Zscaler ThreatLabz has released a deep-dive analysis of GuLoader (also known as CloudEye), revealing how this long-standing malware family is evolving to stay ahead of defenders. First observed in late 2019, GuLoader has become a staple in the cybercrime world, primarily serving as a delivery vehicle for other malicious payloads like Remote Access Trojans (RATs) and information stealers.
The new report highlights GuLoader’s increasing reliance on complex obfuscation techniques, making it a nightmare for security analysts to reverse-engineer.
One of GuLoader’s signature moves is hiding in plain sight. Instead of hosting its malicious payloads on suspicious servers, it leverages trusted cloud platforms.
“The threat actors that distribute GuLoader often host malware on legitimate platforms including Google Drive and OneDrive to evade reputation-based detection,” the report explains.
By using these reputable services, the malware’s download traffic looks like normal user activity to many security filters, allowing it to slip through the net.
To further complicate analysis, GuLoader uses “polymorphic code to dynamically construct constant and string values”. This means the malware’s code constantly changes its appearance, preventing security tools from using simple static signatures to identify it.
The malware also employs “exception-based control flow obfuscation,” a technique where the program deliberately triggers errors to jump between different parts of its code, making the execution path incredibly difficult to follow.
When it comes to unlocking its final payload, GuLoader uses a multi-layered approach. It downloads an encrypted binary—often exceeding 0x300 bytes—which acts as an XOR key.
“This binary buffer functions as an XOR key, which is used to decrypt a malware payload that is downloaded from a hardcoded URL,” the researchers note. Even the URL itself is encrypted, ensuring that analysts cannot easily see where the malware is reaching out to without first cracking the code.
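The decryption step described above, written out as an added analyst-side example that is not from the Zscaler report or from GuLoader itself. It assumes the downloaded buffer is applied as a repeating XOR key over the encrypted payload (the report does not state how the key is walked, so that is an assumption), enforces the "at least 0x300 bytes" expectation the report mentions, and uses an "MZ" header check as the plausibility test an analyst would apply to the output. The payload and key bytes are constructed for the example.

```python
import hashlib

# The report notes the downloaded key buffer often exceeds 0x300 bytes.
MIN_KEY_LEN = 0x300


def derive_constructed_key(seed: bytes, length: int) -> bytes:
    """Build a deterministic pseudo-random key buffer for this example.

    Constructed for illustration; it is not how GuLoader produces its key.
    """
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed key schedule); the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Plausibility check after decryption: a Windows PE image starts with 'MZ'."""
    return blob[:2] == b"MZ"


def recover_payload(encrypted_payload: bytes, key_buffer: bytes) -> bytes:
    """Decrypt with the full key buffer and confirm the result looks like an executable."""
    if len(key_buffer) < MIN_KEY_LEN:
        raise ValueError(
            f"key buffer is only {len(key_buffer):#x} bytes; expected at least {MIN_KEY_LEN:#x}"
        )
    plain = xor_with_key(encrypted_payload, key_buffer)
    if not looks_like_pe(plain):
        raise ValueError("decrypted data has no MZ header; wrong key or key offset")
    return plain


# Constructed sample data: a stand-in payload with a PE-like header and a key buffer
# longer than 0x300 bytes, encrypted with the same XOR routine.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4
SAMPLE_KEY = derive_constructed_key(b"example-seed", 0x340)
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_payload(SAMPLE_ENCRYPTED, SAMPLE_KEY)
    print("round-trip ok:", recovered == SAMPLE_PAYLOAD)
```

In practice the encrypted payload and key buffer would be carved from a network capture or memory dump; if the MZ check fails, the usual next step is to try the key at other starting offsets before concluding the key buffer is wrong.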
Despite being over five years old, GuLoader shows no signs of slowing down. Its developers are continuously updating it with “increasingly complex exception-handling mechanisms to complicate analysis”.
As the Zscaler team concludes: “Given the consistent development over time, GuLoader is likely to remain a significant threat for the foreseeable future”.