Hackers disguise the malware as legitimate applications for invisible compromise.
The new malicious software UULoader is actively used by hackers to deliver dangerous programs such as the Gh0st RAT and Mimikatz. Discovered by researchers at Cyberint, this malware is being distributed through fake installation files of legitimate applications that target users who speak Korean and Chinese.
The researchers note that UULoader was probably created by a native Chinese speaker. This is evidenced by the presence of Chinese strings in the Program Database (PDB) files embedded in the DLL file.
The main feature of UULoader is that its key files are in the Microsoft Cabinet (.cab) archive. The archive contains two executable files (.exe and .dll) with the file headers removed. One of these files is legitimate but vulnerable to the DLL Sideloading method, which allows the loading of a DLL file that triggers the final stage of the attack.
The final step is to download a disguised file "XamlHost.sys", which is actually a remote access tool. At the discretion of the hackers, such a tool can be either the Gh0st RAT or Mimikatz.
Inside the installation MSI file, there is also a Visual Basic Script (.vbs), which runs an executable file, for example, from Realtek. Some UULoader samples also use a decoy file to distract the victim's attention. For example, if the malware pretends to be an update for Google Chrome, then this file will be a real update for Chrome.
It should be noted that earlier fake Google Chrome installation files have been used more than once to distribute the Gh0st RAT. Last month, eSentire reported an attack targeting Chinese Windows users using a fake Google Chrome site.
The malicious campaign to distribute UULoader and similar malware clearly demonstrates how cybercriminals continue to improve their deception methods by using legitimate programs to stealthily distribute malware. It is extremely important to be vigilant when downloading and installing programs, especially from unverified sources, since even familiar applications can become hackers' tools for data theft and other attacks.
Source
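As an added example (not Cyberint's code or anything from the report), here is a defender-side triage heuristic for the header-stripped executables described above: it flags extracted .cab members that lack the MZ magic but still carry PE-internal strings. The marker list, the threshold and the sample bytes are constructed assumptions.

```python
"""Heuristic triage for executables whose MZ/PE headers were stripped.

Constructed example, not Cyberint's or any project's code. It scans files
extracted from a .cab (or any directory) and flags blobs that lack the MZ magic
yet still contain PE-internal artifacts, which is what a header-stripped
.exe/.dll looks like at rest. Marker list and threshold are assumptions.
"""
from pathlib import Path

PE_MARKERS = (
    b"This program cannot be run in DOS mode",  # DOS stub text survives below the header
    b".text\x00", b".rdata\x00", b".data\x00", b".reloc\x00", b".rsrc\x00",
    b"KERNEL32.dll", b"kernel32.dll",
)
MIN_MARKERS = 2  # assumption: require two independent markers before flagging


def classify(data: bytes) -> str:
    """Return 'pe', 'stripped_pe' or 'other' for one file's raw bytes."""
    if data[:2] == b"MZ":
        return "pe"
    hits = sum(1 for m in PE_MARKERS if m in data)
    if b"PE\x00\x00" in data:  # NT header signature, if it was left in place
        hits += 1
    return "stripped_pe" if hits >= MIN_MARKERS else "other"


def triage(files: dict) -> list:
    """Report suspicious entries from a {name: bytes} map of extracted members.

    A stripped PE is always reported; so is an .exe/.dll with no MZ magic at
    all, since that extension/content mismatch is the tell for this loader.
    """
    findings = []
    for name, data in files.items():
        kind = classify(data)
        ext = Path(name).suffix.lower()
        if kind == "stripped_pe" or (ext in (".exe", ".dll") and kind != "pe"):
            findings.append((name, kind))
    return findings


def triage_dir(path: str) -> list:
    """Same check over files already extracted on disk (e.g. via `expand`)."""
    return triage({p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()})


# Constructed sample data standing in for extracted .cab members.
SAMPLE = {
    "vendor.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode" + b"PE\x00\x00.text\x00",
    "loader.dll": b"\x00" * 64 + b"This program cannot be run in DOS mode\r\n$" + b"PE\x00\x00d\x86" + b".text\x00.rdata\x00",
    "readme.txt": b"Setup notes for the installer.\n",
}

if __name__ == "__main__":
    for name, kind in triage(SAMPLE):
        print(f"{name}: {kind}")
```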