Security researchers have documented a new anti-analysis technique in GULOADER, a highly evasive shellcode downloader. The malware uses Windows Vectored Exception Handling (VEH), a mechanism that lets a process register handlers which see exceptions before the normal structured exception handling chain, to obstruct debugging and analysis. GULOADER typically spreads through emails carrying ZIP archives or links to VBScript files. The findings come from Elastic Security Labs, which notes that the technique abuses a feature built into Windows rather than a flaw in it.
GULOADER registers its handler by calling RtlAddVectoredExceptionHandler. From that point on, exceptions raised in the process are routed to the malware's handler, which can intercept and act on them while the program is running.
The malware then raises exceptions deliberately; each time one fires, the handler inspects the thread's debug registers, exposed through the exception's CONTEXT record, for hardware breakpoints, which would indicate that a debugger is attached. Only in the final stage does the loader deliver its malicious payload.
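To make the mechanism concrete, here is an added example in C that is not GULOADER's code and not taken from Elastic's report. It shows the two moves described above: a vectored exception handler that, on each exception it intercepts, reads the thread's debug registers (Dr0 to Dr3 and the DR7 enable bits in the CONTEXT record) to detect hardware breakpoints, and that otherwise computes where execution should resume and patches the instruction pointer. The DebugContext struct, the demo_code byte stream with its displacement byte, and the names simulated_veh, run_simulated_exception and veh_handler are constructed for this demonstration. The breakpoint check and the simulation compile on any platform; the section under #ifdef _WIN32 registers the same check as a real handler through AddVectoredExceptionHandler, the documented kernel32 wrapper around ntdll's RtlAddVectoredExceptionHandler.

```c
/* Added example (not GULOADER's code): a vectored exception handler that checks
   the thread's debug registers for hardware breakpoints and, when none are
   armed, steers execution to an address it computes itself. The check and the
   simulation are portable C; the #ifdef _WIN32 part registers a real handler. */
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for the slice of the x86/x64 Windows CONTEXT record the
   handler reads (Dr0..Dr3, Dr7, instruction pointer). */
typedef struct {
    uint64_t Dr0, Dr1, Dr2, Dr3, Dr7;
    uint64_t Rip;    /* offset of the faulting instruction in the simulated stream */
} DebugContext;

/* DR7 bits 0-7 are the local/global enable bits L0,G0 .. L3,G3 for DR0..DR3. */
#define DR7_ENABLE_MASK 0xFFu

/* 1 if a hardware breakpoint is armed, or an address sits in any debug
   register at all (conservative: an analyst may have loaded one earlier). */
int hw_breakpoint_present(const DebugContext *ctx) {
    if (ctx->Dr7 & DR7_ENABLE_MASK) return 1;
    return (ctx->Dr0 | ctx->Dr1 | ctx->Dr2 | ctx->Dr3) != 0;
}

/* Constructed instruction stream: int3 (0xCC), a one-byte forward displacement,
   NOP padding, then the instruction that should really run next (ret). A
   linear disassembler decodes the displacement byte as an opcode, so the true
   control flow is only visible when the handler runs. */
static const uint8_t demo_code[] = { 0xCC, 0x04, 0x90, 0x90, 0x90, 0x90, 0xC3 };
#define DEMO_CODE_LEN ((int)sizeof demo_code)

/* Simulated handler body. Returns the resume offset written into ctx->Rip, or
   -1 when the handler refuses to continue: a hardware breakpoint was found, or
   the exception did not come from one of its own int3 instructions. */
int simulated_veh(DebugContext *ctx, const uint8_t *code, int code_len) {
    if (hw_breakpoint_present(ctx)) return -1;       /* analyst detected */
    if (ctx->Rip + 1 >= (uint64_t)code_len || code[ctx->Rip] != 0xCC) return -1;
    uint64_t next = ctx->Rip + 2 + code[ctx->Rip + 1]; /* skip int3+disp, then jump */
    if (next >= (uint64_t)code_len) return -1;
    ctx->Rip = next;
    return (int)next;
}

/* One simulated exception with the given DR0/DR7 state and fault offset. */
int run_simulated_exception(uint64_t dr0, uint64_t dr7, uint64_t rip) {
    DebugContext ctx = { dr0, 0, 0, 0, dr7, rip };
    return simulated_veh(&ctx, demo_code, DEMO_CODE_LEN);
}

#ifdef _WIN32
#include <windows.h>

/* Real VEH: same check, then skip the one-byte int3 so execution resumes. */
static LONG CALLBACK veh_handler(PEXCEPTION_POINTERS info) {
    CONTEXT *c = info->ContextRecord;
    if (info->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;            /* not ours: pass it on */
    DebugContext dc = { c->Dr0, c->Dr1, c->Dr2, c->Dr3, c->Dr7, 0 };
    if (hw_breakpoint_present(&dc)) {
        puts("hardware breakpoint armed: taking the anti-analysis path");
        ExitProcess(1);                              /* illustrative response */
    }
#if defined(_M_X64) || defined(__x86_64__)
    c->Rip += 1;
#else
    c->Eip += 1;
#endif
    return EXCEPTION_CONTINUE_EXECUTION;
}
#endif

int main(void) {
#ifdef _WIN32
    /* Documented kernel32 wrapper around ntdll!RtlAddVectoredExceptionHandler;
       First=1 places this handler ahead of previously registered VEHs. */
    PVOID h = AddVectoredExceptionHandler(1, veh_handler);
#ifdef _MSC_VER
    __debugbreak();
#else
    __asm__ __volatile__("int3");
#endif
    puts("resumed after int3 through the vectored handler");
    RemoveVectoredExceptionHandler(h);
#else
    printf("clean context resumes at offset %d\n", run_simulated_exception(0, 0, 0));
    printf("DR0 armed through DR7.L0 -> %d\n", run_simulated_exception(0x401000, 0x1, 0));
#endif
    return 0;
}
```

On Windows the program registers the handler, executes an int3, and prints that it resumed; run under a debugger with a hardware breakpoint armed, the handler takes the exit path instead. For analysts the practical takeaways are that exception-driven control flow of this kind hides the real execution path from static disassembly, that hardware breakpoints are exactly what such a handler is looking for (software breakpoints or clearing the debug registers before the handler reads them avoid the check), and that an early call to RtlAddVectoredExceptionHandler or AddVectoredExceptionHandler in an otherwise small loader is worth flagging.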