Gacrux Malware

Gacrux Malware Description

Gacrux is a malware threat written in C that combines whole modules and code sections lifted from open-source projects with a custom-made PE loader, a rather peculiar mix. Despite the liberal use of open-source code and quite a few bugs, the Gacrux Malware is being sold on underground hacker forums. According to infosec researcher KrabsOnSecurity, Gacrux appears to have been inspired by another malware called Smoke Loader.

Anti-Analysis and Anti-VM Techniques

Although most of them can be circumvented easily, Gacrux is nonetheless equipped with quite a few anti-analysis measures. The threat first tries to disrupt IDA debugging by inserting fake returns and jumps that cause IDA to disassemble the subsequent instructions incorrectly. As an additional obfuscation measure, two of the Gacrux Malware's functions are stored encrypted on disk. To detect a possible sandbox environment, Gacrux checks the available disk space and RAM size.

Additional anti-debugging methods are sprinkled throughout the entire code of the malware. Most of them are embedded in important function segments and crash the entire process if they detect a debugger or a VM environment.

Persistence is established through a window procedure that checks the installed file and creates a startup .lnk file. The procedure is invoked periodically inside the context of explorer.exe.
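A defender triaging a host for this kind of persistence would enumerate the per-user Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) and resolve where each .lnk points, since the shortcut's display name says nothing about its target. The following Python script is an added example, not Gacrux code or anything published by the researcher: it implements a minimal parser for the Shell Link binary format (MS-SHLLINK) that reads only the header flags, the LinkInfo local base path and the StringData fields, and then flags shortcuts whose target lives under user-writable directories. The directory lists in the triage policy, the `build_sample_lnk` helper and its sample target path are constructed for the demonstration.

```python
from __future__ import annotations

import struct
from pathlib import Path

# Shell Link (.lnk) constants from the MS-SHLLINK specification
LNK_HEADER_SIZE = 0x4C
CLSID_SHELL_LINK = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: a LocalBasePath is present
# StringData sections appear in this fixed order, each present only if its LinkFlags bit is set
STRING_DATA_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                      ("arguments", 0x20), ("icon_location", 0x40))

# Constructed triage policy (an assumption, not from the page): where Startup targets usually
# live on a managed host versus user-writable locations that deserve a closer look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
REVIEW_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _read_cstring(data: bytes, start: int) -> str:
    """Read a NUL-terminated ANSI string beginning at offset `start`."""
    end = data.index(b"\x00", start)
    return data[start:end].decode("cp1252", "replace")


def parse_lnk(data: bytes) -> dict:
    """Extract the fields needed for triage: the local target path and the StringData entries."""
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != CLSID_SHELL_LINK:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) followed by the item list; the LinkInfo path is easier to use, so skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        (info_size, _hdr_size, info_flags, _vol_off,
         base_off, _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # Full local path = LocalBasePath + CommonPathSuffix; offsets are relative to the LinkInfo start
            target = _read_cstring(data, pos + base_off) + _read_cstring(data, pos + suffix_off)
        pos += info_size
    result = {"target": target}
    for key, bit in STRING_DATA_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
            pos += 2
            if flags & IS_UNICODE:
                result[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                result[key] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return result


def classify_target(target: str | None) -> str:
    """Apply the constructed triage policy to a resolved target path."""
    if target is None:
        return "unresolved"  # target only in the IDList or on a network share: inspect manually
    lowered = target.lower()
    if lowered.startswith(TRUSTED_PREFIXES):
        return "expected"
    if lowered.startswith(REVIEW_PREFIXES):
        return "review"
    return "unknown"


def scan_startup_folder(folder: Path) -> list[dict]:
    """Resolve and classify every .lnk in a Startup folder, e.g. %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup."""
    findings = []
    for lnk in sorted(folder.glob("*.lnk")):
        try:
            info = parse_lnk(lnk.read_bytes())
        except (ValueError, struct.error) as exc:
            findings.append({"lnk": lnk.name, "error": str(exc)})
            continue
        findings.append({"lnk": lnk.name, "target": info["target"],
                         "arguments": info.get("arguments", ""),
                         "verdict": classify_target(info["target"])})
    return findings


def build_sample_lnk(target: str, arguments: str = "") -> bytes:
    """Construct a minimal valid .lnk for the demo (sample data, not a shortcut from a real host)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (0x20 if arguments else 0)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, CLSID_SHELL_LINK, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty volume label
    base_path = target.encode("cp1252") + b"\x00"
    vol_off = 0x1C  # LinkInfo header size; VolumeID follows the header directly
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    info_size = suffix_off + 1  # empty CommonPathSuffix is just its terminator
    link_info = struct.pack("<7I", info_size, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + string_data


if __name__ == "__main__":
    sample = build_sample_lnk("C:\\Users\\alice\\AppData\\Roaming\\svc_update.exe", "/silent")
    info = parse_lnk(sample)
    print(info, classify_target(info["target"]))
```

On a live host, point `scan_startup_folder` at each user's Startup directory and review every entry whose verdict is not `expected`; the `arguments` field matters because a shortcut can launch a trusted binary with a command line that loads something else.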

The Gacrux Malware Borrows Open-Source Code

Several of the modules that make up Gacrux's infrastructure were lifted directly from free projects hosted on legitimate Web services. For example, the threat's syscall module is an almost identical copy of an open-source encryptor, while its module loader is taken directly from the Memory Module project found on GitHub.

Borrowed code can also be found in the execution primitive, which abuses SetPropA in a method copied from open-source implementations. For its code injection, Gacrux uses two different write primitives depending on whether it is running on a 32-bit or a 64-bit architecture. On 32-bit systems, the malware uses 'NtCreateSection/NtMapViewOfSection', while on 64-bit systems it employs 'NtAllocateVirtualMemory/NtWriteVirtualMemory'.
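Because the page ties the persistence procedure to explorer.exe and names both write-primitive pairs as well as the SetPropA execution primitive, a detection engineer can express the chain as one correlation rule: a process that writes into another process's memory with one of those pairs and shortly afterwards calls SetPropA on a window owned by that same process. The Python below is an added example, not Gacrux code or a published rule. It runs that rule over a constructed API trace; the line format (`ts pid=… image=… api=… target_pid=…`) is an assumption made for the demo, and real API monitors and EDR telemetry use their own schemas, so `parse_trace` is the part to swap.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Write-primitive pairs the page attributes to Gacrux. The bool says whether that call must
# name the remote process: NtCreateSection is a local call, the map/alloc/write calls are not.
WRITE_PRIMITIVES = {
    "section-mapping (32-bit path)": (("NtCreateSection", False), ("NtMapViewOfSection", True)),
    "alloc-and-write (64-bit path)": (("NtAllocateVirtualMemory", True), ("NtWriteVirtualMemory", True)),
}
EXEC_PRIMITIVE = "SetPropA"

# Constructed sample trace (not real telemetry). Process 4242 follows the 64-bit path, 6001 the
# 32-bit path, 5100 sets a property on its own window, 7000 writes but never allocates remotely.
SAMPLE_TRACE = """\
# ts pid=<n> image=<name> api=<name> [target_pid=<n>]
10.01 pid=4242 image=svc_update.exe api=NtAllocateVirtualMemory target_pid=1180
10.02 pid=4242 image=svc_update.exe api=NtWriteVirtualMemory target_pid=1180
10.03 pid=4242 image=svc_update.exe api=SetPropA target_pid=1180
10.10 pid=5100 image=notepad.exe api=SetPropA target_pid=5100
10.20 pid=6001 image=helper.exe api=NtCreateSection
10.21 pid=6001 image=helper.exe api=NtMapViewOfSection target_pid=1180
10.22 pid=6001 image=helper.exe api=SetPropA target_pid=1180
10.30 pid=7000 image=installer.exe api=NtWriteVirtualMemory target_pid=7005
10.31 pid=7000 image=installer.exe api=SetPropA target_pid=7005
"""


@dataclass(frozen=True)
class ApiEvent:
    ts: float
    pid: int
    image: str
    api: str
    target_pid: Optional[int] = None  # None when the call acts on the caller itself


LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<kv>.+)$")


def parse_trace(text: str) -> list[ApiEvent]:
    """Parse the constructed trace format into events sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed trace line: {raw!r}")
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        events.append(ApiEvent(
            ts=float(m.group("ts")), pid=int(fields["pid"]), image=fields["image"],
            api=fields["api"],
            target_pid=int(fields["target_pid"]) if "target_pid" in fields else None))
    return sorted(events, key=lambda e: e.ts)


def detect_setprop_injection(events: list[ApiEvent], window_seconds: float = 5.0) -> list[dict]:
    """Alert when a process writes into a remote process with a known pair and then calls
    SetPropA against a window of that same remote process within the time window."""
    by_pid: dict[int, list[ApiEvent]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.api != EXEC_PRIMITIVE or e.target_pid in (None, pid):
                continue  # SetPropA on the caller's own window is ordinary GUI behaviour
            remote = e.target_pid
            recent = [p for p in evs[:i] if e.ts - p.ts <= window_seconds]
            for label, steps in WRITE_PRIMITIVES.items():
                if all(any(p.api == api and (p.target_pid == remote or not must_target)
                           for p in recent)
                       for api, must_target in steps):
                    alerts.append({"ts": e.ts, "pid": pid, "image": e.image,
                                   "target_pid": remote, "primitive": label})
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in detect_setprop_injection(parse_trace(SAMPLE_TRACE)):
        print(alert)
```

The trace deliberately includes a process that only calls NtWriteVirtualMemory before SetPropA; the strict pair rule does not flag it, which keeps the alert tied to the two chains the page describes. Loosening the rule to any remote write followed by a cross-process SetPropA catches more variants at the cost of noise from legitimate cross-process GUI interaction, so tune the window and the pairs against baseline telemetry before deploying.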