Dec 26 2022

GuLoader implements new evasion techniques

Category: Cyber Threats,Security vulnerabilitiesDISC @ 1:08 pm

Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.

CrowdStrike researchers d a detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).

GuLoader uses a polymorphic shellcode loader to avoid traditional security solutions, the experts mapped all embedded DJB2 hash values for every API used by the malicious code.

The malware uses an anti-analysis technique to avoid execution in virtualized environments.

“In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.” reads the analysis published by CrowdStrike.

“New redundant code injection mechanism means to ensure code execution by using  inline assembly to bypass user mode hooks from security solutions.”

GuLoader first appeared on the threat landscape in 2019, it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTeslaFormBookNanocore, NETWIRE and the Parallax RAT.

Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.

“GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.” reads the analysis.

A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:

  • The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory. 
  • The second stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.
  • The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.

The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.

GuLoader

The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.

“It then maps that section via NtMapViewofSection on the suspended process.” continues the analysis. “If this injection technique fails, it uses the following redundancy method:

a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll,  to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:

mov eax,18                           
mov edx,ntdll.77178850       
call edx                           
ret 18  

It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address. It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.”

Experts pointed out that GuLoader remains a dangerous threat that constantly evolves, they also shared Indicators of Compromise for the latest variant of the downloader.

Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Metasploit Penetration Testing Cookbook – Third Edition: Evade antiviruses, bypass firewalls, and exploit complex environments with the most widely used penetration testing framework

Infosec books | InfoSec tools | InfoSec services

Tags: Antivirus Bypass, evasion techniques, Metasploit


Jul 20 2022

The past, present and future of Metasploit

Category: Security ToolsDISC @ 9:19 am

Metasploit is the most used penetration testing framework. In this Help Net Security video, Spencer McIntyre, Lead Security Researcher at Rapid7, talks about how Metasploit enables defenders to always stay one step (or two) ahead of the game, and offers a glimpse into the future.

McIntyre is a lead security researcher at Rapid7, where he manages the Metasploit Framework’s dedicated research and development team. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019.

Metasploit
#METASPLOIT: Utilize the Most Frequently Used Penetration Testing Framework

#DISCInfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: Metasploit