Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
Over the last couple of months, we observed a new downloader called GuLoader (also known as CloudEyE) that has been actively distributed in 2020. In contrast to typical downloaders, GuLoader is known to use popular cloud services such as Google Drive, OneDrive and Dropbox to host its encrypted payloads. So far we have seen GuLoader used to deliver Formbook, NanoCore, LokiBot and Remcos, among others.
We have observed that GuLoader uses a combination of techniques to evade sandboxes and to slow down manual analysis. On June 6th, 2020 the developers of GuLoader announced that they had shut down their service (Figure 1). Despite the suspension of the service, we anticipate that other malware families will adopt and adapt some of these techniques in the near future. In this post, we highlight GuLoader’s techniques with a focus on sandbox evasion and anti-analysis.