New UULoader Attacking Users Via Weaponized PDF Documents

by Esmeralda McKenzie

Malicious .msi installers disguised as legitimate software are actively targeting Korean and Chinese speakers with a loader dubbed UULoader. Likely developed by a Chinese speaker, the loader evades detection by most security solutions.

The malware uses DLL side-loading to deploy obfuscated payloads, potentially delivering remote access trojans or credential stealers.

UULoader .pdb path.

UULoader primarily evades static detection by stripping the file headers from its core components. These headers are the first bytes of a file and are what applications and the operating system use to identify the file type.

By removing these identifiers, UULoader's executables, stored inside a .cab archive, become unrecognizable to static analysis tools. This hinders classification and detection and lets the components masquerade as harmless files, evading scrutiny until execution.

It adds a further layer of obfuscation by packaging a stripped but legitimate Realtek executable as a side-loader for another stripped DLL.


A heavily obfuscated payload, destined for "XamlHost.sys", sits in the .cab file alongside two tiny files containing the characters "M" and "Z". These are used to restore the stripped headers of the executable and the DLL during UULoader's execution, defeating detection mechanisms that inspect the files at rest.

"M" and "Z" files used for header restoration.
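The header-stripping trick described above is simple to reproduce and, more usefully, simple to detect statically. The following Python is an added example written for this page, not code from Cyberint or from the UULoader sample: it builds a minimal constructed PE image (not a real sample), strips the "MZ" signature into two separate one-byte files the way the loader stores them, restores it, and shows a triage check that asks whether an unrecognised blob becomes a valid PE once "MZ" is put back in front of it. The fixed two-byte strip is an assumption taken from the "M" and "Z" files mentioned in the report; a variant that removes more bytes would need the candidate check widened accordingly.

```python
import struct
from typing import Tuple


def build_sample_pe() -> bytes:
    """Constructed minimal PE image for the demo (not a real UULoader component).

    Only the parts the checks below rely on are populated: the "MZ" DOS signature,
    e_lfanew at offset 0x3C, and the "PE\\0\\0" signature it points to.
    """
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)          # e_lfanew -> 0x80
    image = bytearray(dos_header) + b"\x00" * (0x80 - 64)  # DOS stub padding
    image += b"PE\x00\x00" + b"\x4c\x01"                   # PE signature + Machine (i386)
    return bytes(image)


def strip_header(pe: bytes) -> Tuple[bytes, bytes, bytes]:
    """Mimic the loader's on-disk layout: body minus its first two bytes, plus 'M' and 'Z' as separate files."""
    return pe[2:], pe[0:1], pe[1:2]


def restore_header(stripped: bytes, m: bytes, z: bytes) -> bytes:
    """What the loader does at run time: glue the two signature bytes back on."""
    return m + z + stripped


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: DOS signature present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def headerless_pe_candidate(data: bytes) -> bool:
    """Static triage for archive contents: flag blobs that are not PE files as stored
    but become structurally valid PE files once 'MZ' is prepended."""
    if data[:2] == b"MZ":
        return False  # ordinary PE, nothing hidden
    return looks_like_pe(b"MZ" + data)


if __name__ == "__main__":
    pe = build_sample_pe()
    stripped, m, z = strip_header(pe)
    print("stripped blob recognised as PE:", looks_like_pe(stripped))
    print("stripped blob flagged as headerless PE:", headerless_pe_candidate(stripped))
    print("restore round-trips:", restore_header(stripped, m, z) == pe)
```

Running `headerless_pe_candidate` over every member of an extracted .cab is enough to surface this particular evasion, because the DOS/PE structure after the first two bytes is left intact; the loader only removes the part that file-type identification keys on.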

Some UULoader samples add a deception tactic by bundling a legitimate decoy file with the malicious components. The decoy typically matches the .msi file's purported purpose and serves to divert the user's attention from the malicious activity.

For example, a "Chrome update" lure may contain a genuine Chrome updater to mask the malicious operations, while UULoader uses an .msi CustomAction to create a "Microsoft Bellow" directory in C:\Program Files (x86).

It then extracts and renames files from an embedded .cab, including the executable and DLL whose headers are restored, and deploys the obfuscated final payload.

At the same time, a .vbs script runs and excludes the newly created directory from Windows Defender scanning.

The script further processes the extracted files and launches the legitimate side-loader, which invokes the UULoader DLL; the DLL in turn loads the obfuscated payload and starts the decoy application.

Directory creation by the .msi CustomAction.

The .vbs script is itself obfuscated: it is padded with irrelevant arithmetic calculations to hide the malicious code inside a seemingly legitimate script.

To further evade detection, the script also excludes itself from Defender scans. It ultimately deploys and executes UULoader, a tool designed to deliver payloads such as Gh0st RAT and Mimikatz, pointing to a likely goal of remote access and credential theft by actors presumably of Chinese origin.
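The Defender exclusions the script adds (the freshly created directory, and the script itself) are the most visible part of this chain from a defender's side, because Defender records every configuration change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log with the registry value that changed in its message text. The Python below is an added example for this page, not tooling from the report: it runs over constructed 5007 event lines (event ID plus message text; the paths are placeholders, not indicators from the UULoader analysis) and flags newly added path exclusions that cover a script file or land under a root that installers and droppers favour. The event message format follows what Defender writes; the line layout and the suspicious-root list are this example's own choices.

```python
import re
from typing import List, Tuple

# Constructed sample events for this example: (event ID, message text). Event 5007 is
# Defender's "Configuration has changed" record; an added exclusion appears as a
# "New value:" of ...\Exclusions\<kind>\<target> = 0x0, a removed one only as "Old value:".
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (5007, r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Example Dir = 0x0"),
    (5007, r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\update.vbs = 0x0"),
    (5007, r"Microsoft Defender Antivirus Configuration has changed. Old value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\update.vbs = 0x0 New value: "),
    (1116, "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Matches only additions: the exclusion key must appear after "New value:".
EXCLUSION_ADDED_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?) = 0x0\s*$"
)

# Heuristics chosen for this example (assumption, tune per environment).
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
DROP_ROOTS = (
    "c:\\program files (x86)\\", "c:\\program files\\", "c:\\programdata\\",
    "c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\",
)


def new_exclusions(events: List[Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Return (kind, target) for every exclusion that was added, ignoring removals and other events."""
    found = []
    for event_id, message in events:
        if event_id != 5007:
            continue
        m = EXCLUSION_ADDED_RE.search(message)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def triage(events: List[Tuple[int, str]]) -> List[Tuple[str, List[str]]]:
    """Flag added path exclusions that look like a dropper protecting itself or its staging directory."""
    findings = []
    for kind, target in new_exclusions(events):
        if kind != "Paths":
            continue
        t = target.lower()
        reasons = []
        if t.endswith(SCRIPT_EXT):
            reasons.append("script file excluded from scanning (self-exclusion pattern)")
        if any(root in t for root in DROP_ROOTS):
            reasons.append("exclusion under a root commonly used for staged payloads")
        if reasons:
            findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_EVENTS):
        print(target)
        for r in reasons:
            print("   -", r)
```

A Program Files exclusion on its own is noisy, since legitimate installers add them too; what makes the UULoader pattern stand out is the combination of an exclusion for a freshly created directory, a second one for the .vbs itself, and both arriving while msiexec.exe is still running. Correlating the 5007 timestamps with process-creation telemetry for the installer is the practical next step.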

UULoader uses a complex, multi-stage payload delivery mechanism that effectively circumvents static detection tools, as evidenced by its exceptionally low initial detection rates on VirusTotal.

According to Cyberint, although it has not been determined exactly who is responsible for UULoader, the characteristics of the malware point to a possible origin in China.


Source credit : cybersecuritynews.com
