Full Report
Authored by: Anandeshwar Unnikrishnan
Stage 1: GULoader Shellcode Deployment
In recent GULoader campaigns, we are seeing a rise in NSIS-based...
The post GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: GULoader Shellcode Deployment (NSIS-based campaigns)
## Overview
GULoader is a highly evasive, shellcode-based loader malware frequently observed being deployed via NSIS (Nullsoft Scriptable Installer) archives. These campaigns often start with malspam emails distributing the NSIS installer, which leverages custom DLL plugins to execute the GULoader shellcode on the victim's system.
## Technical Details
- Type: Malware Loader (Shellcode-based)
- Platform: Windows
- Capabilities: Highly evasive execution, shellcode staging and loading, anti-analysis via Vectored Exception Handling (VEH).
- First Seen: Based on article date, recent campaigns noted around May 2023.
## MITRE ATT&CK Mapping
*Note: Direct, complete mapping is inferred based on described behavior.*
- **TA0002 - Execution**
  - T1547.001 - Registry Run Keys / Startup Folder (Inferred as part of a typical loader payload, though not explicitly detailed in deployment)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Via junk data appended to shellcode)
  - T1055 - Process Injection (Inferred as a likely final stage for shellcode execution, via memory allocation and execution)
- **TA0003 - Persistence** (Not explicitly detailed, but common for loaders)
## Functionality
### Core Capabilities
- **Delivery via NSIS:** Utilizes NSIS installers, which can contain malicious assets and junk data for AV evasion.
- **Shellcode Staging:** Drops encoded GULoader shellcode onto the disk, often prefixed with junk data for obfuscation.
- **Simple XOR Encoding:** The shellcode payload is typically obfuscated via simple XOR encoding.
- **Dynamic Shellcode Retrieval:** Uses NSIS commands like `FileSeek` to correctly offset and retrieve the encoded shellcode.
### Advanced Features
- **Plugin-Based Execution:** Employs custom DLL plugins (e.g., `system.dll`) loaded by the NSIS runtime to perform execution tasks.
- **Memory Allocation & Execution:** The `system.dll` uses Win32 APIs (`VirtualAlloc` for RWX memory, `CreateFile`, `ReadFile`) to read the dropped shellcode from disk into that executable memory.
- **Indirect Execution:** Executes the shellcode using indirect methods, specifically invoking `EnumResourceTypesA` and leveraging its callback mechanism (`ENUMRESTYPEPROCA`) to redirect execution flow to the allocated shellcode.
- **Vectored Exception Handling (VEH) Abuse:** Abuses VEH (`AddVectoredExceptionHandler`) primarily for obfuscating execution flow and slowing down automated analysis by diverting control flow upon exceptions.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names:
  - NSIS Installer executable.
  - Dropped DLL: `system.dll` (consistent name).
  - Dropped DLL: Second DLL with a variable name.
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context]
- Behavioral Indicators:
  - NSIS installer executing runtime library calls on dropped DLLs.
  - Use of `VirtualAlloc` to create RWX memory regions.
  - API calls for indirect execution like `EnumResourceTypesA` with a shellcode pointer as a callback.
  - Installation of a Vectored Exception Handler using `AddVectoredExceptionHandler`.
## Associated Threat Actors
- [Not explicitly named, but associated with campaigns using highly evasive shellcode loaders.]
## Detection Methods
- Signature-based detection: Not covered at this level of analysis; likely candidates are signatures for specific NSIS plugin functions or for the GULoader shellcode payload itself.
- Behavioral detection: Monitoring for NSIS scripts utilizing DLL plugins to perform file reading, memory allocation, and indirect execution calls (`EnumResourceTypesA` callback). Monitoring for the registration of VEH handlers.
- YARA rules: [Not provided in context]
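As an added illustration of the behavioural detection described above (example code, not from the McAfee post), the following Python walks a constructed API trace in a hypothetical `<pid> <api> key=value ...` format, tracks RWX `VirtualAlloc` regions per process, and flags `EnumResourceTypesA` callbacks that point into one of them alongside `AddVectoredExceptionHandler` registration. The trace format, PIDs and addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed API trace (not real sandbox output), one call per line as
# "<pid> <api> key=value ... ret=value". PID 4120 follows the chain described
# in the post; PID 5008 is benign noise. All addresses are made up.
SAMPLE_TRACE = """\
4120 VirtualAlloc lpAddress=0x0 dwSize=0x40000 flProtect=0x40 ret=0x2a0000
4120 ReadFile hFile=0x1c8 lpBuffer=0x2a0000 nNumberOfBytesToRead=0x3f000 ret=0x1
4120 AddVectoredExceptionHandler First=0x1 Handler=0x2a1f40 ret=0x5d30f0
4120 EnumResourceTypesA hModule=0x0 lpEnumFunc=0x2a0010 lParam=0x0 ret=0x0
5008 VirtualAlloc lpAddress=0x0 dwSize=0x1000 flProtect=0x4 ret=0x6b0000
5008 EnumResourceTypesA hModule=0x400000 lpEnumFunc=0x40123c lParam=0x0 ret=0x1
"""

PAGE_EXECUTE_READWRITE = 0x40  # flProtect value that yields RWX pages
LINE_RE = re.compile(r"^(\d+) (\w+) (.*)$")

def parse_line(line):
    """Split one trace line into (pid, api, {arg_name: hex_string})."""
    pid, api, rest = LINE_RE.match(line).groups()
    args = dict(tok.partition("=")[::2] for tok in rest.split())
    return int(pid), api, args

def analyze_trace(trace):
    """Return (pid, finding, address) tuples for RWX allocations, callbacks
    handed to EnumResourceTypesA that land inside them, and VEH registration."""
    rwx = defaultdict(list)  # pid -> [(start, end)] RWX regions seen so far
    findings = []
    for line in trace.splitlines():
        pid, api, args = parse_line(line)
        if api == "VirtualAlloc" and int(args["flProtect"], 16) == PAGE_EXECUTE_READWRITE:
            start = int(args["ret"], 16)
            rwx[pid].append((start, start + int(args["dwSize"], 16)))
            findings.append((pid, "rwx_alloc", start))
        elif api == "EnumResourceTypesA":
            cb = int(args["lpEnumFunc"], 16)
            if any(s <= cb < e for s, e in rwx[pid]):
                findings.append((pid, "callback_into_rwx", cb))
        elif api == "AddVectoredExceptionHandler":
            findings.append((pid, "veh_registered", int(args["Handler"], 16)))
    return findings

def suspicious_pids(trace):
    """PIDs that show the full chain: RWX alloc, callback into it, and a VEH."""
    seen = defaultdict(set)
    for pid, kind, _ in analyze_trace(trace):
        seen[pid].add(kind)
    chain = {"rwx_alloc", "callback_into_rwx", "veh_registered"}
    return sorted(p for p, kinds in seen.items() if kinds >= chain)
```

Running `suspicious_pids(SAMPLE_TRACE)` returns `[4120]`; the benign process is not flagged because its allocation is not executable and its callback lives in the image.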
## Mitigation Strategies
- Prevention measures: Treat unsolicited emails containing executable archives (including NSIS installers) with extreme suspicion. Employ robust email filtering and sandboxing.
- Hardening recommendations: Implement execution prevention controls (e.g., AppLocker, WDAC) to restrict execution from temporary directories or non-standard locations. Enhance monitoring for unusual API sequence usage (e.g., allocation followed by callback execution).
## Related Tools/Techniques
- NSIS (Used as a delivery mechanism).
- Other shellcode loaders that utilize complex memory execution techniques.
- Malware utilizing VEH for anti-analysis.