Attackers are using a new piece of malware called UULoader to spread sophisticated payloads like Mimikatz and Gh0st RAT.
Threat actors are employing a novel malware named UULoader to distribute advanced payloads such as Gh0st RAT and Mimikatz. The malware was found by the Cyberint Research Team, who also noted that it targets Chinese and Korean languages and is disseminated as malicious installers for programs that seem legitimate. Chinese strings found in program database (PDB) files included within the DLL file provide evidence that UULoader was created by a Chinese speaker. “UULoader’s ‘core’ files are contained in a Microsoft Cabinet archive (.cab) file that contains two primary executables (an.exe and a.dll) that have had their file header stripped,” the business stated in a technical study.
A legitimate binary is one of the executables that can be loaded using DLL side-loading, which loads the DLL file that loads the last stage, an obfuscate file called “XamlHost.sys” that’s nothing more than remote access tools like the Mimikatz credential harvester or the Gh0st RAT. A Visual Basic Script (.vbs) is present in the MSI installer file and is responsible for launching the executable, such as Realtek, with some UULoader samples also running a decoy file as a distraction mechanism. “This usually corresponds to what the.msi file is pretending to be,” according to Cyberint, “for example, if it tries to disguise itself as a ‘Chrome update.”
The Gh0st RAT has been deployed before as a result of fraudulent Google Chrome installers. A phony Google Chrome website was used by an attack chain targeting Chinese Windows users to spread a remote access trojan, as reported by eSentire last month. The finding coincides with the discovery that malicious actors have been seen building hundreds of lure websites with cryptocurrency themes in an attempt to trick users of well-known cryptocurrency wallet services like Coinbase, Exodus, and MetaMask, among others, through phishing scams.
According to Symantec, a division of Broadcom, “These actors are creating lure sites on crypto wallet typosquatter subdomains by using free hosting services like Gitbook and Webflow.” “These sites lure potential victims with information about crypto wallets and download links that actually lead to malicious URLs.” By using these URLs as a traffic distribution system (TDS), users are sent to either phishing content or harmless pages, depending on whether the tool detects the visitor as a security researcher. Phishing campaigns have also been disguising themselves as official government agencies in both India and the United States in order to divert users to shady websites that gather private data. This data can then be used in subsequent operations for phishing emails, malware distribution, disinformation campaigns, and other fraudulent activities.
A few of these assaults stand out due to the misuse of the Dynamics 365 Marketing platform from Microsoft, which was used to send phishing emails and generate subdomains that would bypass email filters. The fact that these emails pretend to be from the General Services Administration (GSA) of the United States has earned these attacks the moniker Uncle Scam. The popularity of the generative artificial intelligence (AI) wave has also been exploited by social engineering operations, which have set up scam domains that imitate OpenAI ChatGPT in order to spread malicious and suspicious behavior, such as ransomware, phishing, grayware, and command-and-control (C2). “Remarkably, over 72% of the domains associate themselves with popular GenAI applications by including keywords like gpt or chatgpt,” said Unit 42 of Palo Alto Networks.
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.