New malware is rampant overseas, mainly targeting Chinese and Korean users
Release time: 2024-09-06    Source: Qingqiao

Recently, the cybersecurity research team Cyberint discovered that a specific variant of malicious installer is being widely used, and that it is then used to carry out illegal activities such as information dissemination, theft of secrets, fraud, deployment of malware, and theft of cryptocurrency. Its main targets are users in China and South Korea.

Cyberint is a company dedicated to network security and threat intelligence, committed to using advanced technology and solutions to help customers detect and mitigate external network threats in advance, thereby reducing security risk. The platform's patented technology continuously discovers and maps attack surfaces and combines this with automated collection and analysis of large volumes of intelligence from the open, deep, and dark web, protecting customers from external risks including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data breaches, fraud, and third-party risk.

[Image: Cyberint Chief Executive Officer and Chief Financial Officer]

First, the Cyberint team noticed increased use of malicious .msi files (Windows Installer packages). .msi files are a known carrier for spreading malware: although not common, they have been used by threat actors to distribute various malware families. Across a number of samples, the Cyberint team observed that a specific variant of malicious installer was being widely used, disguised as a legitimate application or an update installer and targeting Korean and Chinese users. Most security vendors failed to detect the loader at the time of its initial discovery.

The Cyberint team named the malicious installer UULoader. UULoader deceives users into downloading and executing it by disguising itself as a legitimate or commonly used application and by using decoy files and similar means. Attackers use it to deliver follow-on malicious payloads such as Gh0st RAT and Mimikatz, tools that are then used for illegal activities such as information dissemination, theft, fraud, planting further malware, and theft of cryptocurrency. Attackers may also use free hosting services to build phishing websites that impersonate well-known cryptocurrency wallet services or other trusted institutions and lure users into clicking malicious links. They may also abuse legitimate tools such as the Microsoft Dynamics 365 Marketing platform to create subdomains and send phishing emails that bypass conventional email filtering. With the widespread adoption of generative artificial intelligence, social engineering attacks have begun to exploit this trend as well, setting up fraudulent domain names disguised as OpenAI ChatGPT for phishing, grayware, and ransomware.


UULoader: a new type of malware

UULoader adopts a simple yet effective primary mechanism to evade static detection: file header stripping. Deleting (or stripping) the first few bytes of a file can completely evade file-type classification. UULoader's core files are usually distributed in Microsoft Cabinet (.cab) format; this format is relatively common on Windows systems and therefore offers a degree of concealment. The archive contains two core executables: one .exe file and one .dll file. The file headers of both have been stripped, making it difficult for traditional detection tools to identify them as malicious.

The main technique this malware uses is DLL side-loading through a legitimate binary. The final loaded file is named "XamlHost.sys", a misleading name: the file is actually a Remote Access Tool (RAT) or the Mimikatz credential stealer. The installer also contains a Visual Basic script (.vbs) responsible for launching legitimate executables such as Realtek's in order to add further confusion. Some samples also run decoy files as an obfuscation strategy.
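The two passages above describe UULoader's stripped-header PE files inside the .cab archive and the user-mode payload carried under the driver-like name "XamlHost.sys". The following detection heuristic is an added example written for this article; it is not Cyberint's code and not taken from any UULoader sample. It looks for PE artefacts that survive header stripping (the "PE\0\0" signature, the DOS stub text, common section names) and, for files with a ".sys" extension, checks whether the PE subsystem is actually the native (kernel driver) subsystem. The sample "PE" blob is constructed inline and is not a real executable; the thresholds and the list of PE extensions are assumptions of this example.

```python
"""Heuristic scanner for stripped-header PE files and mislabelled PE payloads.
Added example for this article; not Cyberint's code, not UULoader sample data."""
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
PE_SIGNATURE = b"PE\x00\x00"
COMMON_SECTIONS = (b".text", b".rdata", b".data", b".rsrc", b".reloc")
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx"}   # assumption: extensions expected to hold PE content
IMAGE_SUBSYSTEM_NATIVE = 1                             # value used by kernel-mode drivers


def pe_indicators(data: bytes) -> dict:
    """Collect PE-related artefacts that remain even after the 'MZ' header is cut off."""
    return {
        "has_mz": data[:2] == b"MZ",
        "has_pe_signature": PE_SIGNATURE in data,
        "has_dos_stub": DOS_STUB_TEXT in data,
        "section_names": [s for s in COMMON_SECTIONS if s in data],
    }


def classify(data: bytes) -> str:
    """'pe' for an intact image, 'headless-pe' for PE content without its MZ header, else 'other'."""
    ind = pe_indicators(data)
    if ind["has_mz"] and ind["has_pe_signature"]:
        return "pe"
    # Require two independent artefacts so that a stray 'PE\0\0' in random data is not enough.
    body_hits = sum([ind["has_pe_signature"], ind["has_dos_stub"], len(ind["section_names"]) >= 2])
    return "headless-pe" if body_hits >= 2 else "other"


def pe_subsystem(data: bytes):
    """Read the optional header Subsystem field. Locates 'PE\0\0' by search rather than via
    e_lfanew, so it still works when the DOS header has been stripped."""
    pe_off = data.find(PE_SIGNATURE)
    # Subsystem sits at optional-header offset 68; the COFF header is 20 bytes after the 4-byte signature.
    if pe_off < 0 or len(data) < pe_off + 94:
        return None
    return struct.unpack_from("<H", data, pe_off + 4 + 20 + 68)[0]


def scan(files: dict) -> list:
    """files maps file name -> content. Returns (name, reason) findings for a defender to triage."""
    findings = []
    for name, data in files.items():
        verdict = classify(data)
        if verdict == "other":
            continue
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if verdict == "headless-pe":
            findings.append((name, "MZ header stripped but PE artefacts present"))
        if ext not in PE_EXTENSIONS:
            findings.append((name, f"PE content behind non-PE extension .{ext}"))
        elif ext == "sys" and pe_subsystem(data) != IMAGE_SUBSYSTEM_NATIVE:
            findings.append((name, "user-mode PE carrying a driver-style .sys name"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob for testing (not a runnable program): MZ header with
    e_lfanew, the classic DOS stub text, a COFF header for a 32-bit DLL, a PE32 optional header
    with a user-mode (WINDOWS_GUI) subsystem, and three section headers."""
    dos_header = bytearray(64)
    dos_header[:2] = b"MZ"
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b".\r\r\n$")
    struct.pack_into("<I", dos_header, 0x3C, 64 + len(stub))          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x2102)     # i386, 3 sections, DLL flag
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", optional, 68, 2)                            # Subsystem: WINDOWS_GUI
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b".text", b".rdata", b".data"))
    return bytes(dos_header) + stub + PE_SIGNATURE + coff + bytes(optional) + sections


def strip_header(data: bytes, n: int = 16) -> bytes:
    """Reproduce the evasion for the test: drop the first n bytes so the 'MZ' magic is gone."""
    return data[n:]


if __name__ == "__main__":
    intact = build_sample_pe()
    sample_set = {                       # constructed file set resembling the layout described above
        "setup.exe": intact,
        "XamlHost.sys": strip_header(intact),
        "update.dat": intact,
        "readme.txt": b"just text",
    }
    for finding in scan(sample_set):
        print(finding)
```

A file-type classifier keyed on the first bytes says "unknown" for the stripped .exe and .dll, which is exactly the gap the article describes; searching the body for artefacts that an attacker cannot remove without breaking the image is what closes it. The `.sys` subsystem check is cheap because a genuine driver must declare the native subsystem, while a RAT or Mimikatz build renamed to "XamlHost.sys" will not.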

UULoader is a new type of malware whose attack methods against Chinese and Korean users are varied and complex, so users and businesses need to remain highly vigilant and take effective preventive measures against this threat. Faced with increasingly complex overseas cyber attacks, businesses and individuals alike need to raise their vigilance and strengthen their security awareness: improve awareness of network security and avoid clicking links or downloading software from unknown sources; use security software, installing and regularly updating antivirus software and firewalls to keep systems secure; handle personal information with caution and never casually disclose sensitive personal information such as bank accounts or passwords online; and follow security news, staying up to date with cybersecurity developments, the latest network threats, and the corresponding preventive measures.



Copyright: Qingqiao International Security Group     ICP filing number: 鄂ICP备2021010908号
