New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia

0

A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz.

The Cyberint Research Team, which discovered the malware, said it’s distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers.

There is evidence pointing to UULoader being the work of a Chinese speaker due to the presence of Chinese strings in program database (PDB) files embedded within the DLL file.

“UULoader’s ‘core’ files are contained in a Microsoft Cabinet archive (.cab) file which contains two primary executables (an .exe and a .dll) which have had their file header stripped,” the company said in a technical report shared with The Hacker News.

One of the executables is a legitimate binary that’s susceptible to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscate file named “XamlHost.sys” that’s nothing but remote access tools such as Gh0st RAT or the Mimikatz credential harvester.

Present within the MSI installer file is a Visual Basic Script (.vbs) that’s responsible for launching the executable – e.g., Realtek – with some UULoader samples also running a decoy file as a distraction mechanism.

“This usually corresponds to what the .msi file is pretending to be,” Cyberint said. “For example, if it tries to disguise itself as a ‘Chrome update,’ the decoy will be an actual legitimate update for Chrome.”

This is not the first time bogus Google Chrome installers have led to the deployment of Gh0st RAT. Last month, eSentire detailed an attack chain targeting Chinese Windows users that employed a fake Google Chrome site to disseminate the remote access trojan.

The development comes as threat actors have been observed creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of popular cryptocurrency wallet services like Coinbase, Exodus, and MetaMask, among others.

“These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typosquatter subdomains,” Broadcom-owned Symantec said. “These sites lure potential victims with information about crypto wallets and download links that actually lead to malicious URLs.”

These URLs serve as a traffic distribution system (TDS) redirecting users to phishing content or to some innocuous pages if the tool determines the visitor to be a security researcher.

Phishing campaigns have also been masquerading as legitimate government entities in India and the U.S. to redirect users to phony domains that collect sensitive information, which can be leveraged in future operations for further scams, sending phishing emails, spreading disinformation/misinformation, or distributing malware.

Some of these attacks are noteworthy for the abuse of Microsoft’s Dynamics 365 Marketing platform to create subdomains and send phishing emails, thereby slipping through email filters. These attacks have been codenamed Uncle Scam owing to the fact that these emails impersonate the U.S. General Services Administration (GSA).

Social engineering efforts have further cashed in on the popularity of the generative artificial intelligence (AI) wave to set up scam domains mimicking OpenAI ChatGPT to proliferate suspicious and malicious activity, including phishing, grayware, ransomware, and command-and-control (C2).

“Remarkably, over 72% of the domains associate themselves with popular GenAI applications by including keywords like gpt or chatgpt,” Palo Alto Networks Unit 42 said in an analysis last month. “Among all traffic toward these [newly registered domains], 35% was directed toward suspicious domains.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here