Cloud-Based Malware Delivery: The Evolution of GuLoader – Check Point Research

GuLoader is a cloud-delivered, shellcode-based downloader used to deliver a variety of malware, frequently hosted on Google Drive. The article details its ongoing development, sophisticated anti-analysis techniques, and in-memory execution that avoids writing decrypted payloads to disk. #GuLoader #Remcos #Formbook #XLoader #404Keylogger #Lokibot #AgentTesla #NanoCore #NetWire

Keypoints

  • GuLoader is a shellcode-based downloader that has been used to deliver a wide range of high-profile malware.
  • Active for more than three years and continually developed; each revision adds anti-analysis techniques that slow reverse engineering, and new samples often show zero detections on VirusTotal.
  • The payload is fully encrypted, including PE headers, enabling long-term cloud hosting and evading antivirus protections.
  • Two main variants exist: a VBScript-based variant and an NSIS installer variant; the VBScript variant stores the shellcode on a remote server.
  • The GuLoader shellcode employs extensive anti-analysis and anti-debugging techniques, including a novel vector exception handler and use of int3-breakpoint tricks to thwart debugging.
  • GuLoader has been observed distributing malware such as Formbook, XLoader, Remcos, 404Keylogger, Lokibot, AgentTesla, NanoCore, and NetWire.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – GuLoader downloads encrypted payloads from remote hosts (often Google Drive) to install malware. Quote: “The encrypted payload is uploaded to a remote server… the GuLoader shellcode that downloads the payload from a remote server”.
  • [T1027] Obfuscated/Compressed Files and Information – The loader uses heavy obfuscation and encryption to resist analysis. Quote: “the VBScript variant stores the shellcode on a remote server” and “The VBScript itself contains only a small obfuscated PowerShell script and a lot of junk code.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The VBScript variant invokes PowerShell to execute the collected script. Quote: “The VBScript contains only a small obfuscated PowerShell script…”
  • [T1059.005] Command and Scripting Interpreter: VBScript – The VBScript-based variant relies on VBScript to initiate the download and execution chain. Quote: “VBScript variant stores the shellcode on a remote server.”
  • [T1055] Process Injection – GuLoader decrypts the payload and runs it in memory, avoiding writes to disk. Quote: “decrypts and runs it in memory without dropping the decrypted data to the hard drive.”
  • [T1562.001] Impair Defenses – The loader employs anti-analysis and sandbox evasion techniques, including a novel vector exception handler. Quote: “a new anti-analysis technique… breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address.”

Indicators of Compromise

  • [MD5] GuLoader VBScript – 9623c946671c6ec7a30b7c45125d5d48, 40b9ca22013d02303d49d8f922ac2739, and 5 more hashes
  • [MD5] GuLoader shellcode (base64) – 141da1d174041a32cc6a234d80d0b850
  • [URL] ITW URL – https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q
  • [URL] ITW URL – https://drive.google.com/uc?export=download&id=1soTWv6y3rkBBbmMcBMOwovCqXxU4UQRB
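The indicators above, together with the VBScript-to-PowerShell chain and the Google Drive direct-download URLs described in the MITRE section, can be turned into simple detection logic. The following is an added example, not code from Check Point Research or the original article: it matches the page's MD5 hashes and Drive file ids against constructed sample telemetry (the log format, host names and non-IoC hash values are invented for illustration) and also flags the generic patterns a hunter would look for, namely a script host spawning PowerShell and any `uc?export=download` fetch from Google Drive.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicators taken from the page above (MD5 hashes and Google Drive file ids).
IOC_MD5 = {
    "9623c946671c6ec7a30b7c45125d5d48",
    "40b9ca22013d02303d49d8f922ac2739",
    "141da1d174041a32cc6a234d80d0b850",
}
IOC_DRIVE_IDS = {
    "1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q",
    "1soTWv6y3rkBBbmMcBMOwovCqXxU4UQRB",
}

# Interpreters in the VBScript -> PowerShell chain described on the page.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry, not real logs. Format: "<ts> <host> <source> key=value ...".
# Hashes ending in f/e and the 0000... Drive id are placeholders, not indicators.
SAMPLE_LOGS = [
    "2023-05-01T10:00:01Z ws01 edr proc=wscript.exe parent=explorer.exe md5=9623c946671c6ec7a30b7c45125d5d48",
    "2023-05-01T10:00:02Z ws01 edr proc=powershell.exe parent=wscript.exe md5=ffffffffffffffffffffffffffffffff",
    "2023-05-01T10:00:03Z ws01 proxy url=https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q",
    "2023-05-01T10:00:04Z ws02 proxy url=https://drive.google.com/uc?export=download&id=0000000000000000000000000000000",
    "2023-05-01T10:00:05Z ws02 proxy url=https://drive.google.com/file/d/abc/view",
    "2023-05-01T10:00:06Z ws03 edr proc=powershell.exe parent=cmd.exe md5=eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one constructed log line into a dict of timestamp, host, source and key=value fields."""
    parts = line.split(" ", 3)
    ts, host, source = parts[0], parts[1], parts[2]
    fields = dict(KV_RE.findall(parts[3])) if len(parts) > 3 else {}
    return {"ts": ts, "host": host, "source": source, **fields}


def drive_file_id(url):
    """Return the file id of a Google Drive direct-download URL (uc?export=download&id=...), else None."""
    p = urlparse(url)
    if p.hostname != "drive.google.com" or p.path != "/uc":
        return None
    q = parse_qs(p.query)
    if q.get("export") != ["download"]:
        return None
    ids = q.get("id")
    return ids[0] if ids else None


def findings_for(event):
    """Apply the IoC matches and the two behavioural rules to one parsed event."""
    out = []
    if event.get("md5", "").lower() in IOC_MD5:
        out.append("known_ioc_md5")
    # T1059.005 -> T1059.001: a script host launching PowerShell, as in the VBScript variant.
    if event.get("proc", "").lower() in POWERSHELL and event.get("parent", "").lower() in SCRIPT_HOSTS:
        out.append("script_host_spawned_powershell")
    url = event.get("url")
    if url:
        fid = drive_file_id(url)
        if fid in IOC_DRIVE_IDS:
            out.append("known_ioc_drive_id")
        elif fid:
            # Generic, lower-confidence signal: payload staging via Drive direct download (T1105).
            out.append("drive_direct_download")
    return out


def scan(lines):
    """Return (host, finding) pairs for every rule that fires across the given log lines."""
    results = []
    for line in lines:
        ev = parse_line(line)
        for finding in findings_for(ev):
            results.append((ev["host"], finding))
    return results


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_LOGS):
        print(f"{host}: {finding}")
```

The exact-match rules fire only on the hashes and file ids listed above; the two behavioural rules are what keep the logic useful once a new GuLoader build with fresh hashes and a fresh Drive link appears, at the cost of needing triage because legitimate Drive downloads and script-driven PowerShell also occur in most environments.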

Read more: https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/