GPU-Gated decryption evades detection: The malware itself is delivered as a large Microsoft Software Installer (MSI) file, approximately 128 MB in size. It features a GPU-gated decryption mechanism that keeps the payload encrypted unless it detects the presence of a real GPU on the system. Researchers noted that this design allows GPUGate to remain dormant in virtual machines, automated analysis environments, or less powerful machines, making it extremely difficult for security researchers to analyze.

Once activated, the malware launches PowerShell with parameters designed to bypass Windows execution policies while hiding its windows from user view. Additionally, persistence is achieved through a scheduled task running with the highest administrative privileges, allowing it to survive reboots and operate across user sessions.

The campaign also targets macOS devices, distributing AMOS Stealer (also known as Atomic Stealer) via a tailored installer that matches either x64 or ARM processors. This info-stealer, sold as malware-as-a-service on underground forums, can exfiltrate a wide range of sensitive data, including keychain passwords, VPN profiles, browser credentials, instant messaging data, documents, and cryptocurrency wallets.

Researchers noted that the inclusion of cross-platform attacks demonstrates the operator’s aim for comprehensive, persistent access across diverse enterprise environments. “The malvertising and geofencing used are customized to specifically target EU countries,” they added. “The industries we observed directly targeted included workers in the Information Technologies sector.”

For protection, Arctic Wolf recommends combining runtime inspection with sandboxing as well as boosting user awareness, as GPUGate’s advanced evasion and convincing mimicry make static defenses insufficient.
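As an added defender-side example (not code from the article or from Arctic Wolf), the Python script below turns the two Windows behaviours described above into simple detection rules and runs them over a few constructed process-creation events: PowerShell launched with an execution-policy bypass together with a hidden window, and a scheduled task created with the highest run level. The `Image|CommandLine` event format, the sample command lines and the rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    command_line: str


# Constructed sample process-creation events in a simplified "Image|CommandLine"
# form (hypothetical; not telemetry from the GPUGate campaign).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\stage2.ps1",
    r"C:\Windows\System32\schtasks.exe|schtasks.exe /Create /TN UpdateCheck /TR C:\Users\Public\run.exe /SC ONLOGON /RL HIGHEST /F",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Process",
    r"C:\Windows\System32\schtasks.exe|schtasks.exe /Query /TN Backup",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -w hidden -enc PLACEHOLDER",
]

# PowerShell accepts unambiguous parameter prefixes (-ep, -exec, -w, -win, ...),
# so the rules match on the leading letters rather than on the full switch names.
_PS_BYPASS = re.compile(r"(?:^|\s)-e\w*\s+bypass\b", re.IGNORECASE)
_PS_HIDDEN = re.compile(r"(?:^|\s)-w\w*\s+hidden\b", re.IGNORECASE)
# schtasks.exe creating a task that runs at the highest available run level.
_TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
_TASK_HIGHEST = re.compile(r"/rl\s+highest\b", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event into (image path, command line)."""
    image, _, command_line = line.partition("|")
    return image, command_line


def is_hidden_bypass_powershell(image, command_line):
    """PowerShell started with an execution-policy bypass AND a hidden window."""
    return (
        image.lower().endswith(("powershell.exe", "pwsh.exe"))
        and bool(_PS_BYPASS.search(command_line))
        and bool(_PS_HIDDEN.search(command_line))
    )


def is_highest_privilege_task(image, command_line):
    """schtasks /Create with /RL HIGHEST, i.e. a task that persists with elevated rights."""
    return (
        image.lower().endswith("schtasks.exe")
        and bool(_TASK_CREATE.search(command_line))
        and bool(_TASK_HIGHEST.search(command_line))
    )


RULES = (
    ("powershell_hidden_exec_bypass", is_hidden_bypass_powershell),
    ("schtasks_create_runlevel_highest", is_highest_privilege_task),
)


def scan(events):
    """Apply every rule to every event; return the matches in event order."""
    findings = []
    for index, line in enumerate(events):
        image, command_line = parse_event(line)
        for name, predicate in RULES:
            if predicate(image, command_line):
                findings.append(Finding(index, name, command_line))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding.event_index}: {finding.rule}: {finding.command_line}")
```

Both flags are also used by legitimate administrative scripts, so in production these rules are best treated as hunting leads to be enriched with parent process, file path and code-signing data rather than as stand-alone alerts. Because the GPU gate keeps the payload encrypted on GPU-less sandboxes, process-creation telemetry from real endpoints is where this behaviour is most likely to surface, which is in line with the article's recommendation to pair sandboxing with runtime inspection.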
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4053780/smart-gpugate-malware-exploits-github-and-google-ads-for-evasive-targeting.html

