New variant of the shellcode malware GuLoader spotted in the wild


GuLoader is a well-known shellcode-based fileless malware downloader which delivers payloads including AgentTesla, NetWire RAT and Remcos RAT. SonicWall RTDMI has been detecting a surge of VBScript files over the past few weeks which download and execute the GuLoader shellcode on the victim's machine. The SonicWall Capture Labs Threat Research team observed that older variants abused Microsoft OneDrive, but recent variants host the shellcode and payloads on Google Drive. GuLoader uses advanced anti-virtual-machine, anti-debug and anti-scan techniques, and when executed in a controlled environment it displays an error window saying "This program cannot be run under virtual environment or debugging software!" However, we noticed that in some of the recent variants this anti-VM check is missing:



The VBScript contains a huge number of random, unreferenced comments interleaved with the useful code:


The VBScript is more readable once the comments are removed, but it is still obfuscated to make it hard to understand. The obfuscation breaks strings into substrings and reassembles the actual string with Replace calls. Additionally, the malware echoes substrings at the command prompt and reads the command output back for use in the code:
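As an added analysis helper (not code from the SonicWall write-up or from the malware), the following Python strips the apostrophe and Rem comment noise described above while leaving string literals intact, which a naive "delete everything after the first apostrophe" regex would not do because the apostrophe inside a literal such as "It's" is not a comment. The sample VBScript lines are constructed for the demonstration, and the Rem handling is a heuristic: it treats Rem as a comment only when it starts a statement.

```python
import re

# Matches the Rem keyword only as a whole word: "Rem x" yes, "Remote" no.
_REM = re.compile(r"rem(?:\s|$)", re.IGNORECASE)


def strip_vbs_comments(source: str) -> str:
    """Return source with apostrophe and Rem comments removed and empty lines dropped.

    Scans character by character so that apostrophes inside double-quoted
    string literals (VBScript escapes a quote inside a literal as "") survive.
    """
    kept = []
    for line in source.splitlines():
        out = []
        in_string = False
        i = 0
        while i < len(line):
            ch = line[i]
            if in_string:
                out.append(ch)
                if ch == '"':
                    if i + 1 < len(line) and line[i + 1] == '"':
                        out.append('"')  # "" is an escaped quote, not the end of the literal
                        i += 1
                    else:
                        in_string = False
            elif ch == '"':
                in_string = True
                out.append(ch)
            elif ch == "'":
                break  # apostrophe comment runs to end of line
            elif ch in "rR" and (i == 0 or line[i - 1] in " \t:") and _REM.match(line, i):
                break  # Rem comment at the start of a statement (heuristic)
            else:
                out.append(ch)
            i += 1
        text = "".join(out).rstrip()
        if text.strip():
            kept.append(text)
    return "\n".join(kept)


# Constructed sample in the style of the dropper: filler comments around real code.
SAMPLE = "\n".join([
    "' Uvx2 Gjrrx Kq9s filler comment with no reference from the code",
    "Dim Forlad",
    "Dim Remote",
    "Forlad = \"Ju\" & \"li\" ' trailing comment after real code",
    "Rem another unreferenced comment",
    "Forlad = Replace(\"It\"\"s a test\", \"test\", \"Dusinelab\")",
    "Forlad = \"It's a test\"",
])

if __name__ == "__main__":
    print(strip_vbs_comments(SAMPLE))
```

Comment stripping only removes the padding; the substrings the script echoes through the command prompt are not resolvable statically and still need to be observed at runtime, for example by logging the processes the script spawns.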


The VBScript runs the PowerShell executable, passing a partially obfuscated PowerShell script as an argument:


PowerShell Script

The PowerShell script holds another obfuscated PowerShell script in a variable, which is de-obfuscated by the function "Barb9". The de-obfuscator takes every other byte of the variable to recover the actual PowerShell script:
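The alternate-byte scheme is simple to undo once you know which parity holds the real script. The Python below is an added example, not the malware's "Barb9" function or SonicWall's tooling: it decodes both parities and picks the one that looks like PowerShell. The sample script, the junk generator and the token-based scoring heuristic are all constructed for the demonstration.

```python
import random
import re

# Assumed scoring heuristic: real PowerShell is printable and tends to contain
# $variables, [System.*] type names, :: static calls and common operators.
_PS_TOKENS = re.compile(rb"(?i)\$[a-z_][a-z0-9_]*|\[System\.|::|-join|-bxor")


def interleave_junk(script: bytes, script_first: bool = True, seed: int = 7) -> bytes:
    """Constructed sample generator: pair each script byte with one junk byte,
    placing the script at even offsets (script_first) or at odd offsets."""
    rng = random.Random(seed)
    out = bytearray()
    for b in script:
        junk = rng.randrange(256)
        out += bytes([b, junk]) if script_first else bytes([junk, b])
    return bytes(out)


def take_alternate_bytes(blob: bytes, start: int) -> bytes:
    """The decoding step itself: every second byte starting at offset 0 or 1."""
    return blob[start::2]


def script_score(candidate: bytes):
    """Fraction of printable bytes, then number of PowerShell-looking tokens."""
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in candidate)
    return printable / max(len(candidate), 1), len(_PS_TOKENS.findall(candidate))


def recover_script(blob: bytes):
    """Try both parities and return (offset, decoded bytes) of the better candidate."""
    candidates = [(script_score(take_alternate_bytes(blob, s)), s) for s in (0, 1)]
    _, start = max(candidates)
    return start, take_alternate_bytes(blob, start)


# Constructed sample script; only the .dat path comes from the observed variant.
SAMPLE_SCRIPT = (
    b'$Dusinelab = [System.IO.File]::ReadAllBytes("$env:APPDATA\\Dusinelab.dat")\r\n'
    b'$Stub = $Dusinelab[0..655]\r\n'
)

if __name__ == "__main__":
    offset, decoded = recover_script(interleave_junk(SAMPLE_SCRIPT))
    print("script found at offset", offset)
    print(decoded.decode())
```

If a sample instead interleaves two real-looking streams, the printable-ratio heuristic will not separate them; in that case decode both parities and read them.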

To make it more readable, I have simplified the obfuscated PowerShell script by replacing the variables with their actual values. The malware downloads the shellcode from the URL h[t][t]ps:// into "%appdata%\Dusinelab.dat". It then allocates 0x290 bytes with PAGE_EXECUTE_READWRITE protection and 0x496A000 bytes with PAGE_READWRITE protection inside the PowerShell process. The malware reads "%appdata%\Dusinelab.dat", writes the first 656 (0x290) bytes into the PAGE_EXECUTE_READWRITE region and the remaining bytes into the PAGE_READWRITE region. It then calls the injected 656-byte stub, passing the address of the other injected bytes as an argument:



The initial 656-byte stub decrypts the GuLoader shellcode with a dword XOR operation and jumps to the decrypted shellcode:
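The layout described in the two paragraphs above (a 0x290-byte executable stub followed by the XOR-encrypted body) can be recovered from the dropped .dat file without running the stub. The Python below is an added example, not SonicWall's or the malware's code, and it assumes a constant 32-bit little-endian key; the write-up does not state the key or whether it changes per dword, so if the stub's loop turns out to roll the key you would need to follow its disassembly instead. The two key-recovery helpers are standard analyst tricks, and the sample .dat bytes are constructed (a 0x90-filled stand-in for the stub and a fake body), not real GuLoader data.

```python
import struct
from collections import Counter

STUB_SIZE = 0x290  # 656 bytes: the part the PowerShell script maps RWX and calls


def split_dat(blob: bytes):
    """Split a Dusinelab.dat-style blob into (stub, encrypted body),
    mirroring the two write sizes the PowerShell script uses."""
    if len(blob) <= STUB_SIZE:
        raise ValueError("blob is not longer than the %d-byte stub" % STUB_SIZE)
    return blob[:STUB_SIZE], blob[STUB_SIZE:]


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR each little-endian dword with a constant key. Cycling over the four
    packed key bytes is identical to a dword-wise XOR loop and also covers a
    trailing partial dword."""
    kb = struct.pack("<I", key & 0xFFFFFFFF)
    return bytes(b ^ kb[i & 3] for i, b in enumerate(data))


def key_from_known_prefix(cipher: bytes, known_plain: bytes) -> int:
    """If the first dword of the decrypted shellcode is known, one XOR gives the key."""
    if len(known_plain) < 4 or len(cipher) < 4:
        raise ValueError("need at least one full dword")
    (c,) = struct.unpack_from("<I", cipher)
    (p,) = struct.unpack_from("<I", known_plain)
    return c ^ p


def key_from_zero_runs(cipher: bytes) -> int:
    """Assumed heuristic: shellcode blobs usually contain zero-filled padding, and
    every zero dword encrypts to the key itself, so the most frequent dword is a
    strong key candidate (verify by checking the decrypted output)."""
    n = len(cipher) // 4
    counts = Counter(struct.unpack_from("<%dI" % n, cipher))
    return counts.most_common(1)[0][0]


def decrypt_dat(blob: bytes, key=None):
    """Return (decrypted body, key); guesses the key from zero runs if not given."""
    _, body = split_dat(blob)
    if key is None:
        key = key_from_zero_runs(body)
    return xor_dwords(body, key), key


# Constructed sample, not real GuLoader bytes: 16 distinct dwords followed by
# 16 zero dwords, encrypted under an arbitrary key, behind a filler stub.
SAMPLE_KEY = 0xDEADBEEF
SAMPLE_PLAIN = bytes(range(1, 65)) + bytes(64)
SAMPLE_DAT = b"\x90" * STUB_SIZE + xor_dwords(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    body, key = decrypt_dat(SAMPLE_DAT)
    print("guessed key 0x%08X, decrypted %d bytes" % (key, len(body)))
```

The 0x496A000-byte PAGE_READWRITE allocation is far larger than the encrypted body it receives; when carving from memory, use the file size minus 656 rather than the allocation size as the body length.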


GuLoader then downloads the malware payload onto the victim's machine. In recent variants we have observed that AgentTesla and Remcos are the most commonly downloaded families. Please refer to the previous blog for a detailed analysis of GuLoader.


At the time of writing, the file is detected by only a few security vendors on the popular threat-intelligence sharing portal VirusTotal, which indicates its spreading potential:


Evidence of detection by the RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.