Security system bypass techniques added to GuLoader malware downloader

Advanced malware downloader GuLoader, also known as CloudEyE, has been found by CrowdStrike researchers to be using new techniques for bypassing security software, according to The Hacker News. While GuLoader was initially reported to be deployed via the RATDispenser JavaScript malware strain, CrowdStrike researchers found that a recent GuLoader sample uses a three-stage process: a next-stage loader performs anti-analysis checks before injecting shellcode, and that shellcode repeats the same anti-analysis techniques before downloading and executing the final payload, the report showed. "The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis of debugging mechanisms," said researchers. GuLoader has also gained a "redundant code injection mechanism" to avoid the NTDLL.dll hooks that endpoint detection and response solutions place on system calls. "GuLoader remains a dangerous threat that's been constantly evolving with new methods to evade detection," researchers added.