New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia

Aug 19, 2024 | Ravie Lakshmanan | Threat Intelligence / Cryptocurrency

A new kind of malware known as UULoader is being used by threat actors to deliver next-stage payloads such as Gh0st RAT and Mimikatz.

The Cyberint Research Team, which discovered the malware, said it is distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers.

There is evidence pointing to UULoader being the work of a Chinese speaker, owing to the presence of Chinese strings in program database (PDB) files embedded within the DLL file.

“UULoader’s ‘core’ files are contained in a Microsoft Cabinet archive (.cab) file which contains two primary executables (an .exe and a .dll) which have had their file header stripped,” the company said in a technical report shared with The Hacker News.

One of the executables is a legitimate binary that is prone to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscated file named “XamlHost.sys” that is nothing but remote access tools such as Gh0st RAT or the Mimikatz credential harvester.

Present within the MSI installer file is a Visual Basic Script (.vbs) that is responsible for launching the executable, e.g., Realtek, with some UULoader samples also running a decoy file as a distraction mechanism.

“This usually corresponds to what the .msi file is pretending to be,” Cyberint said. “For example, if it tries to disguise itself as a ‘Chrome update,’ the decoy will be an actual legitimate update for Chrome.”

This isn’t the first time bogus Google Chrome installers have led to the deployment of Gh0st RAT. Last month, eSentire detailed an attack chain targeting Chinese Windows users that employed a fake Google Chrome site to disseminate the remote access trojan.

The development comes as threat actors have been observed creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of popular cryptocurrency wallet services like Coinbase, Exodus, and MetaMask, among others.
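Stripping the DOS header, as the report describes, leaves a payload that a naive check for the `MZ` magic will not recognise as an executable. As an added defender-side example (not Cyberint’s code and not the loader itself), the heuristic below accepts a normal MZ/PE layout and otherwise looks for a plausible COFF header near the start of the file; the sample blobs are constructed inline and are not real executables.

```python
import struct

PE_SIG = b"PE\0\0"
# IMAGE_FILE_MACHINE values a COFF header is expected to carry.
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}
# Optional header magic: PE32 and PE32+.
OPT_MAGICS = (0x10B, 0x20B)


def classify(blob: bytes) -> str:
    """Return 'pe', 'headerless_pe' or 'unknown' for a file's bytes."""
    # Normal case: DOS header present and e_lfanew points at the COFF signature.
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "pe"
    # Stripped-header case: no MZ, but a COFF header with a known machine type
    # and a valid optional-header magic still sits within the first 4 KiB.
    off = blob.find(PE_SIG, 0, 4096)
    while off != -1:
        if off + 26 <= len(blob):
            machine = struct.unpack_from("<H", blob, off + 4)[0]
            opt_magic = struct.unpack_from("<H", blob, off + 24)[0]
            if machine in KNOWN_MACHINES and opt_magic in OPT_MAGICS:
                return "headerless_pe"
        off = blob.find(PE_SIG, off + 1, 4096)
    return "unknown"


def build_pe_stub(strip_header: bool) -> bytes:
    """Constructed test input: minimal PE64 header layout, optionally with
    the whole DOS header zeroed to mimic a stripped file header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: machine, sections, timestamp, symtab ptr, nsyms,
    # size of optional header, characteristics.
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)
    blob = bytes(dos) + coff + opt
    if strip_header:
        blob = bytes(e_lfanew) + blob[e_lfanew:]
    return blob


if __name__ == "__main__":
    for name, stripped in (("intact", False), ("stripped", True)):
        print(name, classify(build_pe_stub(stripped)))
```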

“These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typosquatter subdomains,” Broadcom-owned Symantec said. “These sites lure potential victims with information about crypto wallets and download links that actually lead to malicious URLs.”

These URLs function as a traffic distribution system (TDS), redirecting users to phishing content, or to innocuous pages if the tool determines the visitor to be a security researcher.

Phishing campaigns have also been masquerading as legitimate government entities in India and the U.S. to redirect users to phony domains that collect sensitive information, which could be leveraged in future operations for further scams, sending phishing emails, spreading disinformation/misinformation, or distributing malware.

Some of these attacks are noteworthy for the abuse of Microsoft’s Dynamics 365 Marketing platform to create subdomains and send phishing emails, thereby slipping past email filters. These attacks have been codenamed Uncle Scam owing to the fact that the emails impersonate the U.S. General Services Administration (GSA).

Social engineering efforts have further cashed in on the popularity of the generative artificial intelligence (AI) wave to set up scam domains mimicking OpenAI ChatGPT to proliferate suspicious and malicious activity, including phishing, grayware, ransomware, and command-and-control (C2).

“Remarkably, over 72% of the domains associate themselves with popular GenAI applications by including keywords like gpt or chatgpt,” Palo Alto Networks Unit 42 said in an analysis last month. “Among all traffic toward these [newly registered domains], 35% was directed toward suspicious domains.”