2023: How cybercriminals bypass antiviruses with Google services
On May 22, 2023, information security specialists from Check Point Software Technologies released the results of an analysis of the GuLoader malware, which makes use of Google cloud services in the course of an attack.
GuLoader is a multifunctional malware loader first discovered in 2019. Attackers constantly add new features to GuLoader to bypass antivirus protection. In addition to encrypting its code, the malware uses many other techniques, including sandbox evasion. A distinctive feature of GuLoader is that the encrypted payload is hosted on a remote server, in particular on Google Drive. As a result, hackers can use a protected shellcode loader that fetches the malware from the server, decrypts it and runs the code in memory, leaving no trace of their activity on the computer's drive.
Despite Google's efforts to block encrypted malicious files, in most cases GuLoader bypasses this protection. Advanced versions of the malware are built on the VBScript scripting language and the NSIS installer creation system. According to Check Point, since the end of 2022 the GuLoader shellcode has used a new anti-analysis technique that disrupts the normal execution sequence by deliberately raising a large number of exceptions.
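One defender-side way to surface the exception-flooding behaviour described above, as an added example that is neither Check Point's nor GuLoader's code: a small Python detector that reads a constructed sandbox-style trace (the line format, pids, image paths and the window/threshold values are all assumptions) and flags processes that raise an abnormally large number of exceptions in a short window.

```python
from collections import defaultdict, deque

# Constructed sample trace (not real telemetry): "<ms> <pid> <event> <detail>".
# pid 4120 raises 40 access-violation exceptions within 40 ms, the flooding
# pattern described above; pid 2200 raises a handful of exceptions over five
# seconds, which is normal for many legitimate (e.g. .NET) programs.
SAMPLE_TRACE = "\n".join(
    ["0 4120 PROCESS_START image=C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe",
     "0 2200 PROCESS_START image=C:\\Program Files\\App\\app.exe"]
    + [f"{10 + i} 4120 EXCEPTION code=0xC0000005" for i in range(40)]
    + [f"{1000 * i} 2200 EXCEPTION code=0xE0434352" for i in range(1, 6)]
)


def parse_trace(text):
    """Parse trace lines into (timestamp_ms, pid, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, event, detail = line.split(" ", 3)
            events.append((int(ts), int(pid), event, detail))
    return events


def peak_exception_rate(events, window_ms=100):
    """Per pid, the largest number of EXCEPTION events seen in any sliding
    window of window_ms milliseconds."""
    peaks = defaultdict(int)
    recent = defaultdict(deque)  # pid -> timestamps inside the current window
    for ts, pid, event, _ in sorted(events):
        if event != "EXCEPTION":
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window_ms:  # drop timestamps that left the window
            q.popleft()
        peaks[pid] = max(peaks[pid], len(q))
    return dict(peaks)


def flag_exception_floods(events, window_ms=100, threshold=20):
    """Pids whose peak exception rate meets the threshold. The threshold is an
    assumed tuning value: calibrate it against baseline telemetry, because JIT
    runtimes legitimately raise first-chance exceptions."""
    peaks = peak_exception_rate(events, window_ms)
    return {pid for pid, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print(peak_exception_rate(evs))   # {4120: 40, 2200: 1}
    print(flag_exception_floods(evs))  # {4120}
```

A flagged pid is only a lead; correlate it with the other behaviours the article names (a script or NSIS dropper fetching an encrypted blob from a cloud-storage URL, followed by in-memory execution) before acting on it.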
It is noted that this improved evasion of protection has made GuLoader a favorite tool among cybercriminals for conducting cyberattacks on private users and organizations. In particular, the loader is used to distribute malware such as Formbook, XLoader, Remcos, 404Keylogger, Lokibot, AgentTesla, NanoCore, NetWire, etc.[1]