Thursday, September 17, 2020

GuLoader's VM-Exit Instruction Hammering explained



In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On the September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion techniques.


Slow VM Exits


 The initial analysis on a virtual machine showed the following results:




As we can see in the Signature section, there are some RDTSC based evasion checks executed:



Among many other anti-evasion checks, GuLoader uses the following code to detect that it is running in a virtual machine:



The code has two main purposes. First, it measures how long the execution of the CPUID instructions takes. On real hardware, CPUID is directly executed by the CPU. Inside a virtual machine, the CPUID instruction forces a VM exit - execution is transferred from the guest VM to the host. The hypervisor handles the instructions and switches back. This transition is much slower compared to direct CPU execution. The same is true for other instructions like RDTSC. This difference is measured and used to decide if the loader is going to execute the payload or not.


Instruction Hammering


Secondly, the measurements are not executed once but executed thousands of times. The result is an overall delay which often exceeds the execution time on a sandboxed analyzer. As a result, the payload execution is never reached. This method of executing massive amounts of delay instructions to prevent the execution - also known as Instruction Hammering - is very similar to API hammering, a technique we saw in TrickBot and many other malware samples. 

Instruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the architecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have even increased the number of delay instructions being executed:






This code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used for time measurements.

On a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:



On real hardware, the loop is executed in under one second!


Bare Metal Analysis to the Rescue


Joe Sandbox is one of a few vendors offering analysis on bare metal. In this setup, the malware sample is run on a real physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based evasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal the delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped:





The full analysis report of the GuLoader variant is available here.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!