UULoader’s Latest Release Disseminates Gh0st RAT along with Mimikatz in East Asia

Aug 19, 2024Ravie LakshmananThreat Intelligence / Cryptocurrency

A newly discovered malware loader tracked as UULoader is being used to deliver next-stage payloads such as Gh0st RAT and Mimikatz.

The Cyberint Research Team, which discovered the malware, says it is distributed as malicious installers posing as legitimate applications and targets Korean- and Chinese-speaking users.

The Chinese origin of the threat actor behind UULoader is inferred from Chinese-language strings in the program database (PDB) paths embedded in the associated DLL.

“The essential files of UULoader are packaged within a Microsoft Cabinet archive (.cab) file containing two primary executables (an .exe and a .dll) that have had their file headers stripped,” the company said in a technical write-up shared with The Hacker News.


One of the executables is a legitimate binary that is susceptible to DLL side-loading: when it runs, it loads the accompanying DLL from its own directory, and that DLL in turn runs the final stage, an obfuscated file named “XamlHost.sys” that is actually a remote access tool such as Gh0st RAT or the credential-dumping tool Mimikatz.

The MSI installer also contains a Visual Basic Script (.vbs) whose job is to launch the legitimate executable (a Realtek binary, for instance). Some UULoader samples additionally open a decoy file to draw the user's attention away from the malicious activity.
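The execution chain described above (MSI installer, embedded .vbs, a legitimate executable dropped to a user-writable path, a DLL side-loaded from the executable's own directory) is the kind of lineage a detection engineer can hunt for in endpoint telemetry. The following Python is an added example, not code from Cyberint or from the original article; it runs a side-loading heuristic plus a parent-process check over constructed Sysmon-style events. The file names `RtkAudio.exe` and `RtkAudioApi.dll`, the process IDs and the paths are hypothetical stand-ins, and the flattened key=value event format is an assumption for the sake of a self-contained script.

```python
"""Hunt for a UULoader-style execution chain in Sysmon-like telemetry.

Chain described on the page: MSI installer -> embedded .vbs (wscript.exe) ->
legitimate executable dropped to a user-writable path -> that executable
side-loads a DLL sitting next to it. The events below are constructed samples
in a flattened key=value form resembling Sysmon EventID 1 (process create)
and EventID 7 (image load); they are not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events. RtkAudio.exe / RtkAudioApi.dll are hypothetical
# stand-ins for the Realtek-named executable and its side-loaded DLL.
SAMPLE_EVENTS = [
    r'EventID=1 ProcessId=4000 ParentProcessId=1200 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\msiexec.exe',
    r'EventID=1 ProcessId=4100 ParentProcessId=4000 ParentImage=C:\Windows\System32\msiexec.exe Image=C:\Windows\System32\wscript.exe',
    r'EventID=1 ProcessId=4200 ParentProcessId=4100 ParentImage=C:\Windows\System32\wscript.exe Image=C:\Users\victim\AppData\Local\Temp\Realtek\RtkAudio.exe',
    r'EventID=7 ProcessId=4200 Image=C:\Users\victim\AppData\Local\Temp\Realtek\RtkAudio.exe ImageLoaded=C:\Users\victim\AppData\Local\Temp\Realtek\RtkAudioApi.dll',
    r'EventID=7 ProcessId=4200 Image=C:\Users\victim\AppData\Local\Temp\Realtek\RtkAudio.exe ImageLoaded=C:\Windows\System32\kernel32.dll',
    # Benign: an installed application loading its own DLL from Program Files.
    r'EventID=1 ProcessId=5000 ParentProcessId=1200 ParentImage=C:\Windows\explorer.exe Image="C:\Program Files\Vendor\app.exe"',
    r'EventID=7 ProcessId=5000 Image="C:\Program Files\Vendor\app.exe" ImageLoaded="C:\Program Files\Vendor\app.dll"',
    # Suspicious but without the MSI/VBS lineage: a downloaded tool side-loading from its folder.
    r'EventID=1 ProcessId=6000 ParentProcessId=1200 ParentImage=C:\Windows\explorer.exe Image=C:\Users\victim\Downloads\tool\tool.exe',
    r'EventID=7 ProcessId=6000 Image=C:\Users\victim\Downloads\tool\tool.exe ImageLoaded=C:\Users\victim\Downloads\tool\helper.dll',
]


@dataclass
class Finding:
    pid: str
    image: str       # process that performed the load
    dll: str         # DLL loaded from the process's own directory
    chain: list      # [image, parent image, grandparent image, ...]
    severity: str    # "high" when the MSI -> script host lineage is present


def parse_event(line: str) -> dict:
    """Parse a flattened key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def ancestry(procs: dict, pid: str, max_depth: int = 8) -> list:
    """Walk ParentProcessId links through the EventID 1 records we have."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(procs[pid]["Image"])
        pid = procs[pid].get("ParentProcessId")
    return chain


def hunt(lines) -> list:
    events = [parse_event(l) for l in lines]
    procs = {e["ProcessId"]: e for e in events if e.get("EventID") == "1"}
    findings = []
    for e in events:
        if e.get("EventID") != "7":
            continue
        proc, dll = e["Image"], e["ImageLoaded"]
        if not dll.lower().endswith(".dll") or dll.lower().startswith(SYSTEM_DIRS):
            continue
        # Side-load heuristic: the DLL resolved from the EXE's own directory,
        # and that directory is one a low-privileged user can write to.
        if _dir(dll) != _dir(proc) or not proc.lower().startswith(USER_WRITABLE):
            continue
        chain = ancestry(procs, e["ProcessId"])
        names = [ntpath.basename(p).lower() for p in chain]
        severity = "medium"
        if len(names) >= 3 and names[1] in SCRIPT_HOSTS and names[2] == "msiexec.exe":
            severity = "high"  # matches the installer -> .vbs -> exe lineage on the page
        findings.append(Finding(e["ProcessId"], proc, dll, chain, severity))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        lineage = " <- ".join(ntpath.basename(p) for p in f.chain)
        print(f"[{f.severity}] {f.image} loaded {f.dll} | lineage: {lineage}")
```

The side-load test is deliberately narrow (DLL from the executable's own, user-writable directory) so that installed software under Program Files does not fire; the lineage check is what separates a UULoader-like installer chain from a merely unusual download, so tune `USER_WRITABLE` and `SYSTEM_DIRS` to the environment before relying on the severity levels.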

“Such actions are often aligned with the facade presented by the .msi file,” added Cyberint. “For instance, if posing as a ‘Chrome update,’ the decoy will genuinely resemble a legitimate Chrome update.”

Fake Google Chrome installers have been used to spread Gh0st RAT before. Recently, eSentire detailed an attack chain targeting Chinese Windows users that used a counterfeit Google Chrome website to distribute the remote access trojan.

The disclosure comes as threat actors continue to churn out cryptocurrency-themed lure websites for phishing campaigns targeting users of popular wallet services such as Coinbase, Exodus, and MetaMask.


“The culprits are exploiting cost-free hosting services like Gitbook and Webflow to create lure platforms on crypto wallet typo subdomains,” said Symantec, part of Broadcom. “These platforms entice unsuspecting individuals with details regarding cryptocurrency wallets and download links that, in reality, direct to malicious URLs.”

These URLs function as a traffic distribution system (TDS): a redirect layer that forwards visitors to phishing content, or to a harmless page when the system judges the visitor to be a security researcher (TDS operators typically make that call from signals such as the visitor's IP address, geolocation and user agent).

Several phishing campaigns have also impersonated government agencies in countries such as India and the United States, redirecting victims to fraudulent domains that harvest sensitive information. The stolen data can then be reused in follow-on scams, phishing emails, disinformation, or malware distribution.


Other incidents have shown abuse of Microsoft's Dynamics 365 Marketing platform to create subdomains and send phishing emails that slip past email filters. The campaign has been dubbed Uncle Scam because the emails impersonate the U.S. General Services Administration (GSA).

Scammers have also capitalized on the hype around generative artificial intelligence (AI) by registering fraudulent domains that mimic OpenAI's ChatGPT and using them for phishing, grayware, ransomware, and command-and-control (C2).

“Surprisingly, more than 72% of the domains are associated with renowned GenAI applications by adding terms like gpt or chatgpt,” a recent analysis from Palo Alto Networks Unit 42 said. “Out of all traffic directed towards these [newly registered domains], 35% was funneled towards suspicious domains.”
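Both the Symantec finding (wallet-brand lure sites on free-hosting typo subdomains) and the Unit 42 finding (newly registered domains that bolt “gpt” or “chatgpt” onto a name) reduce to the same triage question: does the attacker-controlled label of a hostname look like a brand or carry a hype keyword? The Python below is an added example, not Symantec's, Unit 42's or the article's own tooling. It assumes the free-hosting list is limited to the two services named on the page, uses a small illustrative digit-for-letter map for typosquat normalisation, handles public suffixes naively (no public-suffix list), and classifies a set of constructed sample hostnames that are not observed indicators.

```python
"""Triage hostnames for the two lure patterns described on the page:
crypto-wallet lookalikes on free-hosting subdomains, and GenAI keyword domains.
SAMPLE_HOSTS are constructed examples, not observed indicators."""
import re
from dataclasses import dataclass
from typing import Optional

FREE_HOSTING = ("gitbook.io", "webflow.io")        # services named on the page
WALLET_BRANDS = ("coinbase", "exodus", "metamask")  # brands named on the page
# Digit-for-letter swaps common in typosquats (assumption: small illustrative map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

SAMPLE_HOSTS = [
    "metamask-wallet.gitbook.io",   # brand plus filler on free hosting
    "coinbasse.webflow.io",         # one-character typo on free hosting
    "ex0dus-support.com",           # digit-for-letter swap
    "chatgpt-login.com",            # GenAI keyword
    "gpt-4-free.net",               # GenAI keyword as its own token
    "egypt-travel.com",             # contains "gpt" as a substring only: must not fire
    "docs.gitbook.io",              # ordinary free-hosting tenant: must not fire
]


@dataclass
class Verdict:
    host: str
    label: str
    category: Optional[str]  # "wallet_lookalike", "genai_keyword" or None
    match: Optional[str]     # brand or term that triggered the verdict
    hosting: Optional[str]   # free-hosting parent, if any


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), used to tolerate one-off typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_label(host: str):
    """Return the label the attacker controls: the left-most subdomain on free
    hosting, otherwise the second-level label. Naive by assumption: no public
    suffix list, so co.uk-style suffixes are not handled."""
    host = host.lower().strip(".")
    labels = host.split(".")
    for parent in FREE_HOSTING:
        if host.endswith("." + parent):
            return labels[0], parent
    return (labels[-2] if len(labels) >= 2 else labels[0]), None


def wallet_match(label: str) -> Optional[str]:
    fixed = label.translate(HOMOGLYPHS)
    compact = re.sub(r"[-_]", "", fixed)
    tokens = [t for t in re.split(r"[-_]+", fixed) if t]
    for brand in WALLET_BRANDS:
        if brand in compact:                    # brand plus filler: metamask-wallet
            return brand
        limit = 2 if len(brand) >= 8 else 1     # typo tolerance scaled to brand length
        for t in [compact, *tokens]:
            if len(t) >= 4 and levenshtein(t, brand) <= limit:
                return brand
    return None


def genai_match(label: str) -> Optional[str]:
    if "chatgpt" in re.sub(r"[-_]", "", label):
        return "chatgpt"
    tokens = [t for t in re.split(r"[-_\d]+", label) if t]
    # Whole-token match so that "egypt" or "gpt" buried in a word does not fire.
    if any(t == "gpt" or t.startswith("gpt") for t in tokens):
        return "gpt"
    return None


def classify(host: str) -> Verdict:
    label, hosting = candidate_label(host)
    brand = wallet_match(label)
    if brand:
        return Verdict(host, label, "wallet_lookalike", brand, hosting)
    term = genai_match(label)
    if term:
        return Verdict(host, label, "genai_keyword", term, hosting)
    return Verdict(host, label, None, None, hosting)


def triage(hosts) -> list:
    """Return only the hostnames that hit one of the two lure patterns."""
    return [v for v in (classify(h) for h in hosts) if v.category]


if __name__ == "__main__":
    for v in triage(SAMPLE_HOSTS):
        print(f"{v.host:30} {v.category:17} {v.match:9} hosting={v.hosting}")
```

An exact brand name on a free-hosting subdomain is flagged too, because the page's point is that those tenants are attacker-registered; if an organisation legitimately publishes docs there, allowlist its tenant rather than loosening the matcher. Feed this a newly-registered-domain feed or passive DNS export and the verdicts give an analyst a first cut before any TDS-aware fetching of the pages.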
