HUI Loader

A malware threat that has been used in attack campaigns for years has now been connected to the activities of Chinese-backed APT (Advanced Persistent Threat) groups. The malware known as the HUI Loader was first identified back in 2015, but the links to several state-sponsored hacker groups have only recently been confirmed. Details about the threat and the threat actors that use it as part of their toolkit were revealed in a report by the Secureworks Counter Threat Unit (CTU).

The HUI Loader is deployed in the initial stages of the infection and is tasked with the delivery and execution of next-stage payloads. The threat is likely delivered to the targeted systems via legitimate programs that were subjected to a technique known as DLL search order hijacking: a malicious DLL is placed where a legitimate application will find it before the genuine library. Once established and running in memory, the HUI Loader has been observed to load various RATs (Remote Access Trojans), including SodaMaster, Cobalt Strike, PlugX and QuasarRAT.
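Because the loader rides in on a legitimate executable via DLL search order hijacking, one practical detection angle is to check which directory a process's system-named DLLs were actually resolved from. The following is an added example written for this page, not code from the Secureworks report or from any vendor tooling. It runs a simple heuristic over a constructed list of loaded-module paths: a DLL whose name is normally served from a Windows system directory, but which was loaded from the application's own folder or any other non-system path, is flagged. The directory list, the DLL-name list and the sample module paths are all assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Directories from which Windows normally serves these DLLs (assumed; adjust per host build).
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# DLL names a legitimate application is expected to resolve from a system directory.
# Constructed sample; in practice this should come from a known-good baseline.
EXPECTED_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}


def is_sideload_candidate(module_path: str, exe_path: str) -> bool:
    """Return True when a system-named DLL was resolved from outside a system directory.

    The executable's own directory is checked explicitly because it is searched
    before the system directories in the default DLL search order, which is exactly
    what search order hijacking abuses.
    """
    module = PureWindowsPath(module_path)
    name = module.name.lower()
    if name not in EXPECTED_SYSTEM_DLLS:
        return False  # only DLLs we expect in system32/syswow64 are of interest
    parent = str(module.parent).lower()
    exe_dir = str(PureWindowsPath(exe_path).parent).lower()
    return parent == exe_dir or parent not in SYSTEM_DIRS


def find_sideloaded_modules(exe_path: str, loaded_modules):
    """Return every loaded module path that looks like a DLL search order hijack."""
    return [m for m in loaded_modules if is_sideload_candidate(m, exe_path)]


# Constructed sample: a signed vendor binary that loaded one DLL from its own folder.
SAMPLE_EXE = r"C:\ProgramData\VendorTool\vendortool.exe"
SAMPLE_MODULES = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\dbghelp.dll",          # resolved from the expected location
    r"C:\ProgramData\VendorTool\version.dll",    # same folder as the exe: flagged
    r"C:\ProgramData\VendorTool\vendorcore.dll", # vendor's own DLL, not a system name
]

if __name__ == "__main__":
    for hit in find_sideloaded_modules(SAMPLE_EXE, SAMPLE_MODULES):
        print("possible DLL search order hijack:", hit)
```

The heuristic is deliberately narrow: it only triggers on DLL names that should come from a system directory, so it will miss loaders delivered under a vendor-specific filename, and it will produce false positives for applications that legitimately ship private copies of such libraries. Pairing the hit with the digital signature status of the flagged DLL, and with whether the host process subsequently spawned unexpected network activity, is how a responder would raise confidence before acting on it.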

The researchers at CTU caught the HUI Loader being used in attack campaigns against Japanese entities, but they presume that European and U.S. organizations could also be targeted. One of the clusters of activity is attributed to A41APT. The attackers were likely interested in collecting intellectual property and relied on the HUI Loader for the delivery of the SodaMaster RAT. The other campaign observed by the cybersecurity experts is believed to be the work of BRONZE STARLIGHT. In this case, the hackers also dropped ransomware on the breached devices, likely as a way to hide their true goal of collecting sensitive data from the victims.
