Tales Of Valhalla – March 2024

Nextron’s March Valhalla digest highlights evasive samples including a hypervisor-targeting MrAgent, widespread GuLoader shellcode uploads (often as memory dumps), a HemiGate backdoor employing libvlc.dll sideloading and RC4-decrypted payloads, and an evolving IronWind downloader. The post also provides a Sigma rule to detect libvlc.dll sideloading and notes likely use of AheadLib for HemiGate builds. #MrAgent #Guloader #HemiGate #IronWind #EarthEstries #libvlc

Keypoints

  • MrAgent is a hypervisor-targeting binary designed to automate and track ransomware deployment across many hypervisor systems and contacts C2 servers supplied via command-line arguments.
  • GuLoader appears frequently on VirusTotal as memory-dump uploads; analysis of these dumps reveals GuLoader shellcode used as a first-stage downloader for payloads like Agent Tesla and Lokibot.
  • HemiGate loader samples mimic libvlc.dll to achieve DLL sideloading; all exports are stubbed except libvlc_new, which triggers RC4 decryption of the embedded HemiGate payload.
  • Strings in the HemiGate sample indicate probable generation with the AheadLib tool, and AV detection for later HemiGate samples increased over time after initial low coverage.
  • IronWind downloader samples have become stealthier versus earlier highly flagged uploads; decrypted strings in new variants suggest added capabilities to evade AV signatures.
  • Nextron provides a Sigma rule to detect potential libvlc.dll sideloading by flagging ImageLoaded events ending with ‘libvlc.dll’ outside standard VLC installation paths.

MITRE Techniques

  • [T1574.001] DLL Side-Loading – Used to load a malicious payload by imitating a legitimate DLL; detection referenced: ("Detects potential DLL sideloading of 'libvlc.dll', a DLL that is legitimately used by 'VLC.exe'")
  • [T1574.002] DLL Search Order Hijacking – Abuse of image load/search behavior to execute malicious code via libvlc.dll; observable in rule content: (ImageLoaded|endswith: 'libvlc.dll')

Indicators of Compromise

  • [File Hash] sample upload – 430cbf6d340e3b3ee92a0bca41c349071564a14fd31f810bd1b0702d5df75351 (MrAgent sample uploaded 2024-03-01)
  • [File Name] DLL used for sideloading – libvlc.dll (export stubs; the primary export 'libvlc_new' calls the RC4 decrypt routine)
  • [Sample Type] memory-dump uploads showing shellcode – GuLoader shellcode recovered from multiple VT memory-dump uploads, and additional direct GuLoader shellcode samples observed

MrAgent samples target hypervisor environments and are built to coordinate ransomware deployment at scale; the binary expects command-line-provided C2 server addresses and was flagged by Nextron’s generic VMware ESX rule. For responders, focus on hypervisor image/process anomalies and network indicators from command-line arguments when available.

GuLoader continues to propagate as a first-stage shellcode downloader, frequently appearing on VirusTotal as memory-dump artifacts uploaded via the VT API. Analysts should extract and inspect memory dumps for GuLoader stubs and follow its download chains to secondary payloads (e.g., Agent Tesla, Lokibot). The persistence of zero-detection uploads underscores the need for memory and behavioral analysis beyond static AV scans.

HemiGate loader samples implement DLL sideloading by presenting as libvlc.dll with stubbed exports; only libvlc_new contains real logic, which RC4-decrypts an embedded HemiGate payload, and strings in the sample suggest AheadLib was used to generate the loader. To detect such activity, Nextron published a Sigma rule that matches ImageLoaded events ending with 'libvlc.dll' while excluding the default VLC install paths (ImageLoaded|endswith: 'libvlc.dll' and ImageLoaded not starting with a default VLC path). Apply image-load monitoring and validate DLL sources to catch sideloading attempts; similarly, monitor for evolving IronWind downloader variants by extracting decrypted strings and tracking behavioral changes.
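The detection logic of the libvlc.dll sideloading rule summarised above, as an added Python example that is not Nextron's rule or code. It runs the same two conditions (ImageLoaded ends with 'libvlc.dll', ImageLoaded does not start with a default VLC install path) over constructed Sysmon-style image-load events; the default VLC directories, the 'Key=Value | Key=Value' log format and the sample events are assumptions made for the example, not values from the post.

```python
# Added example: libvlc.dll sideloading detection modelled on the Sigma rule
# described in the digest. Not Nextron's rule or code. The VLC default paths,
# the log line format and the sample events are assumptions for this example.

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed default VLC installation directories (not given on the page).
VLC_DEFAULT_PATHS = (
    "C:\\Program Files\\VideoLAN\\VLC\\",
    "C:\\Program Files (x86)\\VideoLAN\\VLC\\",
)


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str          # process that performed the load (Sysmon 'Image')
    image_loaded: str   # full path of the loaded module (Sysmon 'ImageLoaded')


def parse_event(line: str) -> Optional[ImageLoadEvent]:
    """Parse a constructed 'Key=Value | Key=Value' log line into an event.

    Returns None for lines that lack the two fields the rule needs.
    """
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "Image" not in fields or "ImageLoaded" not in fields:
        return None
    return ImageLoadEvent(fields["Image"], fields["ImageLoaded"])


def is_suspicious_libvlc_load(image_loaded: str) -> bool:
    """Mirror of the rule: ImageLoaded ends with 'libvlc.dll' and does not
    start with a default VLC install path. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased first."""
    path = image_loaded.lower()
    if not path.endswith("libvlc.dll"):
        return False
    return not any(path.startswith(p.lower()) for p in VLC_DEFAULT_PATHS)


def scan(lines: Iterable[str]) -> List[ImageLoadEvent]:
    """Return the image-load events that match the sideloading rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is not None and is_suspicious_libvlc_load(event.image_loaded):
            alerts.append(event)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "EventID=7 | Image=C:\\Program Files\\VideoLAN\\VLC\\vlc.exe | ImageLoaded=C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll",
    "EventID=7 | Image=C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe | ImageLoaded=C:\\Users\\user\\AppData\\Local\\Temp\\libvlc.dll",
    "EventID=7 | Image=C:\\Windows\\System32\\svchost.exe | ImageLoaded=C:\\Windows\\System32\\ntdll.dll",
    "EventID=7 | Image=D:\\portable\\player.exe | ImageLoaded=D:\\portable\\LIBVLC.DLL",
    "EventID=1 | Image=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT libvlc.dll sideloading candidate: {hit.image} loaded {hit.image_loaded}")
```

The fourth sample event shows the rule's main false-positive class: a portable or non-default VLC installation also loads libvlc.dll outside the default directories, so in production the path allow-list should be extended to wherever VLC is legitimately deployed, and the loading process (Image) reviewed before escalating.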

Read more: https://www.nextron-systems.com/2024/03/05/tales-of-valhalla-march-2024/