Infection Cycle:

This so called better version of ChatGPT is hosted on a website that promises the download of its AI tool which outperforms and is more advanced than ChatGPT.

The website even links to the promotional Youtube video of the legitimate ChatGPT-4 from the original developer, OpenAI.

The user gets a password- protected RAR archive from the download link on this malicious website. This password is conveniently provided on the website and upon execution runs a Microsoft software installer file (msi).

The rar archive and the msi file use the following file names:

• ChatGPT4_V2_3.3_Setup.rar
• ChatGPT4 V2 3.3 Setup.msi

It opens a popup box that will guide the user to a seemingly legitimate program installation.

It drops the following files in the program files directory:

Upon completed installation, it opens the chrome browser to OpenAI’s real website which will lead  the victim to believe that the real ChatGPT from the original developer was installed.

But silently, it spawned the command prompt to run the batch file named gpt4.bat which started the Chrome browser and loaded a browser extension named “dmkamcknogkgcdfhhbddcghachkejeapgpt4.”

To hide its real intent and to make it sound benign, this malicious extension is named “Google Translate.”

After careful examination of the original file that was installed as a browser extension we found that it was an obfuscated javascript file whose primary function is to steal facebook cookies presumably to use stolen credentials to further this online scam.

SonicWall Capture Labs provides protection against this threat via the following signatures:

• GAV: Fake.GPT (Trojan)
• GAV: Fakechrome.EXT (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

SonicWall Capture Labs Research team recently observed a new variant of GuLoader (a.k.a Cloudeye). GuLoader is a shellcode-based downloader, known for its numerous anti-analysis techniques and control flow obfuscation. In latest variant of GuLoader it introduces new ways to raise exceptions that hamper complete analysis process and its execution under controlled environment.

In this blog post, we will discuss

• Unpacking of GuLoader’s shellcodes.
• Understanding a new anti-debug technique deployed by GuLoader.
• Deep dive into GuLoader’s custom Vectored Exception Handler.
• Writing an IDAPython script to deobfuscate the control flow of shellcode and to make GuLoader’s analysis easy and fast.

INTRODUCTION

GuLoader is an advanced downloader first discovered in 2019 and since then it kept evolving, adding new anti-debugging techniques with its every new variant. It downloads malicious payload including AgentTesla, Azorult and Ramcos RAT etc. Currently GuLoader is spreading through malspam campaign and packed using NSIS installer.

UNPACKING GULOADER’S SHELLCODE

GuLoader’s shellcode is executed after three layers.

Layer 1:

Recent variant of GuLoader is spreading as NSIS Installer consisting of NSIS script, DLL plugin and encrypted shellcode’s file. We need NSIS variant of 7-zip to extract the NSIS script, as typical installer of 7-zip is unable to extract the NSIS script.

Fig 1. Extracted files from NSIS installer.

File “Hangarer.Man” contains shellcode of Layer 2 and an encrypted shellcode of Layer 3 which is main shellcode of GuLoader.

System.dll is DLL file which exports multiple functions. An Exported function named as “Call” is called by NSIS script. This function is responsible to allocate and execute Layer 2 shellcode.

Fig 2. NSIS script calling Exported function Call.

Call function allocates memory space and copies content of file Hangarer.Man from offset 0x409 till last byte. It then calls CallWindowProcW API. First parameter of CallWindowProcW is lpPrevWndFunc. lpPrevWndFunc is callback function, which is set to address of allocated memory space, which results in indirect execution of the Layer 2’s shellcode.

Layer 2:

Malware immediately decrypts the third layer which located at offset 0x1c9 in layer 2 and starts its execution.

Fig 3. Decryption of layer 3.

Layer 3:

It is the final GuLoader shellcode. This shellcode has complex obfuscation, consisting of junk code, indirect function calls, dynamic API resolution, obfuscated arithmetic value calculations, using stack to decrypt strings, fake instructions, anti-debug, anti-vm, anti-analysis, anti-dump, anti-API hook, anti-emulation techniques.

• During analysis of this variant, we have identified a significant enhancement in GuLoader’s one of most effective anti-debug technique that it’s custom Vectored Exception Handler.
• Malware raises exceptions by executing cleverly crafted series of instructions. Also it uses same instructions multiple times in shellcode to make it hard for reverser to perform static and dynamic analysis and to consume lot of time.
• Ultimate goal of GuLoader for using this anti-debug technique is to achieve runtime control flow obfuscation.

