Sophos experts say the threat's dropper is interesting

Jun 12, 2013 20:41 GMT  ·  By

The Chinese bootkit dubbed Guntior has been around since at least 2010. Sophos experts have analyzed a recent version of the threat’s dropper and found some interesting things.

According to Sophos’ Ahmed Zaki, the dropper has two execution branches: a dynamic link library (DLL) and an executable.

The interesting thing about it is that the DLL branch of execution is run with the aid of HelpCrt.exe, which is the legitimate Windows executable for the Windows Help Center, so the malicious code is loaded by a trusted, signed system binary rather than by the dropper itself.

HelpCrt.exe is used to run the DLL branch of execution first; only afterwards does the dropper continue with the “.exe” branch.

Another interesting thing about this Guntior variant is where it hijacks the disk I/O path. Instead of placing hooks in the miniport driver, as other bootkits do, it hooks the IRP_MJ_WRITE and IRP_MJ_READ dispatch routines of the disk class driver, which sits higher in the storage stack.

The technical details regarding how the Guntior dropper works are available on Sophos’ blog.