A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads such as Gh0st RAT and Mimikatz.
Cyberint, the research group that discovered the malware, said it was distributed as malicious installers for legitimate apps targeting Korean and Chinese speakers.
There is evidence that UULoader is the work of a native Chinese speaker, given the presence of Chinese-language strings in the program database (PDB) information embedded in the DLL file.
“UULoader’s ‘core’ files are contained in a Microsoft Cabinet archive (.cab) file that contains two core executables (.exe and .dll) with the file header removed,” Cyberint said in a technical report shared with The Hacker News.
One of the executables is a legitimate binary susceptible to DLL side-loading; it is used to side-load a DLL that eventually loads the final stage, an obfuscated file named “XamlHost.sys”, which is nothing more than a remote access tool such as Gh0st RAT or a credential harvester such as Mimikatz.
The MSI installer file contains a Visual Basic script (.vbs) that is responsible for running an executable, such as a legitimate Realtek binary, with some UULoader samples also running a decoy file as a distraction mechanism.
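Stripping the file header from a PE payload is a cheap way to defeat signature scanners that key on the leading “MZ” bytes, while leaving the rest of the image intact for a loader that restores the header in memory. The script below is an added triage example, not code from Cyberint or from UULoader: it hunts for a PE image whose DOS header is missing by locating a plausible “PE\0\0” signature followed by a sane COFF header, and then prepends a minimal DOS header so that ordinary PE parsers accept the file for analysis. The sample binary it scans is constructed inline, and the assumption that exactly the 64-byte DOS header was removed is illustrative; the actual number of bytes UULoader strips is not stated on this page.

```python
import struct

# IMAGE_FILE_HEADER.Machine values accepted as plausible (PE format constants).
PE_MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
# IMAGE_OPTIONAL_HEADER.Magic values.
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
DOS_HEADER_LEN = 64  # sizeof(IMAGE_DOS_HEADER)


def find_headless_pe(data: bytes, window: int = 4096):
    """Hunt for a PE image whose DOS ('MZ') header has been stripped.

    Returns (pe_offset, machine, section_count, pe_type) when a 'PE\\0\\0'
    signature followed by a sane COFF header and optional-header magic is
    found within the first `window` bytes of a file that does NOT start
    with 'MZ'. Returns None for intact PEs and for non-PE data.
    """
    if data[:2] == b"MZ":
        return None  # intact DOS header: an ordinary PE, not a headless one
    pos = data.find(b"PE\x00\x00", 0, window)
    while pos != -1:
        # COFF header (20 bytes) starts right after the signature; the
        # optional header's Magic field is the 2 bytes after that.
        if pos + 26 <= len(data):
            (machine, nsections, _timestamp, _symptr, _nsyms,
             opt_size, _chars, opt_magic) = struct.unpack_from("<HHIIIHHH", data, pos + 4)
            if (machine in PE_MACHINES and 0 < nsections <= 96
                    and opt_magic in OPT_MAGIC and opt_size >= 0x60):
                return pos, PE_MACHINES[machine], nsections, OPT_MAGIC[opt_magic]
        pos = data.find(b"PE\x00\x00", pos + 1, window)
    return None


def restore_dos_header(headless: bytes, pe_offset: int) -> bytes:
    """Prepend a minimal IMAGE_DOS_HEADER so standard PE tooling parses the file.

    Only e_magic ('MZ') and e_lfanew matter to the loader and to parsers;
    after prepending 64 bytes the PE signature sits at pe_offset + 64.
    """
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset + DOS_HEADER_LEN)  # e_lfanew
    return bytes(dos) + headless


def build_sample_pe() -> bytes:
    """Constructed test input (not a real sample): a minimal x64 PE header blob."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - DOS_HEADER_LEN, b"\x00")
    # Machine=AMD64, 3 sections, SizeOfOptionalHeader=0xF0 (PE32+), EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)  # Magic=PE32+, rest zeroed
    return bytes(dos) + stub + b"PE\x00\x00" + coff + opt


def strip_dos_header(pe: bytes) -> bytes:
    """Model the evasion: drop the 64-byte DOS header (assumed stripping size)."""
    return pe[DOS_HEADER_LEN:]


if __name__ == "__main__":
    headless = strip_dos_header(build_sample_pe())
    hit = find_headless_pe(headless)
    print("headless PE:", hit)
    if hit:
        restored = restore_dos_header(headless, hit[0])
        print("restored e_lfanew: 0x%x" % int.from_bytes(restored[0x3C:0x40], "little"))
```

The detector deliberately does not trust the first “PE\0\0” it sees: a stray occurrence in data would fail the machine-type and optional-header checks, which keeps false positives low when the scan is run over every extracted .cab member. The restored file is only good enough for static parsers and disassemblers; nothing here rebuilds a DOS stub, and a loader that also scrambles other fields would need further repair.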
“This is usually what the .msi file claims to be,” Cyberint said. “For example, if it tries to disguise itself as a ‘Chrome update’, the decoy will actually be a legitimate Chrome update.”
This is not the first time that fake Google Chrome installers have led to the deployment of Gh0st RAT. Last month, eSentire detailed an attack chain targeting Chinese Windows users that used a spoofed Google Chrome site to spread the remote access trojan.
The development comes as threat actors have been observed creating thousands of cryptocurrency-themed phishing sites targeting users of popular cryptocurrency wallet services such as Coinbase, Exodus, and MetaMask, among others.
“These actors use free hosting services such as Gitbook and Webflow to create attractive sites on cryptowallet typosquatter subdomains,” Broadcom-owned Symantec said. “These sites lure potential victims with information about crypto wallets and download links that actually lead to malicious URLs.”
These URLs act as a traffic distribution system (TDS), redirecting users either to phishing content or to harmless pages if the tool determines that the visitor is a security researcher.
Phishing campaigns have also been observed masquerading as legitimate government entities in India and the U.S., redirecting users to fake domains that harvest sensitive information, which can then be used in future operations to commit fraud, send further phishing emails, spread disinformation/misinformation, or distribute malware.
Some of these attacks are notable for abusing Microsoft’s Dynamics 365 Marketing platform to create subdomains and send phishing emails, bypassing email filters. The attacks have been given the codename Uncle Scam because the emails impersonate the U.S. General Services Administration (GSA).
Social engineering efforts have further capitalized on the popularity of the generative artificial intelligence (AI) wave to create fraudulent domains that mimic OpenAI ChatGPT in order to carry out suspicious and malicious activities, including phishing, grayware, ransomware, and command-and-control (C2).
“Notably, more than 72% of domains associate themselves with popular GenAI programs by including keywords such as gpt or chatgpt,” Palo Alto Networks Unit 42 said in an analysis published last month. “Among all traffic to these [newly registered domains], 35% was directed to suspicious domains.”