GuLoader incorporates various evasions techniques. Mentioning them below in order in which they are get executed.

• Scan the virtual memory for the strings related to analysis tools.
• Uses Heaven Gate technique to redirect it’s execution under x64 OS.
• Check QEMU emulator related strings.
• Patch DbgBreakPoint and DbgUiRemoteBreakin API used by debuggers.
• Uses EnumWindows API to enumerates windows.
• Uses NtSetInformationThread API with ThreadHideDebugger(0x11).
• Uses EnumDeviceDrivers and GetDeviceDriverBaseNameA APIs.
• Uses MsiEnumProductsA and MsiGetProductInfoA APIs.
• Uses OpenSCManagerA and EnumServicesStatusA APIs.
• Use NtQueryInformationProcess API with DebugPort(0x7).

An Overview of the Payload’s Execution Sequence

• Create suspended child process of itself.
• In newly created process, it creates a section using genuine file to avoid AVs suspicious scanning. In this case it was using mshtml.dll.
• Injects complete main shellcode in child process.
• Repeats executing the mentioned evasion techniques one more time.
• After successful bypass , it decrypts the c2 URL and download encrypted payload from c2.
• Generate the payload decryption key. In analyzed sample, key length was 0x303 bytes.
• GuLoader allocates approximately 60MB of memory space for the payload of size few KBs. It decrypts an encrypted payload, use process hollowing to inject decrypted payload into child process and resolves its Import Address Table.
• Lastly, it starts payload execution using the ZwCreateThreadEx API.

Fig 4. Snippet of Payload decryption function.

All of the above-mentioned evasion techniques and payload execution sequences are already explained in detail in SonicWall Capture Labs Research team’s blog.

NEW ENHANCED ANTI-DEBUG TECHNIQUE

In the below section we will discuss

• Exception types and implementation.
• Decoding Vectored Exception Handler function.
• Writing IDAPython script to restore deobfuscate control flow.

EXCEPTION TYPES & IMPLEMENTATION

This variant of GuLoader has added two new additional exceptions EXCEPTION_ACCESS_VIOLATION & EXCEPTION_SINGLE_STEP compared to last variant it has only one exception EXCEPTION_BREAKPOINT exception. We will discuss each exception and understand its pattern to write a script.

EXCEPTION_ACCESS_VIOLATION (code 0xC0000005)

When malware intentionally tries to write to an inaccessible memory address, exception EXCEPTION_ACCESS_VIOLATION is raised.

Here, malware constructs zero by series of arithmetic calculations. Then it tries to access memory address pointed by it, which raises exception as zero is inaccessible memory address.

Fig 5. EXCEPTION_ACCESS_VIOLATION instructions pattern.

As we can see the constant values and operations (mov, xor, sub) are keeps varying for each exception raised.

EXCEPTION_SINGLE_STEP (code 0x80000004)

The FLAGS register is the status register that contains the current state of a x86 CPU. The trap flag is 8^th bit of FLAGS register. When the trap flag is set, the system is instructed to single step, it will execute one instruction and then stop. Then contents of registers and memory locations can be examined by Vectored Exception Handler; if they are correct, the system can execute the next instruction.

The x86 processor has no instruction to directly set or reset the trap flag. Malware uses combination of (PUSHFD/POPFD) instructions to set trap flag.

These operations are done by.

1. Pushing the flag register on the stack (PUSHFD) .
2. Modifying the trap flag bit (uses 0x100)
3. Popping the flag register back off the stack (POPFD).

When malware is running without debugger, when SINGLE_STEP exception is raised and handled by Vectored Exception Handler.

Fig 6. SINGLE_STEP exception instructions pattern.

However while using debugger, no exception can be seen being raised as trap flag is always gets reset after each debugger event is delivered.

EXCEPTION_BREAKPOINT (code 0x80000003)

INT3 instruction (0xCC opcode) is used as software breakpoint in debuggers, that’s why when program is running under debugger, control remains to the debugger after it encounter INT3.

When malware is running without debugger exception EXCEPTION_BREAKPOINT is raised, and control is transferred to the Vectored Exception Handler.

Fig 7. BREAKPOINT exception instruction patterns.

Now we have understood how exceptions are being raised by malware. Next will see how malware uses these exceptions to change the control flow at runtime using its custom Vectored Exception Handler.

