Thursday, June 1, 2023

How cybercriminals bypass antiviruses using Google Drive and GuLoader


Despite improvements in detection methods, GuLoader operators go unnoticed with the help of cloud storage.

Antivirus products are constantly being improved to deal with new threats, prompting malware developers to create workarounds such as packing and encryption. One such tool is GuLoader, a loader-as-a-service that fetches encrypted malicious files from a remote server and runs them in the memory of the victim's computer, bypassing antivirus programs.

Cybersecurity experts from Check Point note that GuLoader employs many evasion techniques and stands out in that its encrypted payloads are often stored on Google Drive. This lets attackers use a shellcode-based loader that downloads, decrypts, and executes a malicious file in memory without writing the decrypted payload to the hard drive.

Google tries to block the download of GuLoader's encrypted malicious files, but in most cases GuLoader still successfully retrieves its files from Google Drive.

According to researchers, GuLoader is currently being used to deliver the following malware:

  • FormBook;
  • XLoader;
  • Remcos;
  • 404Keylogger;
  • LokiBot;
  • AgentTesla;
  • NanoCore;
  • NetWire.

GuLoader used to be a Visual Basic application that used encrypted shellcode to load, decrypt and run a malicious file from memory; it is now based on VBScript and NSIS.

GuLoader attack chain

The NSIS and VBS variants of GuLoader share the same shellcode, which contains many anti-analysis techniques, including sandbox evasion and anti-debugging. Earlier versions of GuLoader could be bypassed with a debugger during dynamic analysis; this has become harder because of a technique that interferes with both debugging and static analysis.

Since the end of 2022, the GuLoader shellcode has used a new anti-analysis method: it deliberately raises a large number of exceptions that break the normal flow of code execution. An exception handler then transfers control to a dynamically calculated address. Because the real control-flow edge exists only inside the handler, a static disassembly shows junk after each faulting instruction, and a debugger that intercepts the exceptions itself breaks the intended flow.
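The following is an added example, written for this page and not code from GuLoader or from Check Point's report. It ports the idea of exception-driven control flow to Linux x86-64 with a POSIX SIGTRAP handler (GuLoader targets Windows and uses Windows exception handling; the XOR key 0x5A, the "one encoded skip byte after the trap" layout and the junk bytes are assumptions made here for illustration). The function executes an `int3`; the handler reads the byte after it, XORs it with the key to recover a skip count, and moves RIP past the junk bytes to the real next instruction.

```c
/* Exception-driven control flow on Linux x86-64 (illustrative, not GuLoader's code).
 * A deliberately raised int3 (SIGTRAP) lets the signal handler compute the next
 * instruction address from a byte stored after the trap. A linear disassembly shows
 * junk after the int3; a debugger that swallows the SIGTRAP never reaches the handler. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#define DEMO_KEY 0x5A  /* hypothetical XOR key chosen for this demo */

#if defined(__x86_64__) && defined(__linux__)
#ifndef REG_RIP
#define REG_RIP 16     /* glibc's index of RIP inside gregs on x86-64 */
#endif

static volatile sig_atomic_t trap_count = 0;

/* Handler: decode the byte that follows the int3, add it to RIP, resume there. */
static void trap_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    (void)si;
    ucontext_t *uc = (ucontext_t *)ctx;
    /* For int3 the kernel reports RIP just past the 0xCC byte. */
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uint8_t encoded = *(const uint8_t *)rip;
    uint8_t skip = (uint8_t)(encoded ^ DEMO_KEY);
    /* Skip the encoded byte itself plus `skip` bytes of junk. */
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(rip + 1 + skip);
    trap_count++;
}

static void install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = trap_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, NULL);
}

/* Returns 0x1337 only if the handler lands on the right instruction; the four
 * junk bytes (two ud2) would raise SIGILL if execution fell through into them. */
int exception_driven_flow(void)
{
    int result = 0;
    install_handler();
    __asm__ volatile(
        "int3\n\t"
        ".byte 0x5E\n\t"                   /* 4 ^ 0x5A: encoded skip count */
        ".byte 0x0F, 0x0B, 0x0F, 0x0B\n\t"  /* junk: two ud2 instructions */
        "movl $0x1337, %0\n\t"             /* real continuation */
        : "=r"(result)
        :
        : "memory");
    return result;
}

/* Number of traps the handler has processed so far (for checking it really ran). */
int trap_count_seen(void) { return (int)trap_count; }

#else
/* The demo needs Linux/x86-64 register access; elsewhere fall through to the
 * plain value so the function still returns the expected result. */
int exception_driven_flow(void) { return 0x1337; }
int trap_count_seen(void) { return -1; }
#endif

int main(void)
{
    int v = exception_driven_flow();
    printf("result=0x%x traps=%d\n", v, trap_count_seen());
    return v == 0x1337 ? 0 : 1;
}
```

Run it under gdb and the program stops at the `int3` instead of reaching the handler, which is exactly the anti-debugging effect: the analyst has to pass the signal through (`handle SIGTRAP nostop pass`) or reimplement the handler's arithmetic in a script to recover the real control flow, and with hundreds of such traps that becomes the main cost of the analysis.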

Attackers use encryption, strip file headers, and separate the payload from the downloader, making the files invisible to antiviruses. They use Google Drive as storage and bypass its antivirus protection; some download links for malicious files remain live for a very long time.
