GuLoader, also referred to as CloudEye, has been a notable player in the malware landscape since its emergence in late 2019. This sophisticated downloader is designed primarily to fetch and install secondary malware, including Remote Access Trojans (RATs) and information stealers, onto compromised systems.
One of GuLoader’s most remarkable strategies for evasion lies in its clever use of legitimate cloud services. By hosting its malicious payloads on trusted platforms such as Google Drive and Microsoft OneDrive, GuLoader effectively circumvents the scrutiny of security tools that typically target suspicious servers. This tactic allows the malware to slip past reputation-based filtering systems, as organizations and antivirus software generally trust these well-known domains.
A recent analysis conducted by Zscaler ThreatLabz highlights the evolution of GuLoader, which has adopted advanced techniques, particularly polymorphic code and trusted cloud hosting, to evade traditional security detections. Upon execution, GuLoader connects to these legitimate URLs to download its concealed payload, seamlessly blending in with regular network traffic.
GuLoader Leverages Polymorphic Malware
To prevent security analysts from establishing a standard “fingerprint” or signature for detection, GuLoader employs polymorphic code. This technique continually alters the code’s appearance while preserving its core functionality. By combining assembly operations such as mov, xor, add, and sub, GuLoader constructs the constants it needs at run time instead of storing them directly.
For instance, rather than directly embedding a constant value like the number 5 into the code, GuLoader dynamically calculates it through a series of mathematical operations. This approach renders the underlying code distinct in each iteration, effectively neutralizing static detection signatures.
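The constant-building trick described above is something an analyst can undo statically. The following is an added example (not code from the article or from Zscaler’s scripts): a small evaluator that walks a straight-line run of 32-bit mov/xor/add/sub-style instructions and folds them down to the value the malware was really after. The listing it is fed is constructed for the example and mirrors the "never write down 5 directly" pattern; the supported mnemonic set and the Intel-syntax format are assumptions.

```python
import re

MASK32 = 0xFFFFFFFF
REGS32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
# mnemonic, destination register, optional source (register or immediate such as 5, 0x1A, -1)
_INSN = re.compile(r"^(\w+)\s+(\w+)\s*(?:,\s*([-\w]+))?$")


def _rotl(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32


def _rotr(v, n):
    n %= 32
    return ((v >> n) | (v << (32 - n))) & MASK32


def fold_constants(listing):
    """Walk a straight-line sequence of 32-bit arithmetic/logic instructions and
    return the resulting register values, so a constant the malware assembles
    piece by piece at run time can be read off without executing the sample.

    Supported mnemonics (an assumption for this example): mov, xor, add, sub,
    and, or, shl, shr, rol, ror, not, neg. Anything else raises, so an analyst
    notices an unsupported construct instead of silently getting a wrong value.
    """
    regs = dict.fromkeys(REGS32, 0)  # every register starts at zero

    def val(tok):
        return regs[tok] if tok in regs else int(tok, 0) & MASK32

    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _INSN.match(line)
        if not m:
            raise ValueError(f"unsupported syntax: {line!r}")
        op, dst, src = m.groups()
        if dst not in regs:
            raise ValueError(f"unknown destination register: {dst!r}")
        if op == "mov":
            regs[dst] = val(src)
        elif op == "xor":
            regs[dst] = regs[dst] ^ val(src)
        elif op == "add":
            regs[dst] = (regs[dst] + val(src)) & MASK32
        elif op == "sub":
            regs[dst] = (regs[dst] - val(src)) & MASK32
        elif op == "and":
            regs[dst] = regs[dst] & val(src)
        elif op == "or":
            regs[dst] = regs[dst] | val(src)
        elif op == "shl":
            regs[dst] = (regs[dst] << (val(src) & 31)) & MASK32
        elif op == "shr":
            regs[dst] = regs[dst] >> (val(src) & 31)
        elif op == "rol":
            regs[dst] = _rotl(regs[dst], val(src))
        elif op == "ror":
            regs[dst] = _rotr(regs[dst], val(src))
        elif op == "not":
            regs[dst] = ~regs[dst] & MASK32
        elif op == "neg":
            regs[dst] = (-regs[dst]) & MASK32
        else:
            raise ValueError(f"unsupported mnemonic: {op!r}")
    return regs


# Constructed listing in the style the article describes: the value 5 is never
# written down; it emerges from a seed and a chain of xor/add/sub operations.
SAMPLE_LISTING = """
    mov eax, 0x9F3C      ; meaningless-looking seed
    xor eax, 0x9F39      ; eax = 5
    add eax, 0x1337      ; detour ...
    sub eax, 0x1337      ; ... and back: eax = 5
    mov ecx, eax
    shl ecx, 3           ; ecx = 0x28
    rol ecx, 4           ; ecx = 0x280
"""

if __name__ == "__main__":
    for reg, value in fold_constants(SAMPLE_LISTING).items():
        if value:
            print(f"{reg} = {value:#x}")
```

Because the evaluator only understands straight-line code, it should be pointed at the basic block that builds a constant (an API hash, a buffer size, a key) rather than at a whole function; that is exactly the granularity at which a signature can be written on the recovered value instead of on the ever-changing instruction bytes.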
Moreover, GuLoader employs a technique known as exception-based control flow. Where conventional software uses “jump” instructions to move between code sections, GuLoader deliberately interrupts its own execution to confound analysis tools. By triggering a computer error (an exception), GuLoader hands control to a custom “exception handler” of its own that looks, on the surface, like ordinary error-recovery code. This handler computes the intended code path and redirects the program accordingly, and it adds an anti-debugging check: before redirecting, it verifies whether a software breakpoint has been planted at the jump destination.
To automated security tools, this behavior appears as if the program has crashed, complicating efforts to trace the malware’s true trajectory.
The Evolution of Crash Tactics
Over time, GuLoader has refined its techniques:
- 2022: Utilized simple software breakpoints (interrupts) to trigger the handler.
- 2023: Advanced to using “Single Step” and “Access Violation” exceptions, for example by attempting to write data to memory it is not permitted to access, to trigger the redirect.
- 2024-2025: Newer iterations now incorporate “Illegal Instruction” exceptions, where the malware deliberately executes an unrecognized command, prompting the crash handler to use a hardcoded key for redirection.
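The illegal-instruction variant lends itself to static recovery: if the handler’s key is hardcoded, an analyst can compute every real jump target from the file bytes without running the sample. The block below is an added example, not the article’s or Zscaler’s code, and the encoding it assumes (a UD2 opcode followed by a 4-byte offset XORed with the key) is a hypothetical layout chosen for illustration, not GuLoader’s actual one. It shows two things: how the true control-flow edges are recovered statically, and why the handler’s breakpoint check at the destination derails anyone single-stepping with software breakpoints, which is the reason analysts prefer hardware breakpoints or emulation for this kind of code.

```python
import struct

UD2 = b"\x0f\x0b"    # x86 "undefined instruction": executing it raises an illegal-instruction exception
INT3 = 0xCC          # one-byte software breakpoint a debugger writes over an instruction
MASK32 = 0xFFFFFFFF
KEY = 0x5EED1234     # constructed stand-in for the hardcoded key the handler uses


def _edge(code, off, key, base):
    """Decode one UD2 site. Hypothetical encoding (an assumption for this example):
    the dword after the opcode, XORed with the key, is the distance from the end
    of the 6-byte sequence to the real continuation."""
    enc = struct.unpack_from("<I", code, off + 2)[0]
    return (base + off + 6 + (enc ^ key)) & MASK32


def resolve_exception_jumps(code, key, base=0):
    """Static pass: find every UD2 site and compute where its handler would really
    send execution, without running the sample. Returns a list of (site, target)."""
    edges = []
    i = 0
    while i + 6 <= len(code):
        if code[i:i + 2] == UD2:
            edges.append((base + i, _edge(code, i, key, base)))
            i += 6  # skip the encoded dword so its bytes are not re-scanned
        else:
            i += 1
    return edges


def handler_view(code, site, key, base=0):
    """What the malware's handler does at a site: compute the target, then refuse
    the redirect if an INT3 is sitting there (the anti-debugging check).
    Returns the target, or None when a breakpoint was detected."""
    target = _edge(code, site, key, base)
    if code[target - base] == INT3:
        return None
    return target


def _enc(distance, key=KEY):
    """Build the encoded dword for a given forward distance (used only to construct the sample)."""
    return struct.pack("<I", (distance ^ key) & MASK32)


# Constructed 31-byte snippet: two UD2 redirects with never-executed junk in between.
SAMPLE_CODE = (
    b"\x90"                        # 0: nop
    + UD2 + _enc(12 - 7)           # 1: ud2 ; encoded "continue at offset 12"
    + b"\x90" * 5                  # 7..11: junk a linear disassembler would happily decode
    + b"\xb8\x44\x33\x22\x11"      # 12: mov eax, 0x11223344
    + UD2 + _enc(30 - 23)          # 17: ud2 ; encoded "continue at offset 30"
    + b"\x90" * 7                  # 23..29: junk
    + b"\xc3"                      # 30: ret
)

# Same bytes after a debugger plants a software breakpoint at offset 12.
_patched = bytearray(SAMPLE_CODE)
_patched[12] = INT3
BREAKPOINTED = bytes(_patched)

if __name__ == "__main__":
    for site, target in resolve_exception_jumps(SAMPLE_CODE, KEY):
        print(f"ud2 at {site:#06x} -> real continuation {target:#06x}")
    print("handler with INT3 at target:", handler_view(BREAKPOINTED, 1, KEY))
```

The recovered (site, target) pairs are what a deobfuscation script would feed back into a disassembler as explicit jumps, so the junk between sites stops polluting the function graph. For the 2022 and 2023 variants the trigger differs (INT3, single-step or an invalid memory access) but the recovery idea is the same: identify the site, reproduce the handler’s arithmetic, and record the edge.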
In addition to these tactics, GuLoader safeguards its internal data, including the web addresses for its command-and-control servers. It employs dynamic XOR encryption to obfuscate these strings, making it challenging for analysts to extract the URLs simply by examining the file.
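When the strings an analyst wants are URLs, the XOR layer can often be peeled off with a known-plaintext approach: assume the decrypted string begins with `https://`, derive a candidate key from those bytes, and keep the candidate that yields a fully printable result. The code below is an added example, not the article’s or Zscaler’s; it assumes a repeating key no longer than the crib (the article does not describe how GuLoader derives its dynamic key, so that derivation is not modelled), and the encrypted blob is constructed here from a placeholder URL.

```python
import string

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")  # exclude vertical tab and form feed


def xor_bytes(data, key):
    """Repeating-key XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_string(blob, crib=b"https://", max_key_len=8):
    """Known-plaintext recovery of a repeating-key XOR string.

    Assumes the plaintext starts with `crib` and the key is no longer than the
    crib. For each candidate key length, derive the key from the crib, decrypt,
    and accept only a result that reproduces the whole crib and is entirely
    printable. Shorter keys are tried first so a 3-byte key is reported as 3
    bytes, not as its 6-byte repetition. Returns (key, plaintext) or None.
    """
    if max_key_len > len(crib):
        raise ValueError("key length cannot exceed the known-plaintext crib")
    for klen in range(1, min(max_key_len, len(blob)) + 1):
        key = bytes(blob[i] ^ crib[i] for i in range(klen))
        plain = xor_bytes(blob, key)
        if plain.startswith(crib) and all(b in PRINTABLE for b in plain):
            return key, plain.decode("ascii")
    return None


# Constructed sample: a placeholder download URL encrypted with a 3-byte key.
SAMPLE_KEY = b"\x3a\x91\xc7"
SAMPLE_URL = b"https://example.com/download/payload.bin"
SAMPLE_BLOB = xor_bytes(SAMPLE_URL, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_xor_string(SAMPLE_BLOB))
```

In practice the blob is carved from a memory dump or from the decoded region of the sample, and the printable check is what rejects false positives from a wrong key length; if the strings are not URLs, any other reliable prefix (a User-Agent, a registry path) works as the crib.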
GuLoader remains a formidable threat due to its continuous adaptation. By capitalizing on the trust associated with major cloud providers and utilizing intricate “self-crashing” mechanisms to obscure its operations, it effectively outmaneuvers many conventional defensive tools. While security researchers at Zscaler have developed specialized scripts to assist analysts in deobfuscating these newer variants, the malware’s relentless evolution indicates that it will continue to pose challenges in the foreseeable future.
Indicators Of Compromise (IOCs)
| Hash | Version |
|---|---|
| 90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95 | 2022 |
| 274329db2d871d43eed704af632101c6939227d36f4a04229e14603f72be9303 | 2022 |
| 4be24d314fc9b2c9f8dbae1c185e2214db0522dcc480ba140657b635745e997b | 2023 |
| 0bcc5819a83a3ad0257a4fe232e7727d2f3d04e6f74c6d0b9e4dfe387af58067 | 2023 |
| 7fccb9545a51bb6d40e9c78bf9bc51dc2d2a78a27b81bf1c077eaf405cbba6e9 | 2024 |
| 53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d | 2024 |