UULoader Malware – A Rising Cybersecurity Threat

A new strain of malware called UULoader, discovered by the Cyberint Research Team, is being actively used by threat actors to deliver next-stage payloads such as Gh0st RAT and Mimikatz.

This malware is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean and Chinese-speaking users.

The discovery of UULoader highlights the growing sophistication of cyber threats that put countless systems at risk.


Targeted Distribution and Language Clues

UULoader is distributed via fake installers for popular applications, designed to deceive unsuspecting users.

Evidence suggests that a Chinese-speaking individual is behind its development, as indicated by Chinese strings found in the program database (PDB) files embedded within the malware.

This insight strengthens the attribution of the malware’s origins, aiding cybersecurity teams in crafting targeted defenses.


How UULoader Works

UULoader’s core files are stored within a Microsoft Cabinet (.cab) archive containing two key executables, a .exe and a .dll, that have had their file headers removed to evade detection.

Cyberint’s analysis reveals that one of these executables is a legitimate binary vulnerable to DLL side-loading, a technique in which the trusted executable loads the malicious DLL, which in turn triggers the final payload, a file named “XamlHost.sys.”

This file deploys notorious tools like Gh0st RAT and the credential-stealing Mimikatz, amplifying the damage to targeted systems.
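As an added defender-side example (not code from the article or from Cyberint), the check below flags files that contain PE-typical content but lack a valid MZ/PE header, the condition the article describes for the archived .exe and .dll. The marker strings, the threshold and the sample bytes are constructed assumptions for illustration, not UULoader artifacts.

```python
import struct

# Strings that usually survive inside a PE image even after its leading DOS/PE
# headers have been cut away (assumption: the loader re-adds them at run time).
PE_INDICATORS = (b"This program cannot be run in DOS mode", b"PE\x00\x00",
                 b".text\x00", b".rdata\x00", b".data\x00")

def has_valid_mz_pe_header(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_headerless_pe(data: bytes, min_hits: int = 2) -> bool:
    """Flag a blob that carries PE-typical content but no valid leading header."""
    if has_valid_mz_pe_header(data):
        return False
    return sum(1 for marker in PE_INDICATORS if marker in data) >= min_hits

def scan_files(files: dict) -> list:
    """Return the names of blobs that look like header-stripped PE files."""
    return [name for name, blob in files.items() if looks_like_headerless_pe(blob)]

def build_sample_pe() -> bytes:
    """Constructed stand-in for a small PE: DOS header, stub text, PE signature, section names."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    stub = b"This program cannot be run in DOS mode\r\n$"
    image = bytes(dos) + stub.ljust(0x40, b"\x00")   # stub region fills 0x40..0x80
    image += b"PE\x00\x00" + b"\x00" * 20            # signature + COFF header placeholder
    return image + b".text\x00\x00\x00" + b".rdata\x00\x00"

# Constructed inputs: an intact binary, the same image with its DOS header cut off
# (the kind of file the article describes), and a plain text file.
SAMPLES = {
    "installer.exe": build_sample_pe(),
    "sideload.dll": build_sample_pe()[0x40:],
    "readme.txt": b"just a text file",
}

if __name__ == "__main__":
    print("suspicious:", scan_files(SAMPLES))   # suspicious: ['sideload.dll']
```

Run against the extracted contents of a .cab rather than the archive itself; a hit is a triage signal, not proof of malice, since packed or intentionally obfuscated legitimate files can trip the same heuristic.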


Deceptive Installation Process

The malware’s installation process is designed to mislead users. A Visual Basic Script (.vbs) within the MSI installer launches a legitimate executable, often branded as trusted software like Realtek.

In some samples, a decoy file is also executed to distract users from the malicious activity happening in the background. For instance, if the installer masquerades as a Chrome update, a real Chrome update file is launched while the malware continues its operations unnoticed.


Connections to Past Attacks

The distribution strategy used by UULoader is reminiscent of previous attacks involving fake Google Chrome installers that delivered Gh0st RAT. Last month, a similar attack chain targeted Chinese Windows users through a counterfeit Google Chrome website.

This consistent pattern of using widely recognized software to lure victims demonstrates how attackers exploit trust in popular brands.


Escalating Phishing and Cryptocurrency Scams

The emergence of UULoader coincides with an uptick in phishing attacks aimed at cryptocurrency users.

Cybercriminals have been setting up thousands of phishing websites that mimic legitimate cryptocurrency wallet platforms like Coinbase, Exodus, and MetaMask.

These sites, hosted on services like Gitbook and Webflow, redirect victims to malicious URLs that either deploy phishing content or lead to benign pages if a security researcher is detected.


Advanced Phishing Techniques Exploiting Government and AI Themes

Recent phishing campaigns have also taken advantage of government impersonation tactics in both the U.S. and India to steal sensitive data.

Some attacks abuse Microsoft’s Dynamics 365 Marketing platform to create subdomains and send phishing emails that bypass standard filters.

Dubbed “Uncle Scam,” these attacks impersonate the U.S. General Services Administration (GSA) to lure victims.

Meanwhile, cybercriminals are exploiting the popularity of generative AI by setting up scam domains mimicking OpenAI’s ChatGPT.

Over 72% of these domains incorporate keywords like “gpt” or “chatgpt,” with 35% of the traffic directed to these domains flagged as suspicious. This trend showcases how attackers blend emerging technologies with traditional phishing tactics to deceive users.


Conclusion

The rise of UULoader and its ability to disguise itself as legitimate software to deploy dangerous payloads like Gh0st RAT and Mimikatz highlights the relentless evolution of cyber threats.

The combination of advanced distribution techniques, targeted phishing attacks, and the exploitation of current trends like cryptocurrency and AI presents a daunting challenge for both individuals and organizations.

Staying informed, vigilant, and proactive in applying security measures is crucial in mitigating the risks posed by this ever-changing threat landscape.


Avani Deshpande

Hello to all tech enthusiasts. I'm Avani, and at TheTechDelta, I focus on the critical area of cyber safety & security. Our digital world is filled with both opportunities and risks. My aim is to help you navigate this complex terrain, offering insights from data breaches to identity theft prevention. With TheTechDelta's Cyber Safety section, you can confidently harness technology while ensuring your online world remains secure. Join me, and together, let's foster a safer digital experience.
