New UULoader malware spreads Gh0st RAT and Mimikatz in East Asia
August 19, 2024 | Ravie Lakshmanan | Threat Intelligence / Cryptocurrency

Threat actors are using a new malware loader called UULoader to deliver next-stage payloads such as Gh0st RAT and Mimikatz.

The Cyberint Research Team, which discovered the malware, reports that it is being distributed in the form of malicious installers for legitimate applications targeting Korean- and Chinese-speaking users.

There are indications that UULoader is the work of a Chinese-speaking author: the DLL carries program database (PDB) debug paths containing Chinese-language strings.

“The UULoader ‘core files’ are located within a Microsoft Cabinet archive (.cab) file that contains two primary executable files (an .exe and a .dll) with their file headers removed,” the company said in a technical report shared with The Hacker News.

One of the executables is a legitimate, typically signed binary that is susceptible to DLL sideloading. It is used to load the malicious DLL, which in turn loads the final stage: an obfuscated file named "XamlHost.sys" that is in fact a remote access trojan such as Gh0st RAT, or the Mimikatz credential harvester.
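The detail worth turning into a detection is the one in the quoted report: the .exe and .dll inside the .cab have their file headers removed, so a scanner that keys on the MZ/PE magic sees nothing. A headerless PE body still carries structure that survives the stripping, such as section names and import strings. The following is an added triage example written for this page, not Cyberint's tooling or any UULoader component; the PE-shaped sample bytes, the member file names and the marker threshold of 3 are all constructed assumptions.

```python
"""Triage extracted .cab members for PE bodies whose file headers were stripped.

Added example for this article (not Cyberint's code). A PE whose DOS/PE headers
were removed no longer starts with "MZ", but section names and import strings
usually remain in the body, which is enough for a cheap heuristic.
"""
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
# Strings that usually survive in a PE body even when the headers are gone.
PE_BODY_MARKERS = (
    b".text", b".rdata", b".data", b".rsrc", b".reloc",
    b"KERNEL32.dll", b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress",
)


def has_pe_headers(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_body_score(data: bytes) -> int:
    """Count PE-characteristic strings; the DOS stub text weighs double."""
    score = 2 if DOS_STUB_TEXT in data else 0
    return score + sum(1 for marker in PE_BODY_MARKERS if marker in data)


def classify_member(data: bytes, threshold: int = 3) -> str:
    """'pe' for an intact PE, 'headerless-pe' for a stripped body, else 'other'.

    The threshold is an assumption chosen for this example; tune it on real data.
    """
    if has_pe_headers(data):
        return "pe"
    if pe_body_score(data) >= threshold:
        return "headerless-pe"
    return "other"


def triage_cab_members(members: dict) -> dict:
    """Map each extracted .cab member name to its verdict."""
    return {name: classify_member(data) for name, data in members.items()}


# Constructed sample (not a real UULoader artefact): a minimal PE-shaped blob.
_dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew -> 0x80
_dos_stub = DOS_STUB_TEXT.ljust(0x40, b"\x00")
_pe_header = b"PE\0\0" + b"\x00" * (20 + 224)  # COFF header + PE32 optional header
_sections = b".text\0\0\0" + b"\x00" * 32 + b".rdata\0\0" + b"\x00" * 32
_body = b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0" + b"\x90" * 64
SAMPLE_PE = _dos_header + _dos_stub + _pe_header + _sections + _body
SAMPLE_HEADERLESS = SAMPLE_PE[0x84:]  # DOS header, stub and PE signature removed

# Constructed member names; the real archive layout is not reproduced here.
SAMPLE_CAB_MEMBERS = {
    "payload_a.bin": SAMPLE_HEADERLESS,
    "payload_b.bin": SAMPLE_HEADERLESS,
    "readme.txt": b"Notes about the .text section layout.",
}

if __name__ == "__main__":
    for name, verdict in triage_cab_members(SAMPLE_CAB_MEMBERS).items():
        print(f"{name}: {verdict}")
```

Run it over the members you extract from a suspicious installer's .cab (for example with `cabextract` or `expand`); two or more "headerless-pe" verdicts in one archive is the pattern described above and worth a closer look, even before anything is executed.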

The MSI installer also contains a Visual Basic script (.vbs) responsible for launching the legitimate executable (for example, a Realtek binary). Some UULoader samples additionally run a decoy file.

“This usually matches what the .msi file pretends to be,” Cyberint said. “For example, if it tries to disguise itself as a ‘Chrome update,’ the decoy will actually be a legitimate update for Chrome.”

This isn't the first time fake Google Chrome installers have been used to deploy Gh0st RAT. Last month, eSentire described an attack chain targeting Chinese-speaking Windows users that used a fake Google Chrome site to distribute the remote access trojan.

This development comes as malicious actors create thousands of cryptocurrency decoy websites that are used for phishing attacks, targeting users of popular cryptocurrency wallet services such as Coinbase, Exodus, and MetaMask.

“These actors are using free hosting services like Gitbook and Webflow to create decoy sites on crypto wallet typosquatter subdomains,” said Symantec, owned by Broadcom. “These sites lure potential victims with information about crypto wallets and download links that in fact lead to malicious URLs.”

These URLs act as a traffic distribution system (TDS) that redirects visitors to phishing content, or to harmless pages if it determines that the visitor is a security researcher.

Phishing campaigns have also impersonated legitimate government agencies in India and the US, redirecting users to bogus domains that harvest sensitive information. That information can later be used for further scams, phishing emails, disinformation or malware distribution.

Some of these attacks are notable for abusing Microsoft's Dynamics 365 Marketing platform to create subdomains and send phishing emails that slip past email filters. They have been codenamed Uncle Scam because the emails impersonate the US General Services Administration (GSA).

Social engineering efforts have further capitalized on the popularity of generative artificial intelligence (AI), setting up fraudulent domains that mimic OpenAI ChatGPT and serve suspicious and malicious content, including phishing, grayware, ransomware, and command-and-control (C2) infrastructure.

“Remarkably, over 72% of domains associated themselves with popular GenAI applications by including keywords like gpt or chatgpt,” Palo Alto Networks Unit 42 said in an analysis last month. “Of all traffic to these (newly registered domains), 35% was directed to suspicious domains.”
