Dec 09, 2023NewsroomMalware / Cyberattack

Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.

“While GuLoader’s core functionality hasn’t changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process,” Elastic Security Labs researcher Daniel Stepanic said in a report published this week.

First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that’s used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions.

A steady stream of open-source reporting into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented features.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails bearing ZIP archives or links containing a Visual Basic Script (VBScript) file.

Israeli cybersecurity company Check Point, in September 2023, revealed that “GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses.”

One of the recent changes to the malware is an improvement of an anti-analysis technique first disclosed by CrowdStroke in December 2022 and which is centered around its Vectored Exception Handling (VEH) capability.

It’s worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that “GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis.”

The method “consists of breaking the…