Malicious Windows Installers Target Korean and Chinese Users with Sneaky Malware

New "UULoader" malware threat spread via malicious Windows installers targeting Korean and Chinese speakers.

By Marco Rizal, Editor, Journalist
Last updated: September 15, 2024 12:16 pm

Cybersecurity researchers at Cyberint have discovered a substantial rise in the use of malicious .msi files, Windows installer packages crafted to deliver malware.

This delivery method, although not widely used, has proven to be quite effective. It involves a new loader called “UULoader” that has specifically targeted Korean and Chinese speakers since July 2024.

UULoader disguises itself as genuine software or updates, deceiving users into unwittingly installing it. After being executed, the malware uses clever tactics to evade detection.

It works by removing file headers, the identifying bytes at the beginning of a file that let security software recognize its type.

This strategy enables the malware to bypass initial security scans, making it appear as harmless data instead of dangerous malware.

The UULoader's core files are concealed in a Microsoft Cabinet archive (.cab) that consists of two essential components: an executable file (.exe) and a dynamic link library file (.dll).

[Figure: extracted file with no MZ header. Credits: Cyberint]

Both have their headers removed, which helps to avoid detection. Often, the stripped executable is a legitimate but outdated Realtek binary that serves as a “side-loader” for the malicious .dll, which in turn loads the final malware payload in a straightforward manner.
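A defender-side check for the stripped-header trick described above, added here as an illustration rather than Cyberint's own tooling: it builds a constructed PE skeleton, strips its "MZ" magic the way the article describes, and then classifies files by whether a PE body survives without its header (via the `e_lfanew` pointer, the DOS stub text, or a `PE\0\0` signature followed by a plausible machine type). The sample bytes, the `VALID_MACHINES` set and the directory walker are assumptions for this example.

```python
import os
import struct

# Constructed sample input (not from the article): a minimal PE-like image, then the
# same image with its "MZ" magic blanked out, as UULoader is described doing.
VALID_MACHINES = {0x14C, 0x8664, 0x1C0, 0xAA64}  # IMAGE_FILE_MACHINE_I386/AMD64/ARM/ARM64

def build_sample_pe() -> bytes:
    """Build a tiny, non-runnable PE skeleton: DOS header, e_lfanew -> 'PE\\0\\0' + COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)      # e_lfanew: PE signature sits at offset 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 64, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # machine = AMD64, 1 section
    return bytes(dos) + stub + b"PE\x00\x00" + coff

def strip_header(pe: bytes) -> bytes:
    """Emulate 'header removal': blank the MZ magic so magic-based file typing fails."""
    return b"\x00\x00" + pe[2:]

def classify(data: bytes) -> str:
    """'pe' = intact MZ/PE file, 'stripped_pe' = PE body whose MZ magic is missing, 'other'."""
    if len(data) < 0x40:
        return "other"
    if data[:2] == b"MZ":
        return "pe"
    # Heuristic 1: e_lfanew at 0x3C still points at a PE signature inside the file
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if 0x40 <= e_lfanew and e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "stripped_pe"
    # Heuristic 2: DOS stub text, or a PE signature followed by a real machine type, anywhere
    if b"This program cannot be run in DOS mode" in data:
        return "stripped_pe"
    idx = data.find(b"PE\x00\x00")
    while idx != -1:
        if idx + 6 <= len(data) and struct.unpack_from("<H", data, idx + 4)[0] in VALID_MACHINES:
            return "stripped_pe"
        idx = data.find(b"PE\x00\x00", idx + 1)
    return "other"

def scan_directory(root: str) -> dict:
    """Walk a directory (for example an extracted .cab) and report stripped PE bodies by path."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read())
            if verdict == "stripped_pe":
                findings[path] = verdict
    return findings
```

Files flagged as `stripped_pe` deserve the same scrutiny as any executable, regardless of what the extension or a magic-based file typer reports.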

In addition, UULoader frequently includes a decoy file that appears legitimate, such as a software update for Chrome. This is done to divert users' attention from the malicious activity occurring in the background.

A multi-stage attack

The UULoader malware follows a series of stages once it is executed. It starts by creating a folder named “Microsoft Thunder” on the target's computer and then proceeds to install the harmful files.

[Figure: script creating the “Microsoft Thunder” directory. Credits: Cyberint]

In addition, a script is executed to include this folder in Windows Defender's exclusion list. This ensures that the security software will not detect the malware.

The malware relies on a side-loading technique, in which a legitimate executable is tricked into loading a malicious .dll file. UULoader usually delivers a remote access tool (RAT), such as Gh0stRat, that grants attackers full control over the compromised system.

UULoader has been observed being used alongside other hacking tools, such as Mimikatz, which are commonly used for stealing credentials.

UULoader's attack stands out due to the usage of “junk” code in its scripts. These nonsensical actions, like arithmetic calculations, serve no practical function other than to increase the size of the script.

This technique aims to deceive security systems by concealing the malicious components of the script within seemingly harmless bloated code.

Likely origins and impact

Based on Cyberint's analysis, UULoader appears to have been written by a Chinese speaker, judging from how the code was written.

The researchers have not yet identified the specific threat actor responsible for the malware. However, the use of RATs like Gh0stRat, which is often associated with Chinese hackers, suggests a possible origin.

UULoader's ability to bypass static detection methods has made it a formidable threat. The initial submissions of the malware to VirusTotal, a popular malware scanning service, had a relatively low detection rate.

This suggests that the threat has managed to spread without being noticed, potentially impacting a large number of users before security vendors became aware.
