Security researchers have recently uncovered a new technique used by the GULOADER malware to evade antivirus detection. This highly evasive shellcode downloader, commonly delivered as VBScript files via email attachments or links, has now been observed using Windows Vectored Exception Handling (VEH), adding another layer of complexity to its anti-analysis tricks.
Delving into the Details
Elastic Security Labs reports that GULOADER begins by registering a handler with RtlAddVectoredExceptionHandler, which lets the malware intercept and handle exceptions raised during its own execution. Each time an exception fires, the handler checks for hardware breakpoints before control flow continues toward the final-stage payload.
Researchers note that although the technique itself is not new, GULOADER keeps extending the list of exceptions it handles as part of its anti-analysis strategy. Recently added exception types such as EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION further strengthen the malware's ability to evade analysis.
Evolving Threat Landscape: GootBot and WailingCrab Join the Scene
In a rapidly evolving threat landscape, a new GootLoader variant named GootBot has emerged. This variant deploys custom-built bots in the later stages of the attack, enabling rapid propagation across a network and the delivery of additional payloads while avoiding detection.
In a separate incident, the WailingCrab malware loader used shipping-themed email messages to slip past security checks before infecting victims' systems. The constantly changing tactics of threat actors show why continuous vigilance is required.
SpyAgent Campaign Targets South Korean Smartphone Users
McAfee researchers report a new SpyAgent campaign targeting smartphone users in South Korea. Active since early October, the malware has infected over 200 devices so far. It is distributed through malicious Android and iOS applications delivered via phishing sites.
Deceptive Tactics Unveiled
The attackers make initial contact via SMS and persuade victims to move the conversation to the LINE messenger. On LINE, victims are sent a phishing link and prompted to install the app it offers, which downloads SpyAgent. Once installed, the malware collects contact information and text messages and forwards them to an attacker-controlled server.
Ongoing Threat: Malicious Apps on the Rise
Researchers also found phishing sites distributing a counterfeit version of the Camtalk app for Android and Apple phones. The attackers used a variety of themes on these sites to lure victims. With 10 phishing sites identified so far, the campaign is ongoing and the number of affected devices is expected to rise.
The Pervasiveness of Malicious Apps
Malicious apps remain a common delivery channel for cybercriminals. Recent examples include threat actors abusing a Windows news portal to promote a malicious installer for the CPU-Z utility that dropped the RedLine Stealer. In addition, Doctor Web's analysts identified several malicious apps on the Google Play Store distributing malware families such as FakeApp, Joker, and HiddenAds.
In a landscape marked by evolving threats, cybersecurity measures must adapt to stay one step ahead of these sophisticated and ever-changing tactics.
Thanks & Regards: Ashwini Kamble