DECODING VECTORED EXCEPTION HANDLER

An application can register a function to handle all exceptions for the application. Vectored handlers are called in the order that they were added.

GuLoader call RtlAddVectoredExceptionHandler API to add its custom Vectored Exception Handler. RtlAddVectoredExceptionHandler accepts two parameters.

Fig 8. Structures of EXCEPTION RECORD & CONTEXT.

As we can see in below image, pointer of structure EXCEPTION_POINTERS is being passed as an argument to Vectored Exception Handler(VEH). Using structure EXCEPTION_POINTERS, VEH can access all the information regarding raised exceptions and reading the values of all the registers of processor using structure CONTEXT.

Fig 9. Pseudocode of Custom Vectored Exception Handler.

When EXCEPTION_ACCESS_VIOLATION and SINGLE_STEP_EXCEPTION exceptions are raised, handler perform following steps:

1. It checks whether memory address being currently accessed is zero or not. If it is not zero, then it returns 0 and ultimately crashes down.

But how handler gets the address of currently accessed memory location? So it uses ExceptionInformantion[1] member of Exception Record to get this additional information about exception.

2. Checks if any hardware breakpoints have been set by checking status of the debug registers(DR0 to DR7). If found it set the ContextRecord to 0 which leads malware to crash.
3. If successfully pass the check, it then transforms the EIP to new address using logic Context->Eip += ByteAt(Eip + 2) ^ 0x6A where
   • Value 2 depicts size of instruction (mov, jg, jne etc.) where exception is raised.
   • 0x6A is byte key to transform EIP. (It differs sample to sample)

Fig 10. Debug register check.

When EXCEPTION_BREAKPOINT exception is raised, handler perform following steps:

1. Checks whether hardware breakpoints have been set by checking status of the debug registers(DR0 to DR7). If found it set the ContextRecord to 0 which leads malware to crash.
2. Scans for applied software breakpoint i.e. CC byte in loop.
3. If successfully pass the check, it then transforms the EIP to new address using logic Context->Eip += ByteAt(Eip + 1) ^ 0x6A where
   • Value 1 depicts size of instruction (CC) where exception is raised.
   • 0x6A is byte key to transform EIP.

WRITING IDA PYTHON SCRIPT

IDAPython is an IDA Pro plugin that integrates the python programming language, allowing scripts to run in IDA Pro. IDA provides different modules to work on disassembly of instructions.

The python script finds instructions pattern that raise an exception and patch them by jump instruction with transformed EIP offset as a target.

After running the python script in IDA, we get clean, easy to analyze, deobfuscated code of GuLoader’s shellcode. Also finds out that GuLoader’s VEH has been called more than 1100 times.

Fig 11. Obfuscated code(A), deobfuscated code(B), GuLoader’s entire shellcode graph view(C).

CONCLUSION

GuLoader malware introduces new techniques very often which takes much time and efforts of malware analysts to fully analyzed it. We have completely analyzed GuLoader’s custom Vectored Exception Handler and understood how it works.

We have written python script to defeat GuLoader shellcode control flow obfuscation and saving time and efforts of malware analyst.

We expect further development in GuLoader anti-analysis, anti-debug techniques in upcoming days.

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

IOC’s

SHA256 : 55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6

C2 URL : hxxp[:]//lena[.]utf[.]by/wp-content/plugins/f8eb81f6deba45169c3b41c05c4590ad/y/mm/mmd/kdRrHFMqRUIujuOy126[.]bin

Final Payload (Azorult stealer): d5af42b118d0597c6b71831f2b2ebc8294eca907481d53939563fce7c0f14767

REFERENCES

Technical Analysis:

Once user executes the file, Malware starts with creating Mutex using GetCustomAttributes() API. After creating mutex it uses threading by using Task task = Task.Run() to perform stealing activity simultaneously.

Browsers Data:

First activity malware does is that it steals information from web browsers. Here malware divides the browsers into 2 categories, 1st is Chromium-based web browsers and 2nd is Gecko-based web browsers. First, it searches for the installed Chromium-based web browsers from the victim’s computer from which he wants to steal information.

Figure 1. Stealing Chromium based browsers information.

