East Asian countries targeted by the new UULoader malware

August 22, 2024
UULoader East Asia Cyberattack RAT Malware

Cybercriminals are using a new malware loader called UULoader to deliver next-stage payloads. According to reports, the payloads this new loader deploys are Mimikatz and Gh0st RAT.

Researchers revealed that the attackers commonly spread this new malware through malicious installers for legitimate programs aimed at Chinese and Korean users. The analysis of the loader also found Chinese strings in the program database (PDB) paths inside the DLL file, proving that UULoader is China-made malware even though it targets Chinese users.


The UULoader malware has a couple of principal executables stored in a cab file.


According to the investigation, the UULoader malware's core files are stored in a Microsoft Cabinet archive (.cab), which includes two principal executables, an .exe and a .dll, both with stripped file headers.

One of the executables is a legitimate binary vulnerable to DLL sideloading, which is abused to sideload the DLL that in turn loads the final stage. This final stage is an obfuscated "XamlHost.sys" file containing remote access tooling such as Gh0st RAT and the Mimikatz credential-stealing tool.
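As an added detection example (not code from the article or from the researchers it cites), the Python script below flags dropped files whose DOS/MZ header has been stripped, as the article says UULoader's .exe and .dll are, by looking for leftovers of the PE layout that usually survive such stripping; the sample blobs it scans are constructed inline.

```python
"""Heuristic detector for PE files whose DOS/MZ header has been stripped.

Added example, not part of the original article. A stripped executable no
longer starts with the 'MZ' magic, so naive file-type checks miss it, but the
DOS stub text and the 'PE\\0\\0' signature usually remain near the start.
"""
import struct

MZ_MAGIC = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def classify_pe_bytes(data: bytes) -> str:
    """Return 'pe', 'stripped-pe', or 'other' for a blob of file content."""
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "pe"
    # Header gone or damaged: look for leftovers of the PE layout up front.
    if DOS_STUB_TEXT in data[:0x400] or PE_SIG in data[:0x400]:
        return "stripped-pe"
    return "other"


def scan_files(files: dict) -> dict:
    """Classify every (name -> bytes) entry, e.g. the contents of a .cab."""
    return {name: classify_pe_bytes(blob) for name, blob in files.items()}


def _build_fake_pe() -> bytes:
    """Constructed minimal PE-like blob: MZ header, e_lfanew -> PE signature."""
    dos = bytearray(MZ_MAGIC + b"\x00" * 0x3A)     # 0x3C bytes of DOS header
    dos += struct.pack("<I", 0x80)                  # e_lfanew at offset 0x3C
    stub = (DOS_STUB_TEXT + b".\r\n$").ljust(0x40, b"\x00")
    return bytes(dos + stub + PE_SIG + b"\x4c\x01" + b"\x00" * 0x100)


# Constructed samples: one intact PE, one with its first 0x40 bytes removed
# (mimicking a stripped header), and one plain text file.
SAMPLE_FILES = {
    "intact.exe": _build_fake_pe(),
    "stripped.dll": _build_fake_pe()[0x40:],
    "readme.txt": b"just text",
}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```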

The MSI installation file also contains a Visual Basic Script (.vbs) that launches the executable (Realtek, for example). Some UULoader samples also use a decoy file as a diversion tactic.

A separate researcher also explains that the decoy is typically whatever the .msi file pretends to be. For example, if it tries to pass itself off as a 'Chrome update,' the decoy will be a valid Chrome update.

This incident is not the first time fake Google Chrome installers have resulted in the launching of the notorious Gh0st RAT. Last month, researchers described an attack chain targeting Chinese Windows users that used a phoney Google Chrome site to distribute the remote access trojan (RAT).

This finding comes as threat actors created thousands of cryptocurrency-themed lure sites for phishing operations against customers of well-known cryptocurrency wallet services such as MetaMask, Exodus, and Coinbase.
