
New UULoader malware exploited to deliver next-stage payloads


Cybercriminals are using a new type of malicious installer, UULoader, to distribute final-stage payloads such as Gh0st RAT and Mimikatz. Chinese strings in the program database files indicate that it may be the work of a Chinese-speaking individual.

The malware’s core files are located in a Microsoft Cabinet archive (.cab) file consisting of two primary executable files (.exe and .dll) with their file header removed to evade static detection. Following the discovery of the malicious installer, the Cyberint Research Team said that it is being used as an installer for legitimate applications or update installers targeting Korean and Chinese speakers.
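Stripping the DOS/MZ header from a PE file defeats simple magic-byte checks, but the COFF header and optional header that follow the `PE\0\0` signature are still there. The following added example (written for this page, not Cyberint's tooling, and using constructed byte strings rather than real UULoader samples) classifies a blob as a normal PE, a header-stripped PE, or something else by looking for a plausible PE header even when the file does not start with `MZ`. The machine-type and magic-value sets are an assumption about which architectures are worth matching.

```python
import struct

# Accepted COFF machine types (x86, x64, ARM, ARM64) and optional-header magics
# (PE32, PE32+). Assumption: these cover the binaries a scanner cares about.
VALID_MACHINES = {0x14C, 0x8664, 0x1C0, 0xAA64}
VALID_MAGICS = {0x10B, 0x20B}


def _build_fake_pe() -> bytes:
    """Constructed, non-executable PE-shaped bytes used only as test input."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,  # Machine: AMD64
        1,       # NumberOfSections
        0, 0, 0,  # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xF0,    # SizeOfOptionalHeader for PE32+
        0x22,    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    optional = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)  # PE32+ magic, rest zeroed
    return bytes(dos) + b"PE\0\0" + coff + optional + bytes(512)


def _pe_header_at(data: bytes, off: int) -> bool:
    """True if a plausible COFF header + optional header magic starts at `off`."""
    if data[off:off + 4] != b"PE\0\0" or len(data) < off + 26:
        return False
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, off + 4
    )
    if machine not in VALID_MACHINES or not 0 < nsections <= 96 or opt_size < 2:
        return False
    magic = struct.unpack_from("<H", data, off + 24)[0]  # optional header starts after 4+20 bytes
    return magic in VALID_MAGICS


def classify(data: bytes, search_window: int = 4096) -> str:
    """
    'pe'            - MZ header whose e_lfanew points at a valid PE header
    'headerless-pe' - no MZ magic, but a valid PE header sits early in the file
    'other'         - neither
    """
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if _pe_header_at(data, e_lfanew):
            return "pe"
        return "other"  # MZ present but not a usable PE (e.g. DOS executable or corrupt)
    # The DOS header may be gone entirely, or only its MZ magic may be blanked;
    # either way the PE signature is still within the first few KB.
    start = 0
    while True:
        idx = data.find(b"PE\0\0", start, search_window)
        if idx < 0:
            return "other"
        if _pe_header_at(data, idx):
            return "headerless-pe"
        start = idx + 1


# Constructed samples: a full fake PE, the same bytes with the DOS header cut off,
# the same bytes with only the MZ magic zeroed, and plain non-executable data.
FULL = _build_fake_pe()
STRIPPED = FULL[0x40:]
ZEROED = bytes(2) + FULL[2:]
PLAIN = b"this is not an executable " * 20

if __name__ == "__main__":
    for name, blob in [("FULL", FULL), ("STRIPPED", STRIPPED),
                       ("ZEROED", ZEROED), ("PLAIN", PLAIN)]:
        print(f"{name:9s} -> {classify(blob)}")
```

Run against files extracted from a .cab (or any dropped file that fails a normal PE parse) to flag components whose headers were removed before delivery; a hit is worth restoring the header offline and submitting for full analysis rather than trusting the static verdict.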

Of the two executable files, one is a legitimate binary susceptible to DLL side-loading, used to load an obfuscated file named “XamlHost.sys.” The obfuscated file mainly contains remote access tools such as Gh0st RAT and credential harvesters such as Mimikatz.

A Visual Basic Script (.vbs) in the installer file (.msi) launches the executable, while UULoader samples also run a decoy file, which acts as a diversion. The decoy file is usually the legitimate software or update that the .msi file pretends to be.

For example, if it is disguised as a Chrome installer, the decoy legitimately installs Chrome while it executes the malware delivery process. Threat actors such as Void Arachne have previously used this strategy to pose as AI tools, installers, and VPNs.

“A noteworthy point about the .vbs script is the presence of various ‘junk’ actions (primarily arithmetic calculations) which serve no purpose themselves but are intended to ‘inflate’ the script and conceal its malicious features by ‘outweighing’ them with legitimate appearing junk when scanned by security products,” said Cyberint.
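Padding a script with arithmetic whose results are never consumed is cheap for the author and skews any scanner that scores a file by the proportion of suspicious statements. The added example below (written for this page, not Cyberint's detection logic; the sample scripts are constructed and are not the real UULoader .vbs) does the reverse: it treats an arithmetic-only assignment as junk unless its result flows, directly or through other assignments, into a statement that actually does something, and reports how many statements are dead padding. Comment and declaration handling is a deliberately simple heuristic.

```python
import re

# Constructed sample: three real actions buried under arithmetic nobody reads.
SAMPLE_VBS = """\
' constructed test script, not a real sample
Dim a1, a2, a3, a4, a5, shell, p
a1 = 4821 * 17 - 3
a2 = (a1 + 992) / 4
a3 = 77 * 91 + 13
a4 = 1000 - 250 * 3
a5 = (8 + 4) * (6 - 2)
Set shell = CreateObject("WScript.Shell")
p = shell.ExpandEnvironmentStrings("%TEMP%")
shell.Run p & "\\updater.exe", 0, False
"""

# Constructed benign script: its arithmetic feeds a statement that uses the result.
CLEAN_VBS = """\
Dim total, n
n = 6 * 7
total = n + 1
WScript.Echo total
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
ARITH_RHS_RE = re.compile(r"^[\w\s+\-*/().]+$")  # numbers, names, operators, parens only
OPERATOR_RE = re.compile(r"[+\-*/]")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def _statements(script: str):
    """Yield non-empty statements with ' comments and Dim declarations dropped."""
    for raw in script.splitlines():
        line = raw.split("'", 1)[0].strip()  # heuristic: ignores apostrophes inside strings
        if not line or line.lower().startswith("dim "):
            continue
        yield line


def analyze(script: str):
    """Return (junk_arithmetic_statements, total_statements) for a VBScript body."""
    arith = []   # (assigned name, identifiers referenced on the right-hand side)
    live = set()  # identifiers referenced by statements that are not pure arithmetic
    total = 0
    for stmt in _statements(script):
        total += 1
        m = ASSIGN_RE.match(stmt)
        if m and ARITH_RHS_RE.match(m.group(2)) and OPERATOR_RE.search(m.group(2)):
            refs = {i.lower() for i in IDENT_RE.findall(m.group(2))}
            arith.append((m.group(1).lower(), refs))
        else:
            # For an ordinary assignment only the RHS counts as a use; for anything
            # else every identifier on the line does.
            text = m.group(2) if m else stmt
            live.update(i.lower() for i in IDENT_RE.findall(text))
    # Propagate liveness backwards through arithmetic chains (a2 uses a1, ...).
    changed = True
    while changed:
        changed = False
        for name, refs in arith:
            if name in live and not refs <= live:
                live |= refs
                changed = True
    junk = [name for name, _ in arith if name not in live]
    return len(junk), total


if __name__ == "__main__":
    for label, script in [("sample", SAMPLE_VBS), ("clean", CLEAN_VBS)]:
        junk, total = analyze(script)
        print(f"{label}: {junk}/{total} statements are dead arithmetic")
```

A high dead-arithmetic ratio is not proof of malice on its own, but combined with the installer behaviour described above (a .vbs launching a side-loaded binary) it is a useful triage signal, and it is one a junk-padding author cannot improve by adding more junk.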

The malware uses a creative, multi-stage approach to deliver payloads while evading static detection, as shown by the low detection rates the research team observed on VirusTotal. While it is yet to be attributed to a particular threat actor or group, the operator is likely a Chinese speaker given the Chinese strings present.


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
