Novel UULoader Malicious Software Spreads Gh0st RAT and Mimikatz across East Asia

Aug 19, 2024Ravie LakshmananThreat Intelligence / Cryptocurrency

A new malware loader known as UULoader is being actively used by threat actors to deliver next-stage payloads such as Gh0st RAT and Mimikatz.


Cyberint Research Team, which discovered the malware, said it is distributed through fake installers for legitimate applications that target Korean and Chinese speakers.

The evidence strongly suggests that UULoader was written by a Chinese speaker, given the Chinese-language strings in the program database (PDB) information embedded in the DLL file.

“UULoader’s primary files are stored in a Microsoft Cabinet archive (.cab) file that encompasses two key executables (an .exe and a .dll) stripped of their file header,” the firm mentioned in a detailed report shared with The Hacker News.


One of the executables is a legitimate binary that is susceptible to DLL side-loading; it is used to load the malicious DLL, which in turn launches the final stage, an obfuscated file named “XamlHost.sys” containing remote access tools such as Gh0st RAT or the Mimikatz credential-dumping tool.

The MSI installer also contains a Visual Basic Script (.vbs) that launches the executable (for instance, a Realtek binary); some UULoader samples additionally run a decoy file as a distraction.
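The report's detail that the two executables ship in the .cab "stripped of their file header" is useful for defenders, because it is exactly what defeats naive magic-byte scanning of installer contents. The following scanner is an added example (not Cyberint's or the article's code); it assumes that stripping means the leading 64-byte DOS header (the "MZ" magic and e_lfanew) is removed while the PE signature and COFF header remain, and it builds its own minimal PE image as constructed test data.

```python
# Added example (not Cyberint's or the article's code): a heuristic scanner
# for Windows executables whose DOS/"MZ" header has been stripped, as the
# report says UULoader's CAB payloads are. Assumption: "stripped of their
# file header" means the leading DOS header (the MZ magic and e_lfanew) is
# gone while the PE signature and COFF header remain in the file body.
import struct

PE_SIG = b"PE\x00\x00"
DOS_STUB_MSG = b"This program cannot be run in DOS mode"
KNOWN_MACHINES = {0x014C, 0x8664, 0xAA64}  # x86, x64, ARM64


def classify(data: bytes) -> str:
    """Return 'pe' for an intact PE, 'headerless-pe' for a PE whose MZ
    header was removed, or 'other' for anything else."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "pe"
    # No valid MZ header: search the body for a PE signature followed by a
    # plausible COFF header (known machine type, sane section count).
    idx = data.find(PE_SIG)
    if idx != -1 and len(data) >= idx + 24:
        machine, nsections = struct.unpack_from("<HH", data, idx + 4)
        if machine in KNOWN_MACHINES and 0 < nsections <= 96:
            return "headerless-pe"
    # Weaker signal: the DOS stub message survived even if the header did not.
    if DOS_STUB_MSG in data:
        return "headerless-pe"
    return "other"


def scan(files: dict) -> list:
    """Return the names of files (name -> bytes) that look like headerless PEs."""
    return [name for name, data in files.items() if classify(data) == "headerless-pe"]


def build_sample_pe() -> bytes:
    """Construct a minimal, non-runnable PE image (constructed test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature offset
    header = (bytes(dos) + DOS_STUB_MSG + b"\r\n$").ljust(0x80, b"\x00")
    # COFF header: x64, 2 sections, no timestamp/symbols, 240-byte optional
    # header, Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    return header + PE_SIG + coff + b"\x00" * 64


if __name__ == "__main__":
    intact = build_sample_pe()
    stripped = intact[0x40:]  # drop the 64-byte DOS header (our assumed stripping)
    print(scan({"realtek.exe": intact, "payload.bin": stripped, "readme.txt": b"hello"}))
```

In practice you would run `scan` over the extracted contents of a suspicious .cab or .msi; anything reported as `headerless-pe` is a file that a loader must repair before it can execute, which is itself a strong indicator worth alerting on.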

“Typically reflecting what the .msi file claims to be,” Cyberint stated. “For example, if it masquerades as a ‘Chrome update,’ the decoy will be a veritable legitimate update for Chrome.”

Fake Google Chrome installers that deliver Gh0st RAT have been reported before. Last month, eSentire described an attack chain targeting Chinese-speaking Windows users that used a counterfeit Google Chrome site to distribute the remote access trojan.

The disclosure comes as threat actors have been observed setting up numerous cryptocurrency-themed lure sites to phish users of popular wallet services such as Coinbase, Exodus, and MetaMask.


“These malicious actors are resorting to free hosting services such as Gitbook and Webflow to establish lure sites on crypto wallet typo subdomains,” Symantec, owned by Broadcom, stated. “These sites attract potential victims with crypto wallet information and download links that lead to malicious URLs.”

The URLs act as a traffic distribution system (TDS) that redirects visitors either to phishing content or to a benign page when the system identifies the visitor as a security researcher.
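Symantec's observation that the lure sites sit on "crypto wallet typo subdomains" of free hosting services suggests a simple triage check for defenders: look at the tenant-controlled part of a hostname on such a platform and compare its labels with wallet brand names. The script below is an added example (not Symantec's tooling); the brand list, hosting suffixes, legitimate domains and sample hostnames are constructed for this illustration and are not taken from the report.

```python
# Added example (not Symantec's tooling): flag hostnames on free hosting
# platforms whose tenant-controlled labels typosquat crypto-wallet brands.
# The brand list, hosting suffixes, legitimate domains and sample hostnames
# below are constructed for this illustration, not taken from the report.

BRANDS = ("coinbase", "exodus", "metamask")
FREE_HOST_SUFFIXES = (".gitbook.io", ".webflow.io")
LEGIT_DOMAINS = ("coinbase.com", "exodus.com", "metamask.io")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple:
    """Return (verdict, brand): 'legitimate', 'brand-lure' (exact brand name
    used as a label on a free host), 'typosquat' (one edit away from a
    brand), or 'unknown'."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return ("legitimate", None)
    suffix = next((s for s in FREE_HOST_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        return ("unknown", None)
    # Split the tenant part ("metamsk-support" in metamsk-support.gitbook.io)
    # into tokens on dots and hyphens and compare each token with every brand.
    tenant = host[: -len(suffix)]
    tokens = [t for label in tenant.split(".") for t in label.split("-") if t]
    for tok in tokens:
        for brand in BRANDS:
            if tok == brand:
                return ("brand-lure", brand)
            if edit_distance(tok, brand) <= 1:
                return ("typosquat", brand)
    return ("unknown", None)


def triage(hosts) -> list:
    """Return (host, verdict, brand) for every host flagged as a lure or typosquat."""
    out = []
    for h in hosts:
        verdict, brand = classify_host(h)
        if verdict in ("brand-lure", "typosquat"):
            out.append((h, verdict, brand))
    return out


if __name__ == "__main__":
    SAMPLE_HOSTS = [  # constructed sample hostnames
        "help.coinbase.com",
        "metamsk-support.gitbook.io",
        "exodus-wallet.webflow.io",
        "docs.example.gitbook.io",
    ]
    for row in triage(SAMPLE_HOSTS):
        print(row)
```

Feeding `triage` with hostnames from proxy or DNS logs gives a first-pass list for analyst review; the one-edit threshold keeps false positives low, and hosts under the brands' real domains are excluded before any comparison is made.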

Phishing campaigns have also impersonated legitimate government entities in India and the U.S. to redirect users to fraudulent domains that harvest sensitive data for later use in further scams, phishing email campaigns, disinformation and misinformation, or malware delivery.


Some of these attacks stand out for abusing Microsoft’s Dynamics 365 Marketing platform to create subdomains and send phishing emails, allowing them to bypass email filters. The attacks have been dubbed Uncle Scam because the emails impersonate the U.S. General Services Administration (GSA).

Social engineering efforts have also capitalized on the popularity of generative artificial intelligence (AI), registering fraudulent domains that mimic OpenAI ChatGPT in order to carry out suspicious and malicious activity, including phishing, grayware, ransomware, and command-and-control (C2).

“Incredibly, more than 72% of the domains attempt to associate with popular GenAI applications through keywords like gpt or chatgpt,” Palo Alto Networks Unit 42 stated in an analysis released last month. “Out of all visits to these [newly registered domains], 35% were directed to suspicious domains.”