Below is the list of Chromium based browsers malware targets:

List of Gecko based web browsers that malware targets:

After searching for targeted browsers, if malware finds the any of above-mentioned browser directory on the victim’s machine, then steals data from that directory and keep the same in respected folder. For Example, if malware steals History data from Google Chrome and FireFox browser then it creates a folder with the name Histories and keeps the stolen History data of Chrome and Firefox in Google Chrome.txt and Firefox.txt respectively. As shown in below Figure 2.

Figure 2. Stolen browsers History

Here is list of data malware steals from browsers:

• Login data
• Cookies
• Credit card data
• Bookmarks
• AutoFill data
• History

If malware founds any of above-mentioned data, then it keeps its count also in Counter.txt file shown in below Figure 3.

Figure 3. Stolen data from browser with counter

In this malware binary, there is a function DetectCreditCardType() which is called if any Credit Card info found in above mentioned web browsers on the victims’ machine, then it checks that Credit Card number using Regular Expression with major Credit Card Companies which are already hardcoded present in malware as shown in below figure 4.

Figure 4. Credit Card Parsing

Stealing Clipboard Data:

After stealing browsers information, it obtains the clipboard data and keeps in “Clip_BoardText.txt” file and bundles it into a zip file as shown in the below Figure.

Figure 5. Stealing Clipboard Data

Crypto Wallet Extension:

Then this stealer malware extracts information from crypto wallet browser extensions. Right now, the malware only targets 3 browsers Opera, Opera GX and Google Chrome. These extension IDs hard coded presents in the file.

Figure 6. Stealing information from Crypto Wallet browser extensions.

Below table shows the targeted crypto wallets with respective browser extension IDs:

Cryptocurrency Wallets:

This stealer not only steals Crypto Wallet Extensions information from browsers but also targets the Cryptocurrencies Wallets installed on victim’s system by looking for text ends with “wallet” or “json” into associated directories mentioned in below table. If any specified Cryptocurrency wallet found on victim’s system, then it reads all the information and bundles into a zip file with folder name “CryptoWallets” along with No. of counts of CryptoWallets in Counter.txt files which is also present in zip file.

Figure 7. Stealing Cryptocurrencies information

Here is the list of Cryptocurrency wallets which malware targets:

Targeted Apps:

Malware does not stop after stealing Crypto wallets and extensions from browsers, then it looks for specified installed apps from the victim’s machine. Below is list of targeted apps which are also hardcoded in binary. If malware found the specified app on machine, then it creates text file with “AppName_log.txt” and writes all data in it.

Pidgin:

Pidgin defines itself as a chat program that lets you log into accounts on multiple chat networks simultaneously. The credentials targeted by the stealer are located in an XML file containing the account information (accounts.xml), which should be located under the “%ApplicationData%\.purple” directory. As shown in below Figure, After obtaining pidgin data, malware copies it into a text file with name “Pidgin_Log.txt” and bundle into a zip.

Figure 8. Stealing Pidgin data.

Filezilla:

The FileZilla software program is a free-to-use (open source) FTP utility, allowing a user to transfer files from a local computer to a remote computer. This stealer will try to obtain the two files where the FPT client stores its passwords. Below table shows path where files will be located with description.

If malware founds above mentioned files, then XML documents will be examined to locate “Server” elements and extract the “Host,” “Port,” “User,” and “Pass” fields from each instance. “Pass” field will be decoded from Base64.The retrieved information will be saved in “FileZilla_Log.txt” file and bundle in into a zip file.

Figure 9. Stealing FileZilla Credentials

Foxmail:

The stealer targets POP3 accounts and passwords associated with this mailing software. Inside FoxMail’s installation directory, there is a file named “Accounts\Account.rec0” where these credentials are stored. The location of the installation directory is obtained from following registry key:

SOFTWARE\\Classes\\Foxmail.url.mailto\\Shell\\open\\command”

Under the “\\Storage” directory, the stealer searches for all directories that match the regular expression “@”. It then attempts to locate the “Accounts\Account.rec0” file within these directories. If the file is found, it will be read and parsed to obtain POP3 account details and passwords. After this, malware copy stolen info into “FoxMail_Log.txt” and bundle it into a zip.

Telegram:

This stealer tries to steal information from Telegram in 2 ways as shown in below Figure 10. In a first way, it targets to installed Telegram app on victims’ machine by checking %AppData%\Roaming\Telegram Desktop\tdata directory. If the directory found, then collects all the file from that directory then bundle into zip file with the folder name “TelegramFiles/Installed/tdata”. Here malware Bypasses some files while collecting information from both installed Telegram app and Portable Telegram.

