
Gacrux Malware

Posted: October 30, 2020

The Gacrux Malware is a Trojan loader written in the C programming language. Its authors have been distributing it via online hacking forums since August 2020, and they sell it only to like-minded cybercriminals who are prepared to pay for it. Cybersecurity experts note that the Gacrux Malware appears to share many features with the infamous Smoke Loader, and it is very likely that its authors have borrowed some code from open-source malware and other projects.

The primary features of the Gacrux Malware are said to be its anti-analysis techniques. The malware checks for particular hardware properties associated with virtual machines, e.g., the hard disk size and RAM size. Furthermore, its code deliberately includes empty sections, junk jumps, and scrambled parts; this is a simple trick malware developers use to fool automated malware detection and analysis software.

The Gacrux Malware is Sold on Public Hacking Forums

If there is nothing stopping the Gacrux Malware from launching, it will proceed to copy its components to the hidden %APPDATA% folder and then set up a Windows Scheduled Task to gain persistence. The malware also uses an extra trick to gain persistence by copying a '.lnk' shortcut file to the Windows Startup folder.
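The two persistence mechanisms just described (a Scheduled Task and a Startup-folder shortcut that both launch something from under %APPDATA%) can be hunted for with a short script. The following PowerShell is an added example for this article, not code from the article or from the malware; the function name and the fields of the objects it returns are this example's own choices.

```powershell
# Added hunting script: flags scheduled tasks whose action runs from the user's
# AppData tree, and Startup-folder .lnk shortcuts whose target resolves there.
# Requires the built-in ScheduledTasks module (Windows 8 / Server 2012 and later).
function Find-AppDataPersistence {
    $roots = @([Environment]::GetFolderPath('ApplicationData'),       # %APPDATA%
               [Environment]::GetFolderPath('LocalApplicationData'))  # %LOCALAPPDATA%
    $hits = @()

    # Helper: does an (environment-variable expanded) path live under AppData?
    function Test-UnderAppData([string]$path) {
        if (-not $path) { return $false }
        $p = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
        foreach ($r in $roots) { if ($p.StartsWith($r, 'OrdinalIgnoreCase')) { return $true } }
        return $false
    }

    # 1. Scheduled tasks: inspect the executable of every action.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (Test-UnderAppData $action.Execute) {
                $hits += [pscustomobject]@{
                    Source = 'ScheduledTask'
                    Name   = "$($task.TaskPath)$($task.TaskName)"
                    Target = $action.Execute
                    Args   = $action.Arguments
                }
            }
        }
    }

    # 2. Startup-folder shortcuts: resolve each .lnk and check where it points.
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @([Environment]::GetFolderPath('Startup'),
                     [Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in $startupDirs) {
        foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            if (Test-UnderAppData $sc.TargetPath) {
                $hits += [pscustomobject]@{
                    Source = 'StartupShortcut'
                    Name   = $lnk.FullName
                    Target = $sc.TargetPath
                    Args   = $sc.Arguments
                }
            }
        }
    }
    return $hits
}

Find-AppDataPersistence | Format-Table -AutoSize
```

Hits are leads, not verdicts: many legitimate updaters and chat clients also install under AppData, so compare each flagged target against known software and its file signature before acting.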

Once the Gacrux Malware is running, it will wait for further instructions from the attackers who have access to the following commands:

  • Download and execute a payload.
  • Update the payload.
  • Remove all components.
  • Run remote commands.
  • Load a module.

The Gacrux Malware appears to have support for modules, but none of these have become public yet. Module support nevertheless makes the Trojan much more threatening, since it may carry out attacks on its own instead of relying on secondary payloads. Users can keep their systems protected from the Gacrux loader and similar threats using a reputable anti-malware service.
