GuLoader uses Google Drive to download payloads

GuLoader via Google Drive

Antivirus products are continually advancing to combat evolving threats, leading malware developers to create new circumvention techniques such as “bundling” and “encryption.” GuLoader is a notable service used by cybercriminals to avoid detection by antivirus software.

Check Point cybersecurity researchers claimed that GuLoader employs a variety of evasion techniques and is noted for its encrypted payload that is uploaded to a remote server, allowing attackers to use a securely protected shellcode-based loader. which downloads, decrypts, and executes the payload in memory without storing decrypted data on the hard drive.

Apart from Google’s diligent attempts to prevent malicious GuLoader encrypted payloads, most instances still witness GuLoader successfully retrieving payloads from Google Drive.

Malware delivered via Google Drive

Conclusive evidence discovered by the researchers indicates that GuLoader is currently being employed as a distribution mechanism for subsequent malware strains:

  • forms book
  • charger x
  • remcos
  • 404 keylogger
  • lokibot
  • AgentTesla
  • nanonucleus
  • NetWire

Previous iterations of GuLoader were VB6 applications that used encrypted shellcode to handle essential tasks like loading the encrypted payload, decrypting it, and executing it from memory, while the current predominant versions are based on:

GuLoaded Attack Chain

Techniques followed by GuLoader

Both the NSIS and VBS variants of GuLoader use the same version of shellcode, which incorporates numerous anti-scan techniques similar to previous versions.

Next, we have mentioned the techniques used:

  • Sandbox Evasion Techniques
  • Anti-debugging techniques

While previous versions of GuLoader could be bypassed by a debugger during dynamic analysis, security analysts face significant challenges in the new version due to a technique that makes both debugging and static analysis difficult.

Since late 2022, the GuLoader shellcode has incorporated a novel anti-parsing method that involves the generation of numerous exceptions that interrupt the regular flow of code execution, with control subsequently transferred to a dynamically computed address via an exception handler of vector.

The storage method for the payload decryption key mirrors that of encrypted strings, but the key remains clearly unencrypted. Typically, the key length is in the range of 800 to 900 bytes.

To evade automated analysis, GuLoader employs a deceptive tactic by using a different size, not the one stored with the key, which poses a challenge for decryption as only the initial 843 bytes of the payload can be accurately decrypted, leaving the remaining data fragmented.

From previous versions of GuLoader, the payload decryption algorithm remains unchanged, with the initial 64 bytes of the downloaded data omitted.

GuLoader gets the final key assuming the first 2 bytes of the decrypted payload are “MZ” and calculates a 2-byte XOR key (rand_key), which is used to XOR the payload decryption key.

Using encryption, header skipping, and loader payload separation, threat actors make their malicious payloads undetectable by antivirus software, allowing them to use Google Drive as a storage medium and bypass their malicious payloads. antivirus protections, with some download links to these payloads persisting longer. durations


Stop Phishing Attacks with Device Posture Security: Download the Free eBook