New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia
2024-08-19 13:06

A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz.

There is evidence pointing to UULoader being the work of a Chinese speaker due to the presence of Chinese strings in program database files embedded within the DLL file.

"UULoader's 'core' files are contained in a Microsoft Cabinet archive file which contains two primary executables which have had their file header stripped," the company said in a technical report shared with The Hacker News.

One of the executables is a legitimate binary that's susceptible to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscated file named "XamlHost.sys" that's nothing but remote access tools such as Gh0st RAT or the Mimikatz credential harvester.

Present within the MSI installer file is a Visual Basic Script that's responsible for launching the executable - e.g., Realtek - with some UULoader samples also running a decoy file as a distraction mechanism.
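The header stripping described above is something a defender can check for when triaging files unpacked from an MSI or Cabinet archive. The following Python sketch is an added example, not code from the report or the article. The page does not say how the header was stripped, so the sketch assumes either that the `MZ` magic was overwritten in place or that leading bytes were cut off; the function names and the sample bytes are constructed for illustration.

```python
import struct

PE_SIG = b"PE\x00\x00"
E_LFANEW = 0x3C  # DOS-header field holding the file offset of the PE signature


def _pe_sig_at(data: bytes, field_off: int, shift: int) -> bool:
    """Read e_lfanew at field_off; True if 'PE\\0\\0' sits at e_lfanew - shift."""
    if field_off < 0 or len(data) < field_off + 4:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, field_off)
    pos = e_lfanew - shift
    return 0 <= pos <= len(data) - 4 and data[pos:pos + 4] == PE_SIG


def classify(data: bytes) -> tuple[str, int]:
    """Return (verdict, bytes_cut) for one extracted file.

    Verdicts: 'pe', 'magic-overwritten', 'header-truncated', 'not-pe'.
    """
    if data[:2] == b"MZ":
        return ("pe", 0) if _pe_sig_at(data, E_LFANEW, 0) else ("not-pe", 0)
    # Assumed case 1: magic replaced in place, all offsets still valid.
    if _pe_sig_at(data, E_LFANEW, 0):
        return ("magic-overwritten", 0)
    # Assumed case 2: first n bytes removed, so every offset moves down by n.
    for n in range(1, E_LFANEW + 1):
        if _pe_sig_at(data, E_LFANEW - n, n):
            return ("header-truncated", n)
    return ("not-pe", 0)


def make_sample_pe() -> bytes:
    """Constructed sample: only the DOS/PE header layout, not a real binary."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x80)
    return bytes(dos) + PE_SIG + b"\x00" * 20


if __name__ == "__main__":
    pe = make_sample_pe()
    for name, blob in [("intact", pe), ("overwritten", b"\x00\x00" + pe[2:]),
                       ("cut", pe[2:]), ("text", b"hello world" * 20)]:
        print(name, classify(blob))
```

A file that classifies as `magic-overwritten` or `header-truncated` will not be recognized as an executable by tools that key on the `MZ` magic, which makes such files inside an installer package worth a closer look.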

Phishing campaigns have also been masquerading as legitimate government entities in India and the U.S. to redirect users to phony domains that collect sensitive information, which can be leveraged in future operations for further scams, sending phishing emails, spreading disinformation/misinformation, or distributing malware.


News URL

https://thehackernews.com/2024/08/new-uuloader-malware-distributes-gh0st.html