The encoding style varies from sample to sample. Junk is appended at the beginning of the encoded shellcode. The file that holds the encoded GULoader shellcode is dropped on to victim’s disc based on the script configuration along with other data. The image shown below is an oversimplified view of the whole shellcode staging process. The deployment strategy employed by the threat actor can be studied by analyzing the NSIS script commands provided in the script file. The NSIS script, which is a file found in the archive, has a file extension “. The image below shows the structure of an NSIS GULoader staging executable archive.
The junk data is used as Anti-AV / AV Evasion technique. NSIS installer files are self-contained archives enabling malware authors to include malicious assets along with junk data. NSIS stands for Nullsoft Scriptable Installer. Since its inception, adversaries have abused the utility to deliver malware. The installer behavior is dictated by an NSIS script and users can extend the functionality of the packager by adding custom libraries (dll) known as NSIS plugins.
#Mcafee antivirus activation key free software
The NSIS scriptable installer is a highly efficient software packaging utility. In recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. Authored by: Anandeshwar Unnikrishnan Stage 1: GULoader Shellcode Deployment
0 kommentar(er)
