Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer

Malware configurations are a critical target for analysis, and this article explores how GuLoader and RedLine Stealer embed and protect their configuration data. It also covers the Python-based extractors that recover these configurations from memory dumps, and the obfuscation and anti-analysis techniques used to thwart static analysis. #GuLoader #RedLineStealer #VirusBulletin2023 #Unit42 #CiphertextSplitting #ControlFlowObfuscation #AntiAnalysis

Key points

  • The article explains how malware configurations can reveal attacker intent and how researchers extract them.
  • Researchers developed Python-based extractors to scan and retrieve configuration data from memory dumps associated with samples.
  • GuLoader’s obfuscation evolved to ciphertext splitting and control flow obfuscation, complicating static configuration extraction.
  • GuLoader employs anti-analysis techniques designed to trigger exceptions to hinder debugging and analysis.
  • RedLine Stealer’s configuration is encrypted within the sample and decrypted using a Python routine, with analysis of .NET MSIL tokens to locate strings.
  • The findings aim to improve detection, analysis, and countermeasures, and emphasize collaboration with CTA for rapid protections.
  • SHA256 hashes of the analyzed samples are provided as IOCs for GuLoader and RedLine Stealer.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – GuLoader’s ciphertext splitting and control flow obfuscation are used to protect configuration data. ‘Ciphertext has to be decoded in blocks from a function before it can be used.’
  • [T1005] Data from Local System – The article describes extracting internal malware configurations from memory dumps using Python extractors. ‘These extractors, written in Python, are designed to scan and extract configuration data from memory dumps associated with specific malware samples.’
  • [T1562.001] Impair Defenses – Anti-analysis instructions are designed to trigger EXCEPTION_BREAKPOINT, EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP to hinder analysis. ‘anti-analysis instructions… triggered EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP’

Indicators of Compromise

  • [SHA256 Hash] GuLoader Sample – 32ea41ff050f09d0b92967588a131e0a170cb46baf7ee58d03277d09336f89d9
  • [SHA256 Hash] RedLine Stealer Sample – a4cf69f849e9ea0ab4eba1cdc1ef2a973591bc7bb55901fdbceb412fb1147ef9

Read more: https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/#post-131796-_v8176g40kstn