Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis

CrowdStrike’s analysis reveals GuLoader’s new anti-analysis shellcode, VM detection, and a redundant code-injection approach that helps ensure execution. The researchers also map all DJB2 hashes for GuLoader’s APIs, providing a complete view of its behavior to strengthen CrowdStrike Falcon’s detection capabilities. #GuLoader #DJB2 #PowerShell #VBScript #Remcos #CrowdStrike #Falcon

Key Points

  • GuLoader is an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.
  • New anti-analysis techniques include memory-scanning for VM-related strings to detect hostile environments and patching debugger instructions to evade researchers.
  • CrowdStrike maps all DJB2 hash values for GuLoader’s APIs, providing a complete view of its behavior and API interactions.
  • The malware employs a multistage deployment: a VBScript dropper writes a registry key, a PowerShell script unpacks and loads the shellcode, and a final stage downloads and runs the last payload.
  • Process injection and a redundant injection path are used to ensure code execution, including creating a Windows process and injecting shellcode, with a fallback to inline assembly.
  • Final payload delivery leads to dropping Remcos after decrypting and downloading from a remote server.
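The DJB2 mapping in the third point is the kind of table an analyst builds to resolve the hash constants found in a shellcode dump back to Windows API names. The following is an added example, not code from the CrowdStrike post or from GuLoader; it assumes the classic DJB2 parameters (seed 5381, multiply by 33, 32-bit truncation), which the page does not confirm as GuLoader’s exact variant, and the API list and byte dump are constructed for illustration.

```python
import struct
from typing import Dict, Iterable, List, Tuple

DJB2_SEED = 5381  # assumption: classic seed; the page does not give GuLoader's exact variant

def djb2(name: str, seed: int = DJB2_SEED) -> int:
    """Classic DJB2 (h = h*33 + c) over ASCII bytes, truncated to 32 bits like shellcode."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h

def build_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> API name so a constant seen in a dump can be looked up."""
    table: Dict[int, str] = {}
    for name in api_names:
        h = djb2(name)
        if table.get(h, name) != name:
            raise ValueError(f"DJB2 collision at {h:#010x}: {table[h]} vs {name}")
        table[h] = name
    return table

def find_hash_constants(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """Slide a 4-byte window over the dump; return (offset, hash, api) for each hit.
    Values are read little-endian, the encoding of an x86 imm32 operand."""
    hits: List[Tuple[int, int, str]] = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in table:
            hits.append((off, value, table[value]))
    return hits

# Constructed sample input: a short export list and a fake dump embedding two hashes.
SAMPLE_APIS = ["VirtualAlloc", "CreateProcessW", "NtCreateSection",
               "NtMapViewOfSection", "ResumeThread", "WriteProcessMemory"]
SAMPLE_DUMP = (b"\x90\x90"                                            # filler
               + b"\x68" + struct.pack("<I", djb2("VirtualAlloc"))     # push imm32
               + b"\xb8" + struct.pack("<I", djb2("NtCreateSection"))  # mov eax, imm32
               + b"\xc3")                                              # ret

def resolve_sample() -> List[str]:
    """Resolve the constructed dump; returns API names in offset order."""
    table = build_table(SAMPLE_APIS)
    return [api for _, _, api in find_hash_constants(SAMPLE_DUMP, table)]

if __name__ == "__main__":
    for off, h, api in find_hash_constants(SAMPLE_DUMP, build_table(SAMPLE_APIS)):
        print(f"offset {off:#04x}: {h:#010x} -> {api}")
```

On a real dump, feed the table the export names of kernel32.dll and ntdll.dll and adjust the seed or mixing step if the sample's hashing routine differs from classic DJB2.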

MITRE Techniques

  • [T1059.005] VBScript – VBScript dropper persists by writing to the Registry; “For persistence, this shellcode is then added to the Registry Key (HKEY_CURRENT_USER\SOFTWARE\TYMPANIESI) by the VBScript.”
  • [T1059.001] PowerShell – PowerShell loads and executes shellcode; “The PowerShell script adds a Microsoft .NET class to a PowerShell session using Add-Type -typedefinition. It then reads the shellcode from the registry entry created by the VBScript and loads the shellcode into the virtually allocated memory space…”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via registry key mentioned in the VBScript step; “For persistence, this shellcode is then added to the Registry Key (HKEY_CURRENT_USER\SOFTWARE\TYMPANIESI) by the VBScript.”
  • [T1055] Process Injection – The second stage creates a Windows process and injects the shellcode; “creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.”
  • [T1055.012] Process Hollowing – Details on hollowing-like injection where a new section is created and shellcode mapped into the suspended process; “Process hollowing is a technique of executing arbitrary code in the address space of a separate live process by creating a process in a suspended state then unmapping/hollowing its memory…”
  • [T1105] Ingress Tool Transfer – Final payload download from a remote server; “downloading the final payload from a remote server and executes it on the victim’s machine.”
  • [T1497] Virtualization/Sandbox Evasion – VM detection by memory scanning for VMware strings; “memory scanning for VMware-related string checks on every memory page from the entire process memory.”

Indicators of Compromise

  • [File] GuLoader SHA256 – f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f
  • [File] ieinstal.exe – Windows process used for injection during the second-stage payload execution
  • [URL] Final payload download URL – https://biropem[.]papuabaratprov[.]go[.]id/bin_fXZOFMVq248[.]bin

Read more: https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/