In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On the September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion techniques.
The initial analysis on a virtual machine showed the following results:
Among many other anti-evasion checks, GuLoader uses the following code to detect that it is running in a virtual machine:
The code has two main purposes. First, it measures how long the execution of the CPUID instructions takes. On real hardware, CPUID is directly executed by the CPU. Inside a virtual machine, the CPUID instruction forces a VM exit - execution is transferred from the guest VM to the host. The hypervisor handles the instructions and switches back. This transition is much slower compared to direct CPU execution. The same is true for other instructions like RDTSC. This difference is measured and used to decide if the loader is going to execute the payload or not.
Secondly, the measurements are not executed once but executed thousands of times. The result is an overall delay which often exceeds the execution time on a sandboxed analyzer. As a result, the payload execution is never reached. This method of executing massive amounts of delay instructions to prevent the execution - also known as Instruction Hammering - is very similar to API hammering, a technique we saw in TrickBot and many other malware samples.
Instruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the architecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have even increased the number of delay instructions being executed:
Joe Sandbox is one of a few vendors offering analysis on bare metal. In this setup, the malware sample is run on a real physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based evasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal the delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped: