Researchers from Cyberint have discovered a new malware loader called UULoader that threat actors are actively using to deliver second-stage payloads such as Gh0st RAT and Mimikatz. The loader, distributed as fake installers for legitimate applications, primarily targets Korean- and Chinese-speaking users.
The researchers believe UULoader was most likely built by a native Chinese speaker, because Chinese-language strings were found in the program database (PDB) debug paths embedded in the DLL.
The defining feature of UULoader is that its core components are stored in a Microsoft Cabinet (.cab) archive containing two executables, an .exe and a .dll, both stripped of their file headers so that static scanners do not recognise them as PE files. The .exe is a legitimate, signed application that is vulnerable to DLL sideloading: when it runs, it loads the attacker's DLL from its own directory instead of the intended system library, and that DLL kicks off the final stage of the attack.
In the final stage the DLL loads a file disguised as “Xamlhost.sys”, which is not a driver but the actual payload. Depending on the operators' choice, this is either Gh0st RAT (a remote access trojan) or Mimikatz (a credential-dumping tool).
The UULoader installer is an MSI that also carries a Visual Basic Script (.vbs) which launches the legitimate executable, for example one from Realtek, to trigger the sideload. Some UULoader samples additionally drop a decoy file to divert the victim's attention: if the sample poses as a Google Chrome update, the victim is shown what looks like a genuine Chrome update while the loader runs in the background.
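Two checks a responder might run when triaging a drop like the one described above, as an added example that is not Cyberint's code or any tool named in the report: a file-level test for executables whose PE header has been stripped (the "headerless" .exe/.dll in the .cab), and an event-level hunt for a binary in a user-writable folder loading a DLL from its own directory that shares a name with a Windows system DLL (the sideloading pattern). The file bytes, the image-load events, the path names and the list of DLL names are all constructed for this example; the report does not name the sideloaded DLL.

```python
"""Triage helpers for a UULoader-style DLL-sideloading drop (added example)."""
import struct
from pathlib import PureWindowsPath

# DLL names that legitimately live in System32.  A same-named DLL sitting next
# to an application binary in a user-writable folder is a classic sideloading
# setup.  Constructed list for the example, not UULoader's actual DLL name.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "winmm.dll", "cryptbase.dll"}

# Directories a standard user can write to (lower-cased prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def pe_header_state(data: bytes) -> str:
    """Classify a blob by its PE header.

    Returns 'pe' for a well-formed MZ + PE signature, 'mz-only' when the DOS
    stub is present but e_lfanew does not point at 'PE\\0\\0', and 'headerless'
    when the MZ magic is missing entirely (the state of the files in the .cab).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "headerless"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz-only"


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a normal user can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def sideload_candidates(events):
    """Return (process_image, loaded_module) pairs that look like sideloading.

    `events` are dicts with 'image' (the process executable) and 'loaded'
    (the module path), the shape of a Sysmon Event ID 7 image-load record.
    A hit requires: same directory, a system DLL name, and a user-writable
    location.  A vendor redistributing version.dll under Program Files is
    therefore not flagged.
    """
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        loaded = PureWindowsPath(ev["loaded"])
        if (
            image.parent == loaded.parent                      # case-insensitive
            and loaded.name.lower() in SYSTEM_DLL_NAMES
            and is_user_writable(str(loaded.parent))
        ):
            hits.append((ev["image"], ev["loaded"]))
    return hits


# --- constructed sample data -------------------------------------------------
# Minimal MZ header whose e_lfanew (offset 0x3C) points at a PE signature.
VALID_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
MZ_ONLY = b"MZ" + b"\0" * 0x3E          # e_lfanew == 0, no PE signature there
HEADERLESS = b"\0\0" + VALID_PE[2:]     # MZ magic stripped, as in the .cab

SAMPLE_EVENTS = [  # hypothetical paths, not from the report
    {"image": r"C:\Users\victim\AppData\Local\Temp\ChromeUpdate\installer.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\ChromeUpdate\version.dll"},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\version.dll"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\ChromeUpdate\installer.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\ChromeUpdate\helper.dll"},
]

if __name__ == "__main__":
    for name, blob in (("valid", VALID_PE), ("mz-only", MZ_ONLY), ("cab", HEADERLESS)):
        print(f"{name:8s} -> {pe_header_state(blob)}")
    for image, loaded in sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {image} loaded {loaded}")
```

The header check is deliberately a pre-filter: a "headerless" result on a file with an .exe or .dll extension is the signal to pull the sample for manual analysis, not proof of malice. The event check deliberately ignores the DLL's contents and keys only on location and naming, which is what makes it useful against a payload whose hashes change between campaigns.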
Gh0st RAT has been distributed through fake Google Chrome lures before: eSentire recently reported an attack on Chinese-speaking Windows users that used a counterfeit Google Chrome download site.
The UULoader campaign, like others of its kind, shows how attackers keep refining their deception by hiding payloads behind legitimate, signed programs. Remain cautious when downloading and installing software, especially from unverified sources, since even a familiar application can be repurposed as a sideloading host to steal credentials and establish remote access.