
UULoader Malware

Cybercriminals are using a new strain of malware known as UULoader to deliver subsequent harmful payloads. According to the researchers who identified this malware, it is spread through corrupted installers posing as legitimate applications, primarily targeting Korean and Chinese speakers. Indicators suggest that UULoader may have been developed by a Chinese speaker, as Chinese strings have been found in the program database (PDB) files embedded within the DLL file. This malware is being leveraged to deploy post-compromise threats, such as the Gh0st RAT and Mimikatz.

UULoader's core components are packaged within a Microsoft Cabinet (.cab) archive, containing two main executables (an .exe and a .dll) that have had their file headers removed.

Threat Actors Utilize UULoader to Deliver Additional Malware

One of the executables is a legitimate binary vulnerable to DLL side-loading, which is exploited to load a DLL file. This DLL ultimately triggers the final stage: an obfuscated file named 'XamlHost.sys' that contains remote access tools such as Gh0st RAT or the Mimikatz credential harvester.

The MSI installer file also includes a Visual Basic Script (.vbs) that launches the executable (such as a Realtek binary), and in some UULoader samples a decoy file is run as well to divert attention. This decoy typically matches what the .msi file claims to be: for instance, if the installer masquerades as a 'Chrome update,' the decoy will be a genuine Chrome update.
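A defender-side triage heuristic for the packaging just described, written as an added example rather than code from the original report: it flags files named like PE executables (.exe, .dll, .sys) whose MZ/PE headers are missing, and reports a UULoader-like layout when such a stripped .exe/.dll pair sits beside a .vbs launcher. All file names and contents below are constructed samples, not real UULoader artifacts.

```python
"""Triage an extracted installer for header-stripped PE files next to a .vbs launcher."""
import struct

PE_EXTENSIONS = (".exe", ".dll", ".sys")


def has_valid_pe_header(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(files: dict[str, bytes]) -> dict:
    """files maps each extracted file name to its bytes; returns the findings."""
    stripped = [name for name, data in files.items()
                if name.lower().endswith(PE_EXTENSIONS) and not has_valid_pe_header(data)]
    vbs = [name for name in files if name.lower().endswith(".vbs")]
    # UULoader-like layout: a .vbs launcher alongside a header-stripped .exe/.dll pair
    stripped_exts = {name.lower().rsplit(".", 1)[-1] for name in stripped}
    uuloader_like = bool(vbs) and {"exe", "dll"} <= stripped_exts
    return {"stripped_pe": sorted(stripped), "vbs_launchers": vbs, "uuloader_like": uuloader_like}


def _fake_pe() -> bytes:
    # Constructed minimal PE-looking header: MZ stub, e_lfanew = 0x40, 'PE\0\0' at 0x40
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_FILES = {  # constructed contents of an extracted installer (hypothetical names)
    "setup.vbs": b'Set o = CreateObject("WScript.Shell")',
    "realtek_stub.exe": b"\x00" * 64 + b"stripped-body",   # MZ header removed
    "helper.dll": b"junk" * 16,                             # MZ header removed
    "XamlHost.sys": b"obfuscated-blob",                     # not a real driver image
    "readme.txt": b"decoy",
    "legit.exe": _fake_pe(),                                # intact header, not flagged
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```

Such a check belongs in an installer-inspection pipeline after the .cab/.msi contents are extracted; a stripped header alone is only a heuristic and should be corroborated with the side-loading and launcher indicators described above.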

This isn't the first time fake Google Chrome installers have been used to deploy Gh0st RAT. Last month, eSentire reported an attack chain targeting Chinese Windows users, using a fake Google Chrome site to distribute the remote access trojan.

Fraudsters and Cybercriminals Ramp Up the Usage of Crypto-Themed Lures

Threat actors have recently been observed creating thousands of cryptocurrency-themed phishing sites targeting users of popular crypto-wallet services like Coinbase, Exodus, and MetaMask.

These actors are leveraging free hosting platforms such as Gitbook and Webflow to set up lure sites on typosquatted crypto-wallet subdomains. These deceptive sites attract victims with information about crypto-wallets and download links that lead to fraudulent URLs.

These URLs function as a traffic distribution system (TDS), redirecting users either to phishing content or, if the TDS identifies the visitor as a security researcher, to harmless pages.

Additionally, phishing campaigns are also posing as legitimate government entities in India and the U.S., redirecting users to fake domains designed to harvest sensitive information. This stolen data can then be used for future scams, phishing emails, spreading misinformation or distributing malware.

AI Buzz also Exploited in Misleading Campaigns

Social engineering tactics have capitalized on the surge in generative artificial intelligence (AI) to create misleading domains that imitate OpenAI ChatGPT, facilitating various unsafe activities such as phishing, grayware, ransomware, and Command-and-Control (C2) operations.

A significant number of these domains exploit the popularity of generative AI by incorporating keywords like 'GPT' or 'ChatGPT.' Notably, over a third of the traffic to these newly registered domains has been directed toward suspicious sites.
