A recently discovered malware family, dubbed UULoader, is being used by threat actors to distribute additional payloads, including loaders and droppers.
Cyberint researchers identified the malware and noted that it is distributed through malicious installers masquerading as legitimate software, specifically targeting Korean- and Chinese-speaking users.
The presence of Chinese-language strings in the program database (PDB) data embedded in the DLL file suggests that UULoader may have been developed by a Chinese speaker.
UULoader’s core functionality is stored in a Microsoft Cabinet (.cab) archive containing two primary executable files – an .exe and a .dll – whose file headers have been removed.
One of the executables is vulnerable to DLL side-loading; the side-loaded DLL ultimately loads an obfuscated file called “XamlHost.sys”, a malicious payload similar to Gh0st RAT or Mimikatz that enables unauthorized remote access and credential harvesting.
Inside the MSI installer file is a Visual Basic Script (.vbs) responsible for launching the executable (such as one posing as Realtek software); some UULoader samples also execute a decoy file as a distraction mechanism.
“This frequently aligns with the .msi file’s claimed identity,” Cyberint notes. “For illustration, if it attempts to masquerade as a ‘Chrome replacement,’ the decoy should be an exact, authentic replica of Chrome.”
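As an added example (not Cyberint’s tooling and not code from the article), the following Python triage check walks an already-extracted installer directory, flags files named as executables that lack the “MZ” DOS header (as the article says UULoader’s .cab members do) and lists any VBScript launchers. The directory layout and file contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"
EXEC_EXTS = {".exe", ".dll", ".sys"}


def looks_headerless(head: bytes) -> bool:
    """True for a file named like a PE that lacks the 'MZ' DOS stub."""
    return not head.startswith(PE_MAGIC)


def scan_extracted_installer(root: Path) -> dict:
    """Walk an extracted .msi/.cab tree; report header-stripped binaries and .vbs launchers."""
    findings = {"headerless_pe": [], "vbs_launchers": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        rel = p.relative_to(root).as_posix()
        if ext in EXEC_EXTS:
            if looks_headerless(p.read_bytes()[:2]):
                findings["headerless_pe"].append(rel)
        elif ext == ".vbs":
            findings["vbs_launchers"].append(rel)
    return findings


def build_sample_tree() -> Path:
    """Constructed sample (not a real UULoader package): one intact decoy binary,
    two header-stripped binaries and a VBScript launcher."""
    root = Path(tempfile.mkdtemp(prefix="uul_sample_"))
    (root / "decoy.exe").write_bytes(b"MZ" + b"\x90" * 62)   # intact DOS header
    (root / "payload.exe").write_bytes(b"\x00" * 64)        # header stripped
    (root / "payload.dll").write_bytes(b"\x00" * 64)        # header stripped
    (root / "launch.vbs").write_text('Set s = CreateObject("WScript.Shell")\n')
    return root


def demo() -> dict:
    """Run the scan over the constructed sample tree and return the findings."""
    return scan_extracted_installer(build_sample_tree())


if __name__ == "__main__":
    print(demo())
```

Run it against a real extracted installer by passing its directory to `scan_extracted_installer`; a hit on both lists is worth a closer look but is a heuristic, not a verdict.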
This isn’t the first instance of malicious Google Chrome installers being used to distribute the Gh0st Remote Access Trojan (RAT). In February, cybersecurity firm eSentire detected a sophisticated attack campaign targeting Chinese Windows users that leveraged a fake Google Chrome website to distribute the RAT.
Separately, thousands of cryptocurrency-themed websites are being created to host phishing attacks targeting users of popular digital wallet services such as Coinbase, Exodus, and MetaMask.
According to Broadcom-owned Symantec, attackers are leveraging free web hosting platforms like Gitbook and Webflow to build deceptive websites on typosquatting domains associated with cryptocurrency wallets. The phishing pages exploit users’ curiosity by mimicking information about cryptocurrency storage, leading unsuspecting individuals to click on links that ultimately redirect them to fraudulent sites.
The URLs operate as a traffic distribution system, redirecting visitors either to phishing content or to innocuous pages depending on whether the system determines that the visitor is a security researcher.
Phishing scams have also impersonated legitimate government entities in both India and the United States, rerouting users to sites that collect sensitive information that could be exploited in future schemes, fraud, or other malicious attacks.
Noteworthy among these attacks is the abuse of Microsoft’s Dynamics 365 Marketing platform to generate subdomains and dispatch phishing emails, allowing them to evade email filters with ease. These email-based attacks have been dubbed “spear phishing” due to their ability to convincingly impersonate a legitimate U.S. entity, the General Services Administration (GSA).
As interest in generative AI gains widespread attention, malicious actors have leveraged this buzz to register convincing counterfeit domains posing as OpenAI’s ChatGPT, amplifying a range of harmful activities including phishing, grayware, ransomware, and command-and-control (C2) operations.
Notably, more than 72% of the domains associated themselves with GenAI capabilities by incorporating keywords such as GPT or ChatGPT, according to a recent evaluation by Palo Alto Networks’ Unit 42. “A significant proportion of visitors to newly registered domains – a startling 35 percent – were actually diverted to suspect sites.”