Unit 42 researchers describe a machine learning pipeline that analyzes memory-based artifacts from a hypervisor-based sandbox to detect evasive malware like GuLoader. The article discusses limitations of static and sandbox analysis and demonstrates how memory-resident artifacts can improve detection using ML. #GuLoader #NSIS #FormBook #AdvancedWildFire
Keypoints
- GuLoader is analyzed as a memory-resident, evasive downloader that uses an NSIS crypter and runtime decryption to hide its payload.
- Static analysis and sandbox-based analysis are circumvented by packing, obfuscation, and sandbox evasion techniques.
- The NSIS script extracts and decodes code, builds a shellcode payload, and loads it into memory for execution.
- Memory-artifact based ML detects GuLoader by observing dynamically resolved function pointers, memory page permission changes, and unpacked executables.
- The approach uses an ensemble ML model that combines memory artifacts and execution traces for malware detection.
- The GuLoader sample downloads a final payload from a remote URL, identified as FormBook in the analysis, with associated SHA-256 hashes.
- Key IOCs include specific SHA-256 hashes and a payload URL pointing to a malicious host.
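As an added illustration (not code from the Unit 42 article or its pipeline), the feature extraction a detector could run over hypervisor-sandbox memory events to surface the artifacts the key points name; the event format, field names, weights and log lines are all constructed assumptions, and the weighted score stands in for the trained ensemble.

```python
import re
from collections import Counter, defaultdict
# Constructed sandbox memory-event log (sample data, not from the article); field
# names, event kinds and the weights below are assumptions for this illustration.
SAMPLE_EVENTS = [
    "pid=1204 api=GetProcAddress module=kernel32.dll func=VirtualAlloc",
    "pid=1204 api=GetProcAddress module=kernel32.dll func=VirtualProtect",
    "pid=1204 mem=alloc base=0x02a40000 size=0x18000 prot=RW",
    "pid=1204 mem=protect base=0x02a40000 old=RW new=RX",
    "pid=1204 mem=scan base=0x02a40000 magic=MZ",
    "pid=1204 api=EnumWindows callback=0x02a40100",
    "pid=3300 api=GetProcAddress module=user32.dll func=MessageBoxW",
    "pid=3300 mem=alloc base=0x00f10000 size=0x1000 prot=RW",
    "pid=3300 api=EnumWindows callback=0x00401000",
]
FIELD = re.compile(r"(\w+)=(\S+)")
WEIGHTS = {"resolved_api": 1, "rw_to_x": 3, "unpacked_pe": 3, "callback_in_alloc": 4}

def parse(line):
    return dict(FIELD.findall(line))

def extract_features(lines):
    """Per-pid counts of the artifacts named in the key points: resolved API pointers,
    pages gaining execute permission, a PE header in runtime memory, and a callback into it."""
    feats = defaultdict(Counter)
    regions = defaultdict(list)  # pid -> [(base, end)] of runtime allocations
    for ev in map(parse, lines):
        pid, f = ev["pid"], feats[ev["pid"]]
        if ev.get("api") == "GetProcAddress":
            f["resolved_api"] += 1
        elif ev.get("mem") == "alloc":
            base = int(ev["base"], 16)
            regions[pid].append((base, base + int(ev["size"], 16)))
        elif ev.get("mem") == "protect" and "X" in ev["new"] and "X" not in ev["old"]:
            f["rw_to_x"] += 1  # writable page became executable: unpacking signal
        elif ev.get("mem") == "scan" and ev.get("magic") == "MZ":
            f["unpacked_pe"] += 1
        elif ev.get("api") == "EnumWindows" and "callback" in ev:
            cb = int(ev["callback"], 16)
            if any(lo <= cb < hi for lo, hi in regions[pid]):
                f["callback_in_alloc"] += 1  # callback lives outside any loaded module
    return dict(feats)

def score(feats, threshold=6):
    """Weighted sum per pid plus a verdict; a stand-in for the trained ensemble."""
    out = {}
    for pid, f in feats.items():
        s = sum(WEIGHTS[k] * v for k, v in f.items())
        out[pid] = (s, s >= threshold)
    return out
```

Only pid 1204 crosses the threshold: it resolves APIs, flips a writable region to executable, exposes an MZ header there and then hands EnumWindows a callback inside that region, while pid 3300 resolves one API and passes a callback inside its image.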
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – GuLoader is encrypted and delivered inside an NSIS installer, so its contents must be unpacked before static analysis is possible. “The GuLoader malware is encrypted, and it is also delivered through a NSIS installer file that is not ideal for static analysis because the file contents must be unpacked first.”
- [T1105] Ingress Tool Transfer – The final payload is downloaded from a remote URL. “Payload URL: http://ozd[.]com[.]ar/wp-includes/nHMoYlbGLWls101.qxd”
- [T1055.012] Dynamic API Resolution – NSIS scripts can call any exported DLL function at runtime, which the malware uses to resolve Windows API functions dynamically. “NSIS gives developers the ability to call any exported function from a Windows DLL, and it also allows developers to save the results directly in NSIS registers/stack. This functionality allows malware authors to dynamically call Windows API functions on runtime and makes static analysis harder.”
- [T1055] Process Injection – The decoded shellcode is loaded and executed in memory through a Windows API callback (EnumWindows). “The decoded functions together read a shellcode from another file from the NSIS archive, and they execute it using the EnumWindows function.”
- [T1497] Virtualization/Sandbox Evasion – The sample performs anti-analysis checks, including VM detection, and refuses to run in a virtual environment. “The sample can’t be executed in a virtual environment.”
Indicators of Compromise
- [Hash] – cc6860e4ee37795693ac0ffe0516a63b9e29afe9af0bd859796f8ebaac5b6a8c, fa0b6404535c2b3953e2b571608729d15fb78435949037f13f05d1f5c1758173
- [URL] – http://ozd[.]com[.]ar/wp-includes/nHMoYlbGLWls101.qxd
- [Domain] – ozd.com.ar
- [File name] – Malkekvg.Nat, Programmeludviklinger210.Kon
- [Registry Key] – Software\Microsoft\Windows\CurrentVersion\RunOnce
Read more: https://unit42.paloaltonetworks.com/malware-detection-accuracy/