Below it the list of directories and files which malware bypass:

• dumps
• temp
• user_data
• user_data#2
• tdummy
• emoji
• modules
• exe
• txt
• .json
• Dictionaries

In second way, Malware retrieves all running processes by using Process.GetProcesses() method. If it finds a process name starting with “Telegram” then retrieves all the information Bypassing above listed directories and files and put it into a zip file with the name “TelegramFiles/Portable”

Figure 10. Stealing Information from Telegram App.

Apart from above mentioned apps, Malware also steals information from Discord App and keep in “Discord/Tokens.txt” and bundle into zip file. Then next it steals information from RDP files if present on victims’ system by searching for .rdp extension.

Targeted VPNs (Virtual Private Network):

After targeting Apps from victims’ machine, this stealer malware has the capabilities to steals VPNs information  from victim’s machine.

Stealing Steam Credentials:

Steam is a video game digital distribution service that provides automatic updates for various games. It is highly popular among gamers as it allows for multiplayer capabilities.

Figure 11. Stealing Steam ID.

As shown in above Figure 11, stealer reads all lines from “configloginusers.vdf” file and obtain steam ID. This obtained ID is then written into “SteamID_Log.txt” which will be stored in Steam folder.

Figure 12. Stealing Steam files.

As shown in above Figure 12, this stealer gets the Steam location of the victim’s system by targeting “SOFTWARE\\Wow6432Node\\Valve\\Steam” and “Software\\Valve\\Steam” directories using GetLocationSteam(). If Steam directory is found, then it copies all the files into “Steam” folder and escapes files which having “. crash” extension. After this, stealer also grabs config information and stores it into “Steam/Config” directory.

C2 Communication:

Figure 13. Uploading stolen data to C2

As shown in above Figure, malware adds header by using “DateTime.Now.Ticks()” which is used to Get the number of ticks that represent the date and time of this instance. After adding header malware bundles stolen data into a zip file and sends it to C2 server (hxxps://es-megadom.com) which is hardcode present in binary using the POST request method. As now writing this blog, while uploading data to C2 malware throwing Exception because it is down and terminating by returning false.

Exfiltration:

After stealing all important information from victim’s machine the last step malware does is, it bundles all this information into folder with name like “c33f028dee6e06ed_[mr0001]” which is obtained by performing some operation on victims UserName and MachineName and contacting “_[mr0001]” string as shown in below Figure.

Figure 14. Exfiltration File

ProcessInfo_Log.txt:

As name suggests, ProcessInfo_Log.txt file contains All running processes with format like:

• Process Name:
• Process Tittle:
• Process Path:

Figure 15. Obtaining running processes

Information.html file:

Information.html file contains all the following information of victim’s machine and all running process followed by process ID.

1. Operating system
2. Registered user
3. Windows Product Code
4. Computer name
5. Logical processes
6. System directory
7. Central Processing Unit (CPU)
8. Processor ID
9. Screen resolution
10. BIOS version
11. Physical memory
12. Memory type
13. Video card
14. Computer model
15. Computer model manufacturerFigure 16. Stolen Systems information inside Information.html file

List of WMIQUERY used by malware to obtain above information from victims’ system.

• root\\CIMV2″, “SELECT * FROM Win32_OperatingSystem
• root\\CIMV2″, “SELECT * FROM Win32_Processor
• root\\CIMV2″, “SELECT * FROM Win32_DesktopMonitor
• root\\CIMV2″, “SELECT * FROM Win32_BIOS
• root\\SecurityCenter2″, “SELECT * FROM AntiVirusProduct
• root\\SecurityCenter2″, “SELECT * FROM FirewallProduct
• root\\CIMV2″, “SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
• root\\CIMV2″, “SELECT * FROM Win32_PhysicalMemory
• root\\CIMV2″, “SELECT * FROM Win32_VideoController
• root\\CIMV2″, “SELECT * FROM Win32_ComputerSystem

Apart from all of this, malware has some additional capabilities like Taking Screenshots, Doing AntiVM checks and country check. In this sample malware author not using above mention functionalities. But in future it may use to make analysis of this binary more difficult and obtaining some additional information from victim’s machine.

Figure 17. AntiVM Code present in malware binary.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Passwordstealer.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.