through phishing campaigns, GuLoader relies on tricking victims into downloading it from email-delivered ZIP archives or links that contain Visual Basic Script (VBScript) files.

An Israeli cybersecurity firm disclosed in September 2023 that GuLoader now operates under a new guise alongside Remcos, being implicitly advertised as a crypter rendering its payload undetectable by antivirus software.

A recent modification to GuLoader refines an anti-analysis technique built on Vectored Exception Handling (VEH), a method previously described by CrowdStrike and detailed by McAfee Labs and Check Point in 2023. The technique disrupts code execution by generating and handling numerous exceptions, redirecting control flow to dynamically calculated addresses so that static disassembly and debugger-driven analysis no longer follow the real execution path.

GuLoader’s adaptation mirrors the trend of constant updates seen in other malware families, such as DarkGate, a remote access trojan (RAT) operated as malware-as-a-service (MaaS) by RastaFarEye. DarkGate, distributed via phishing emails with links containing VBScript or MSI files, recently underwent significant changes, including enhanced execution chains and revamped features for RDP password theft.

Security researchers from Trellix noted the actor’s agility in making rapid alterations, enabling evasion of detection mechanisms through iterative adjustments and sophisticated evasion methods.
