August 19, 2024 | Ravie Lakshmanan | Threat Intelligence / Cryptocurrency
A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads such as Gh0st RAT and Mimikatz.
According to the Cyberint research team that discovered the malware, it is distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers.
There is evidence that UULoader's author is a Chinese speaker, given the presence of Chinese strings in the program database (PDB) file embedded within the DLL file.
“UULoader's 'core' files are stored in a Microsoft Cabinet Archive (.cab) file that contains two main executable files (.exe and .dll) with their file headers removed,” the company said in a technical report shared with The Hacker News.
One of the executables is a legitimate binary susceptible to DLL sideloading. It is used to sideload the DLL file, which ultimately loads the final stage: an obfuscated file named “XamlHost.sys” that is none other than a remote access tool such as Gh0st RAT or the Mimikatz credential harvester.
Within the MSI installer file there is a Visual Basic script (.vbs) that launches an executable (such as a Realtek binary); some UULoader samples also run a decoy file as a diversion mechanism.
“This will usually match what the .msi file is disguised as,” Cyberint said. “For example, if the file is trying to pose as a 'Chrome update,' the disguised file is actually a legitimate update for Chrome.”
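A defender-side triage heuristic for the stripped-header trick described above (an added example, not Cyberint's tooling): given files already extracted from an archive, flag members that lack the MZ magic yet still carry strings typical of a PE image. The marker list, the hit threshold and the sample bytes are constructed assumptions.

```python
"""Flag archive members that look like Windows executables with their headers cut off."""
from dataclasses import dataclass

# Strings that usually survive when only the leading header bytes are removed
# (DOS-stub text, common section names, typical import names). Assumed list.
PE_MARKERS = [
    b"This program cannot be run in DOS mode",
    b".text", b".rdata", b".data", b".reloc", b".rsrc",
    b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress",
]


@dataclass
class Verdict:
    name: str
    has_mz: bool        # starts with the 'MZ' DOS magic
    has_pe_sig: bool    # 'PE\0\0' signature seen near the start
    marker_hits: int    # how many PE_MARKERS occur in the content
    suspicious: bool    # no MZ magic, but enough PE-like content


def triage(name: str, data: bytes, min_hits: int = 3) -> Verdict:
    """Classify one file's bytes; min_hits is an assumed threshold."""
    lowered = data.lower()
    has_mz = data[:2] == b"MZ"
    has_pe_sig = b"PE\x00\x00" in data[:4096]
    hits = sum(1 for marker in PE_MARKERS if marker.lower() in lowered)
    # An intact PE is expected to carry these strings; a headerless one is the
    # case worth a closer look.
    return Verdict(name, has_mz, has_pe_sig, hits, (not has_mz) and hits >= min_hits)


def scan_members(members: dict) -> list:
    """Run triage over a mapping of member name -> extracted bytes."""
    return [triage(name, blob) for name, blob in members.items()]


# Constructed samples (not real UULoader artefacts).
INTACT_PE = (b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
             + b"PE\x00\x00" + b".text.rdata.data")
STRIPPED_PE = (b"\x00" * 16 + b"This program cannot be run in DOS mode\r\n$"
               + b".text\x00\x00\x00.rdata\x00\x00.rsrc"
               + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress")
PLAIN_TEXT = b"Hello, this is just a readme for the installer."
SAMPLE_MEMBERS = {"realtek.exe": INTACT_PE, "helper.dll": STRIPPED_PE, "readme.txt": PLAIN_TEXT}

if __name__ == "__main__":
    for verdict in scan_members(SAMPLE_MEMBERS):
        print(verdict)
```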
This isn't the first time a fake Google Chrome installer has led to the deployment of the Gh0st RAT: last month, eSentire detailed an attack chain targeting Windows users in China that used a fake Google Chrome site to spread a remote access trojan.
This development comes after threat actors were observed creating thousands of cryptocurrency-themed lure sites used in phishing attacks targeting users of popular cryptocurrency wallet services such as Coinbase, Exodus and MetaMask.
“These attackers use free hosting services such as Gitbook and Webflow to create decoy sites on subdomains of cryptocurrency wallet typosquatters,” said Symantec, a Broadcom subsidiary. “These sites lure potential victims with information about cryptocurrency wallets and download links that actually lead to malicious URLs.”
These URLs act as a Traffic Distribution System (TDS), redirecting users to phishing content, or to harmless pages if the tool determines that the visitor is a security researcher.
The phishing campaigns pose as legitimate government agencies in India and the US and redirect users to fake domains to collect sensitive information that can later be used to commit further fraud, send phishing emails, spread fake news and misinformation, and distribute malware.
Notable among these attacks is the abuse of Microsoft's Dynamics 365 Marketing platform to create subdomains from which phishing emails are sent in order to slip through email filters. These attacks have been code-named Uncle Scam, as the emails impersonate the U.S. General Services Administration (GSA).
Social engineering efforts are capitalizing on the popularity of the generative artificial intelligence (AI) wave by setting up fraudulent domains mimicking OpenAI ChatGPT to proliferate suspicious and malicious activity, including phishing, greyware, ransomware, and command and control (C2).
“Surprisingly, over 72% of the domains are associated with the popular GenAI application by containing keywords such as gpt and chatgpt,” Palo Alto Networks' Unit 42 said in an analysis last month. “Of the total traffic to these (newly registered domains), 35% was directed to suspicious domains.”