An emerging malware variant known as UULoader is now being employed by cybercriminals to disseminate secondary payloads such as Gh0st RAT and Mimikatz.
According to the findings of the Cyberint Research Team, UULoader is being spread through malicious installers disguised as legitimate applications, with a specific focus on individuals who speak Korean and Chinese.
Evidence suggests that UULoader may be linked to a Chinese-speaking actor, based on Chinese-language strings in the program database (PDB) paths embedded in the DLL file.
“UULoader’s ‘core’ components are stored in a Microsoft Cabinet archive (.cab) file, which consists of two primary executables (an .exe and a .dll) that have had their file header removed,” the organization stated in a technical report shared with The Hacker News.
One of the executables is a legitimate binary that is susceptible to DLL side-loading: when it runs, it loads the accompanying malicious DLL, which in turn launches the final stage, an obfuscated file named “XamlHost.sys” that typically houses remote access tools such as Gh0st RAT or the Mimikatz credential stealer.
Contained within the MSI installer file is a Visual Basic Script (.vbs) that is responsible for launching the legitimate executable (for example, Realtek), and some UULoader samples also drop a decoy file as a diversionary tactic.
“This typically corresponds to the facade assumed by the .msi file,” Cyberint explained. “For instance, if it pretends to be a ‘Chrome update,’ the decoy would be an authentic Chrome update.”
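For defenders triaging an extracted installer, the traits described above (executables with their file header removed, a .vbs launcher, and an obfuscated .sys payload) can be checked mechanically. The script below is an added example, not Cyberint's tooling; the directory layout and file contents it builds are constructed for illustration.

```python
import tempfile
from pathlib import Path

MZ_MAGIC = b"MZ"                 # every intact PE image (exe/dll/sys) starts with "MZ"
PE_EXTENSIONS = {".exe", ".dll", ".sys"}


def triage(root: str) -> dict:
    """Walk an extracted .msi/.cab tree and collect UULoader-style traits."""
    findings = {"stripped_header": [], "script_launcher": [], "sys_payload": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext == ".vbs":
            # the report describes a .vbs inside the MSI that starts the host executable
            findings["script_launcher"].append(path.name)
        elif ext in PE_EXTENSIONS:
            with path.open("rb") as fh:
                magic = fh.read(2)
            if magic != MZ_MAGIC:
                # PE-named file that is not a loadable image: header stripped or obfuscated
                bucket = "sys_payload" if ext == ".sys" else "stripped_header"
                findings[bucket].append(path.name)
    return findings


def build_sample(root: str) -> None:
    """Constructed sample tree mimicking the described layout; none of it is real malware."""
    d = Path(root)
    (d / "Realtek.exe").write_bytes(MZ_MAGIC + b"\x00" * 62)   # intact host binary
    (d / "helper.dll").write_bytes(b"\x00" * 64)               # DOS/PE header removed
    (d / "XamlHost.sys").write_bytes(b"\x5a\x13" * 32)         # obfuscated final stage
    (d / "run.vbs").write_text("' constructed launcher stub\n")
    (d / "decoy.pdf").write_bytes(b"%PDF-1.4 constructed decoy")  # benign decoy, not flagged


def demo() -> dict:
    """Build the constructed sample in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for trait, names in demo().items():
        print(f"{trait}: {names}")
```

Any .exe or .dll in the tree that fails the "MZ" check cannot be executed as-is and is worth a closer look, since stripping the header is exactly how the report says the loader hides its core components from static scanners.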
This is not the first instance where fake Google Chrome installers have been used to propagate Gh0st RAT. In a recent incident, eSentire revealed an attack chain aimed at Chinese Windows users, leveraging a counterfeit Google Chrome website to distribute the remote access trojan.
This development coincides with cyber threat actors setting up numerous fictitious cryptocurrency-themed websites to orchestrate phishing campaigns aimed at users of popular cryptocurrency wallet services such as Coinbase, Exodus, and MetaMask.
“These perpetrators are utilizing no-cost hosting services like Gitbook and Webflow to construct lure websites on subdomains related to crypto wallet typosquatting,” Broadcom-owned Symantec explained. “These websites attract potential victims with details on crypto wallets and download links that, in reality, direct them to malicious URLs.”
These URLs function as a traffic distribution system (TDS), redirecting users to phishing content or benign pages if the tool identifies the visitor as a security researcher.
Moreover, phishing campaigns have been impersonating legitimate government organizations in India and the U.S. to reroute users to counterfeit domains.
Several of these attacks have exploited Microsoft’s Dynamics 365 Marketing platform to establish subdomains and dispatch phishing emails, enabling them to evade email filters. These activities have been labeled as Uncle Scam due to the emails’ impersonation of the U.S. General Services Administration (GSA).
Furthermore, social engineering tactics have capitalized on the rise of generative artificial intelligence (AI) to create fraudulent domains resembling OpenAI ChatGPT, facilitating the propagation of suspicious and malicious practices like phishing, grayware, ransomware, and command-and-control (C2).
“Surprisingly, more than 72% of these domains associate themselves with prominent GenAI applications by incorporating terms such as gpt or chatgpt,” Palo Alto Networks Unit 42 revealed.