
Uncovering the Threat: How to Protect Against the New UULoader Malware in East Asia

Aug 21, 2024

2 min read


A newly identified malware loader, UULoader, is being used by threat actors to deliver advanced payloads such as Gh0st RAT and Mimikatz. Discovered by the Cyberint Research Team, UULoader is distributed through malicious installers for legitimate applications and specifically targets Korean and Chinese speakers. Its origin is suspected to be Chinese-speaking individuals, as evidenced by Chinese text in the program database (PDB) information embedded in the DLL.


[Image: UULoader Malware. Source - thehackernews.com]

According to Cyberint, UULoader's core components are housed in a Microsoft Cabinet (.cab) file that includes two main executables, an .exe and a .dll, both with their file headers stripped. The executable is a genuine, legitimately signed-looking binary that is vulnerable to DLL side-loading; it loads the DLL, which in turn deploys a hidden stage named "XamlHost.sys." That stage is a cover for the final payload, a remote access tool such as Gh0st RAT or the credential-dumping tool Mimikatz.
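Stripping the file headers defeats naive type checks on the extracted files, but fragments of the PE layout usually survive. The following Python scan is an added defensive illustration, not Cyberint's tooling or code from the article: it classifies byte blobs as intact PE, header-stripped PE, or something else by counting leftover PE markers. The blobs are constructed stand-ins for files pulled out of a .cab archive; no real sample is embedded, and the marker list and threshold are assumptions to tune.

```python
"""Heuristic scan for PE images whose leading headers were stripped.

Added example, not Cyberint's code. A removed MZ/DOS header breaks
magic-number checks, so this looks for PE internals that survive the
cut: the PE signature, section names and the DOS stub text. The byte
blobs at the bottom are constructed stand-ins for files from a .cab.
"""
import struct

PE_SIG = b"PE\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
SECTION_NAMES = (b".text\x00", b".rdata\x00", b".data\x00", b".rsrc\x00", b".reloc\x00")


def classify(data: bytes) -> str:
    """Return 'pe' (intact), 'headerless-pe' (suspicious) or 'other'."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # Intact DOS header: follow e_lfanew to the PE signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "pe"
    # No usable MZ header: count PE fragments that header stripping leaves behind.
    indicators = 0
    indicators += PE_SIG in data
    indicators += DOS_STUB_TEXT in data
    indicators += sum(name in data for name in SECTION_NAMES)
    return "headerless-pe" if indicators >= 2 else "other"   # threshold is an assumption


def scan(files: dict) -> dict:
    """Map each file name to its classification; callers act on 'headerless-pe'."""
    return {name: classify(blob) for name, blob in files.items()}


def _constructed_pe() -> bytes:
    """Minimal constructed PE-shaped blob: DOS header, PE signature, section names."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)       # e_lfanew points just past it
    body = PE_SIG + b"\x00" * 20 + b".text\x00\x00\x00" + b".rdata\x00\x00"
    return bytes(dos_header) + body


# Constructed sample "extracted from a cab": one intact binary, one with its
# first 0x40 bytes (the DOS header) cut off, and one plain-text decoy.
SAMPLE_FILES = {
    "viewer.exe": _constructed_pe(),
    "helper.dll": _constructed_pe()[0x40:],
    "readme.txt": b"release notes for the viewer",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:12} {verdict}")
```

The check deliberately does not try to repair or execute anything; a "headerless-pe" verdict is a triage signal that the archive contents deserve sandbox analysis rather than being treated as data files.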


The MSI installer file includes a Visual Basic Script (.vbs) that launches the executable. The installer is often disguised as a legitimate application update, such as one for Chrome, and some variants also drop a decoy file to mislead the user. Using fake Google Chrome installers to spread Gh0st RAT is not a new tactic: eSentire recently reported a similar attack targeting Chinese-speaking Windows users through a counterfeit Chrome update site.
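The installer chain described above leaves a distinctive parent-child trail in process-creation telemetry: msiexec.exe starts a script host, which starts an executable. The Python below is an added detection sketch, not eSentire's or Cyberint's content; it builds a parent map over constructed process events (the record fields and file paths are assumptions, not a real sensor's schema) and flags any program launched by wscript.exe or cscript.exe that itself ran under msiexec.exe.

```python
"""Flag the msiexec -> script host -> executable launch chain.

Added example, not a vendor's detection rule. The process-creation
records are constructed; the field names ("pid", "ppid", "image",
"cmdline") and the paths are assumptions standing in for whatever
EDR or Sysmon event-1 data a real pipeline would feed in.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"

# Constructed sample events: one installer-driven script launch plus benign noise.
EVENTS = [
    {"pid": 300, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\u\\Downloads\\ChromeSetup.msi"'},
    {"pid": 520, "ppid": 400, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs"'},
    {"pid": 610, "ppid": 520, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\viewer.exe",
     "cmdline": "viewer.exe"},
    # Benign: a logon script run directly by explorer, and a normal browser start.
    {"pid": 700, "ppid": 300, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe logon.vbs"},
    {"pid": 710, "ppid": 700, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 800, "ppid": 300, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "chrome.exe"},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on non-Windows hosts)."""
    return image.rsplit("\\", 1)[-1].lower()


def find_msi_script_launches(events: list) -> list:
    """Return executables whose parent is a script host spawned by msiexec.exe.

    Assumes pids are unique within the event window (no pid reuse).
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is None or basename(grandparent["image"]) != INSTALLER:
            continue
        hits.append({
            "pid": e["pid"],
            "image": e["image"],
            "script": parent["cmdline"],       # which .vbs did the launching
            "installer": grandparent["cmdline"],  # which .msi started it all
        })
    return hits


if __name__ == "__main__":
    for h in find_msi_script_launches(EVENTS):
        print(f"pid {h['pid']}: {h['image']}  <- {h['script']}  <- {h['installer']}")
```

Legitimate installers rarely need a script host to start a fresh executable out of a user-writable directory, so the three-process chain is a reasonable hunting query even before the dropped binary's hash is known; the usual tuning step is an allow-list for packages known to use custom actions this way.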


Meanwhile, threat actors are creating numerous cryptocurrency-themed phishing sites to deceive users of popular wallets such as Coinbase, Exodus, and MetaMask. These lure sites, often hosted on free services like Gitbook and Webflow, present wallet-related information alongside malicious download links.


Phishing campaigns have also been seen imitating legitimate government agencies in India and the U.S., redirecting users to fraudulent domains that harvest sensitive information for later abuse, including phishing, disinformation, and malware distribution. Notably, some attacks have abused Microsoft's Dynamics 365 Marketing platform to generate subdomains and send phishing emails that bypass email filters. These operations, dubbed Uncle Scam, impersonate the U.S. General Services Administration (GSA) to trick victims.


Additionally, social engineering schemes have capitalized on the popularity of generative AI to create scam domains mimicking OpenAI's ChatGPT. Over 72% of these domains include keywords like "gpt" or "chatgpt," with 35% of the traffic directed towards suspicious sites, according to Palo Alto Networks Unit 42.



References -

  1. https://thehackernews.com/2024/08/new-uuloader-malware-distributes-gh0st.html?&web_view=true

  2. https://techconnex.westcon.com/news/2126900

  3. https://www.scmagazine.com/brief/gh0st-rat-mimikatz-spread-via-new-uuloader-malware
