Authored by: Anandeshwar Unnikrishnan

Stage 1: GULoader Shellcode Deployment

In recent GULoader campaigns we are seeing a rise in NSIS-based installers, delivered by e-mail as malspam, that use plugin libraries to execute the GULoader shellcode on the victim system.

NSIS (Nullsoft Scriptable Install System) is a highly efficient software packaging utility. The installer's behavior is dictated by an NSIS script, and users can extend the functionality of the packager by adding custom libraries (DLLs) known as NSIS plugins. Since its inception, adversaries have abused the utility to deliver malware. NSIS installer files are self-contained archives, which lets malware authors include malicious assets alongside junk data. The junk data serves as an anti-AV / AV evasion technique.

The image below shows the structure of an NSIS GULoader staging executable archive. The NSIS script, which is a file found in the archive, has the file extension “. The deployment strategy employed by the threat actor can be studied by analyzing the NSIS script commands in that script file.

![]()

The image shown below is an oversimplified view of the whole shellcode staging process. The file that holds the encoded GULoader shellcode is dropped onto the victim's disk, along with other data, according to the script configuration. Junk is prepended to the encoded shellcode. The encoding style varies from sample to sample, but in almost all cases it is a simple XOR encoding. Because the shellcode sits after the junk data, an offset is used to retrieve the encoded GULoader shellcode; in the image, the FileSeek NSIS command is used to do the offsetting. Some samples carry unprotected GULoader shellcode appended to the junk data.

A plugin used by the NSIS installer is nothing but a DLL that the installer program loads at runtime, invoking the functions exported by the library. Two DLL files are dropped in the user's TEMP directory; in all analyzed samples one has the consistent name system.dll, while the name of the other varies. system.dll is responsible for allocating memory for the shellcode and executing it. The following image shows how the NSIS script calls functions in the plugin libraries.

system.dll has the exports shown in the image below. The function named “Call” is used to deploy the shellcode on the victim's system. The Call function exported by system.dll resolves the following functions dynamically and executes them to deploy the shellcode:

- CreateFile – to read the shellcode dumped onto disk by the installer. As part of installer setup, all the files seen in the installer archive earlier are dumped onto disk in a new directory created on the C:\ drive.
- VirtualAlloc – to hold the shellcode in RWX memory.
- SetFilePointer – to seek to the exact position of the shellcode in the dumped file.
- EnumResourceTypesA – execution via the callback mechanism. The second parameter is of type ENUMRESTYPEPROCA, which is simply a pointer to a callback routine. The address of the memory allocated for the shellcode is passed as the second argument to this API, so the operating system calls into the shellcode on the malware's behalf.

Callback function parameters are a good resource for indirect execution of code.

![]()

The way the operating system implements exception handling provides another opportunity for the adversary to take over the execution flow.

![]()

Vectored Exception Handling on Windows gives the user the ability to register a custom exception handler, which is simply code logic that gets executed when an exception occurs. The interesting thing about exception handling is the way in which the system resumes the normal execution flow of the program after the exception.
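The staging layout described above (junk data first, XOR-encoded shellcode after it, recovered by seeking to a hard-coded offset) is easy to reproduce and to reverse. The following is an added example, not code from the write-up or from the samples: the offset, the single-byte key 0x4b and the FAKE_SHELLCODE bytes are constructed assumptions standing in for the values an analyst reads out of the NSIS script. The single-byte key recovery from a known prefix goes beyond what the text states; it is the usual analyst shortcut when the script does not make the key obvious.

```python
import os
import tempfile
from typing import Optional

# Constructed stand-in for the payload: not GULoader code, just bytes that
# start with a recognisable x86 "call $+5 / pop ebx" stub plus padding.
FAKE_SHELLCODE = bytes.fromhex("e8000000005b") + bytes(range(0x20, 0x60))


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this also decodes."""
    if not key:
        return bytes(data)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_staging_file(path: str, shellcode: bytes, junk_len: int, key: bytes) -> int:
    """Write junk followed by the (optionally) XOR-encoded shellcode.

    Reproduces the layout the write-up describes: junk at the start, the
    encoded payload after it. The filler is deterministic constructed data
    standing in for whatever junk the real samples carry. Returns the payload
    offset, which real samples hard-code in the NSIS script and hand to
    FileSeek / SetFilePointer.
    """
    junk = bytes((i * 37 + 11) & 0xFF for i in range(junk_len))
    with open(path, "wb") as f:
        f.write(junk)
        f.write(xor_encode(shellcode, key))
    return junk_len


def extract_shellcode(path: str, offset: int, length: int, key: Optional[bytes]) -> bytes:
    """Seek past the junk, read the encoded region and decode it.

    key=None (or b"") models the samples that drop unprotected shellcode
    after the junk, where the seek alone is enough.
    """
    with open(path, "rb") as f:
        f.seek(offset)                  # the FileSeek / SetFilePointer step
        blob = f.read(length)
    if len(blob) != length:
        raise ValueError("short read: offset or length does not match this sample")
    return xor_encode(blob, key) if key else blob


def recover_single_byte_key(encoded: bytes, expected_prefix: bytes) -> Optional[int]:
    """Single-byte XOR case: derive the key from a known plaintext prefix
    (assumption: the analyst knows how the shellcode starts, e.g. from an
    unprotected sample) and confirm it over the whole prefix.
    Returns None if no single byte explains the prefix."""
    if not encoded or not expected_prefix:
        return None
    key = encoded[0] ^ expected_prefix[0]
    decoded = xor_encode(encoded[:len(expected_prefix)], bytes([key]))
    return key if decoded == expected_prefix else None


def demo() -> dict:
    """Round-trip with constructed values: stage a file, then recover the
    payload the way the Call export does (open, seek, read, decode)."""
    key = b"\x4b"                        # assumed single-byte key
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropped.dat")
        offset = build_staging_file(path, FAKE_SHELLCODE, junk_len=0x1000, key=key)
        recovered = extract_shellcode(path, offset, len(FAKE_SHELLCODE), key)
        wrong_offset = extract_shellcode(path, 0, len(FAKE_SHELLCODE), key)
        with open(path, "rb") as f:
            f.seek(offset)
            enc = f.read(len(FAKE_SHELLCODE))
        guessed = recover_single_byte_key(enc, FAKE_SHELLCODE[:6])
        raw_offset = build_staging_file(path, FAKE_SHELLCODE, junk_len=0x200, key=b"")
        raw = extract_shellcode(path, raw_offset, len(FAKE_SHELLCODE), None)
    return {
        "offset": offset,
        "recovered_ok": recovered == FAKE_SHELLCODE,
        "wrong_offset_ok": wrong_offset == FAKE_SHELLCODE,
        "guessed_key": guessed,
        "unprotected_ok": raw == FAKE_SHELLCODE,
    }


if __name__ == "__main__":
    print(demo())
```

The `wrong_offset_ok` result shows why the offset matters: decoding from byte zero yields junk XOR key, not shellcode, which is exactly why a static scanner that does not honour the script's FileSeek argument sees nothing useful in the dropped file.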
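Both execution tricks the write-up describes (passing the shellcode address as the ENUMRESTYPEPROCA callback of EnumResourceTypesA, and registering a handler through Vectored Exception Handling) share one observable: a code pointer handed to the operating system that lands inside freshly allocated RWX memory rather than a loaded module. The detection logic below is an added example, not code from the write-up or from any vendor product. The API trace format and the SAMPLE_TRACE lines are constructed; the directory name, handles and addresses are made up. Covering AddVectoredExceptionHandler next to EnumResourceTypesA generalizes slightly beyond the text, which shows only the EnumResourceTypesA call.

```python
import re
from typing import Dict, List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40

# API -> parameter that carries a code pointer the OS will later call.
# EnumResourceTypesA and Vectored Exception Handling are the two mechanisms
# the write-up discusses; the W variant is an assumed addition.
CALLBACK_PARAMS = {
    "EnumResourceTypesA": "lpEnumFunc",
    "EnumResourceTypesW": "lpEnumFunc",
    "AddVectoredExceptionHandler": "Handler",
}

# Constructed trace format: Api(name=value, ...) -> return
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>0x[0-9A-Fa-f]+|\d+)$")

# Constructed trace modelled on the Call export's behaviour; the directory,
# handle values and addresses are invented.
SAMPLE_TRACE = [
    r'CreateFileA(lpFileName="C:\Staging\dropped.dat", dwDesiredAccess=0x80000000) -> 0x1f4',
    'VirtualAlloc(lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x40) -> 0x2a0000',
    'SetFilePointer(hFile=0x1f4, lDistanceToMove=0x1000, dwMoveMethod=0x0) -> 0x1000',
    'EnumResourceTypesA(hModule=0x400000, lpEnumFunc=0x2a0000, lParam=0x0) -> 0x1',
    'AddVectoredExceptionHandler(First=0x1, Handler=0x2a1000) -> 0x3c0010',
    # benign-looking call: callback inside the main image, should not fire
    'EnumResourceTypesA(hModule=0x400000, lpEnumFunc=0x401230, lParam=0x0) -> 0x1',
]


def parse_call(line: str) -> Optional[Tuple[str, Dict[str, object], int]]:
    """Parse one trace line into (api, {arg: value}, return value).
    Numeric values become ints; quoted values stay strings."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args: Dict[str, object] = {}
    for part in m.group("args").split(", "):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        v = v.strip()
        if v.startswith('"'):
            args[k.strip()] = v.strip('"')
        else:
            try:
                args[k.strip()] = int(v, 0)
            except ValueError:
                args[k.strip()] = v
    return m.group("api"), args, int(m.group("ret"), 0)


def find_rwx_callbacks(trace: List[str]) -> List[dict]:
    """Flag callback/handler pointers that fall inside a region returned by
    VirtualAlloc with PAGE_EXECUTE_READWRITE earlier in the same trace."""
    rwx_regions: List[Tuple[int, int]] = []
    findings: List[dict] = []
    for line in trace:
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, ret = parsed
        if api == "VirtualAlloc" and args.get("flProtect") == PAGE_EXECUTE_READWRITE and ret:
            size = args.get("dwSize", 0)
            rwx_regions.append((ret, ret + (size if isinstance(size, int) else 0)))
            continue
        param = CALLBACK_PARAMS.get(api)
        if param is None:
            continue
        ptr = args.get(param)
        if not isinstance(ptr, int):
            continue
        for start, end in rwx_regions:
            if start <= ptr < end:
                findings.append({"api": api, "pointer": ptr, "region": (start, end)})
                break
    return findings


if __name__ == "__main__":
    for f in find_rwx_callbacks(SAMPLE_TRACE):
        print(f"{f['api']}: code pointer {f['pointer']:#x} inside RWX region "
              f"{f['region'][0]:#x}-{f['region'][1]:#x}")
```

The check deliberately keys on the allocation's protection and the pointer's location, not on the API name alone: EnumResourceTypesA with a callback inside a mapped image is normal, and a sandbox or EDR rule that fires on the API by itself would drown in benign hits.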