An Analysis of Malware and Attack Techniques


Sandro Sana : August 20, 2024 09:33

In recent months a new threat has appeared on the global scene: a malware loader called UULoader. It is drawing attention from security researchers above all because of what it delivers, namely established offensive tools such as Gh0st RAT and Mimikatz. Aimed primarily at East Asian users, UULoader is a telling example of how intrusions are becoming quieter and harder to detect. Chinese-language strings in its files suggest a Chinese-speaking developer, although strings alone are weak evidence for attribution. In parallel, cryptocurrency-themed phishing sites continue to multiply, adding to the risk for users.

How UULoader Works

UULoader relies on a technique called DLL side-loading: abusing the way a legitimate program locates and loads its DLL dependencies so that it executes attacker-supplied code instead. The malware is packaged as an apparently benign installer, such as a Google Chrome update or a Realtek driver. While the installer runs, UULoader executes its payload in the background under cover of the legitimate process, so that neither the user nor security checks that trust the signed parent see anything unusual.

The deception extends to the packaging. In one documented attack the UULoader installer was an MSI file that, alongside the software it claimed to install, dropped a malicious executable into a hidden directory. That executable then triggered the later stages of the attack, including downloading and running additional tools.

What is DLL Side-Loading?

DLL side-loading is an attack technique in which a malicious DLL (Dynamic Link Library) takes the place of, or impersonates, a DLL that a legitimate application expects to load. The legitimate application, often digitally signed, loads and executes the malicious file because Windows resolves DLL dependencies by name and search order, and most applications never verify the identity or integrity of the file they receive. The result is attacker code running inside a trusted process.

How it works:

  1. Target Selection: The attacker chooses a legitimate application that loads a DLL by name during normal operation. Most applications do not verify the authenticity of the DLL they load, which is what makes the attack possible; a signed executable from a well-known vendor is the preferred host because security tools trust it.
  2. Malicious DLL Creation: The attacker builds a DLL with the same file name as the one the application expects, usually exporting the same function names so the application keeps working. The attacker's code runs from the DLL entry point or from one of those exports.
  3. DLL Placement: The malicious DLL is dropped into the application's own directory, which Windows searches first, or into another directory on the DLL search path (for example one listed in PATH) when no copy exists earlier in the order. When the application starts, it loads the planted DLL instead of the genuine one. The trick does not work for DLLs on the KnownDLLs list, which Windows always resolves from System32, so attackers target dependencies outside that list.
  4. Malicious Code Execution: Once loaded, the DLL runs its payload: downloading additional malware, stealing data or executing remote commands, all under the identity of the legitimate process.

Implications of DLL Side-Loading in UULoader

UULoader uses DLL side-loading precisely to run its code without raising suspicion. The chain begins with an MSI file that appears to install legitimate software. During the installation a malicious DLL is loaded in place of the one the bundled executable expects, and the malware establishes itself on the system under the cover of that installer.

Once the malicious DLL is loaded, UULoader can proceed to download and install additional malicious tools such as Gh0st RAT and Mimikatz. These tools allow attackers to take control of the system, steal credentials, and monitor user activity.

Examples of DLL Side-Loading

DLL side-loading has featured in numerous attacks over the years. Attackers frequently abuse widely deployed software, such as PDF readers or multimedia players, as the host executable whose trusted signature masks the malicious DLL. The technique is particularly effective against systems with weak endpoint protection or where the security software is out of date, since a signed parent process is exactly what many tools are configured to trust.

Defending Against DLL Side-Loading

Protecting against DLL side-loading requires measures on several layers:

  • Digital Signature Verification: Windows does not verify the Authenticode signature of a DLL loaded by an ordinary user-mode application unless a code-integrity policy such as WDAC is enforced, so the application itself must check (for example with WinVerifyTrust) before loading. From the defender's side, a signed executable loading an unsigned DLL is the single most useful indicator.
  • Restricting Load Directories: Applications should load dependencies by absolute path or restrict the search order (for instance with SetDefaultDllDirectories, or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32) so that a DLL planted in the application directory or on PATH is never considered. Keeping application directories non-writable by standard users removes the placement step altogether.
  • System Monitoring: Image-load telemetry (Sysmon Event ID 7 or an EDR equivalent) makes side-loading visible. A DLL with a Windows system DLL's name loaded from outside System32, an unsigned DLL co-located with its loader, or a load from a user-writable path such as AppData or Temp all deserve an alert.
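The following script is an added example, not code from the original article or from the UULoader research it summarizes. It turns the attack steps above and the monitoring advice in this list into concrete checks run over constructed Sysmon Event ID 7 (ImageLoad) records, flattened here into a key=value|key=value line format for readability (real Sysmon events are XML in the event log). The field names Image, ImageLoaded, Signed and SignatureStatus are Sysmon's own; the system DLL list, the user-writable path markers, and every sample path and file name are assumptions made for the example.

```python
"""Side-loading triage over Sysmon-style image-load (Event ID 7) records.

Added example. Records are constructed and flattened into a
'Key=Value|Key=Value' line; field names follow Sysmon's Event ID 7.
"""
import ntpath
from dataclasses import dataclass

# Subset of DLL names that Windows ships in System32 and that applications
# commonly import by bare name. Assumption for the example; in production
# build this from a System32 inventory of the monitored OS build.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "profapi.dll", "userenv.dll", "msimg32.dll", "dwmapi.dll",
    "uxtheme.dll", "winmm.dll", "propsys.dll", "secur32.dll",
}
# The only directories from which those names should legitimately resolve.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path fragments marking locations a standard user can write to (assumed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

RULE_SYSTEM_NAME = "system-dll-name-outside-system-dir"
RULE_UNSIGNED_COLOCATED = "unsigned-dll-colocated-with-loader"
RULE_USER_WRITABLE = "dll-loaded-from-user-writable-path"


@dataclass
class Finding:
    image: str          # process that performed the load
    dll: str            # DLL that was loaded
    rules: list[str]    # which checks fired


def parse_event(line: str) -> dict[str, str]:
    """Split one constructed 'Key=Value|Key=Value' record into a dict."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _norm(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.normpath(path).lower()


def analyze_event(event: dict[str, str]) -> list[str]:
    """Return the names of the side-loading checks that fire for one load."""
    image = _norm(event.get("Image", ""))
    dll = _norm(event.get("ImageLoaded", ""))
    if not dll.endswith(".dll"):
        return []
    dll_dir, dll_name = ntpath.split(dll)
    image_dir = ntpath.dirname(image)
    valid_signature = (event.get("Signed", "").lower() == "true"
                       and event.get("SignatureStatus", "").lower() == "valid")
    rules: list[str] = []
    # Steps 2-3 of the attack: a DLL named like a Windows system DLL but
    # resolved from somewhere other than a system directory.
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DLL_DIRS:
        rules.append(RULE_SYSTEM_NAME)
    # The classic side-load shape: the DLL sits next to the executable that
    # loaded it and carries no valid Authenticode signature.
    if dll_dir == image_dir and dll_dir not in SYSTEM_DLL_DIRS and not valid_signature:
        rules.append(RULE_UNSIGNED_COLOCATED)
    # Installers that stage payloads where any user can write.
    if any(marker in dll_dir + "\\" for marker in USER_WRITABLE_MARKERS):
        rules.append(RULE_USER_WRITABLE)
    return rules


def is_likely_sideload(rules: list[str]) -> bool:
    """High confidence only when the DLL both impersonates a system DLL and
    is an unsigned file co-located with its loader."""
    return RULE_SYSTEM_NAME in rules and RULE_UNSIGNED_COLOCATED in rules


def scan(lines: list[str]) -> list[Finding]:
    """Run every record through the checks and keep those that fired."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rules = analyze_event(event)
        if rules:
            findings.append(Finding(event["Image"], event["ImageLoaded"], rules))
    return findings


# Constructed sample records (not real telemetry). Paths and file names are
# invented to mirror the fake-driver and fake-updater lures described above.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\appcore.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\alice\AppData\Local\Temp\RtkAudio\RtkUpdate.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\RtkAudio\version.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\ProgramData\ChromeUpdate\update.exe|ImageLoaded=C:\ProgramData\ChromeUpdate\updhelper.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Program Files\Editor\editor.exe|ImageLoaded=C:\Program Files\Editor\version.dll|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        verdict = "LIKELY SIDE-LOAD" if is_likely_sideload(f.rules) else "review"
        print(f"{verdict:17} {f.image} -> {f.dll}  [{', '.join(f.rules)}]")
```

Of the five constructed records, the two System32 and vendor loads pass clean; the fake Realtek updater in Temp trips all three checks and is the only one rated a likely side-load, while the unsigned helper in ProgramData and the signed third-party version.dll next to a legitimate editor are flagged for review only. The separation between "review" and "likely side-load" matters in practice: a signed DLL with a system name shipped by a real vendor is common enough that alerting on rule one alone would drown the analyst.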

Gh0st RAT: Remote Control of Infected Systems

One of the main payloads distributed by UULoader is Gh0st RAT, a Remote Access Trojan (RAT) that gives attackers remote control of infected computers. Gh0st RAT is not new to the threat landscape: its source code has circulated publicly for years, and recent variants built on it have significantly extended its capabilities. The malware can record user activity, capture screenshots, steal sensitive information and install additional malicious software.

Gh0st RAT is often distributed through fake installers of popular software, such as Google Chrome, and mainly targets Chinese-speaking users. Once installed, this tool allows hackers to remotely monitor and control compromised devices, posing serious risks to the privacy and security of victims.

Mimikatz: Credential Theft

Another tool distributed by UULoader is Mimikatz, a well-known utility for extracting credentials from Windows systems. Mimikatz can pull cleartext passwords, password hashes, PINs and other secrets directly from the memory of the LSASS process, and it can do so even where Local Security Authority (LSA) Protection is enabled, because it ships its own signed kernel driver (mimidrv) that strips the protection from LSASS. Windows has reduced the amount of cleartext credential material kept in memory, but on systems without Credential Guard, which isolates those secrets from the rest of the OS, Mimikatz still recovers enough to be dangerous (HackTricks).

This tool is particularly dangerous in targeted attacks, where hackers use stolen credentials to move laterally within a corporate network, increasing their access and potentially causing widespread damage.

Geopolitical and Security Implications

The emergence of UULoader is not only a cybersecurity warning but also a possible indicator of rising geopolitical tension. Attacks using UULoader have been detected primarily in East Asia, and the regional focus together with the Chinese-language artefacts has prompted speculation that state actors or state-sponsored groups may be involved, although this evidence alone does not establish attribution. The region, already the site of complex geopolitical dynamics, could be further destabilized by cyberattacks on critical infrastructure and strategic sectors.

UULoader's ability to deliver advanced malware such as Gh0st RAT and Mimikatz poses serious risks not only to individual organizations but also to national security, especially when it is used in targeted attacks against critical infrastructure.

Security Implications

The discovery of UULoader and its ability to distribute malicious software such as Gh0st RAT and Mimikatz highlights the importance of maintaining high standards of cybersecurity. Organizations must be vigilant and take proactive measures to protect their systems, including training staff on security, implementing strict access controls, and using up-to-date antivirus solutions.

Conclusions

UULoader represents a significant evolution in the cyber threat landscape, combining a well-understood technique, DLL side-loading, with the delivery of dangerous tools such as Gh0st RAT and Mimikatz. Its spread across East Asia and the potential involvement of state actors raise concerns not only for cybersecurity but also for geopolitical stability.

To counter these threats, organizations should adopt proactive measures: verifying the integrity and signatures of the files they deploy, continuously monitoring network and endpoint activity, and keeping security systems up to date. The continued development of loaders like UULoader shows that attackers are refining their techniques to evade traditional detection, and only a multi-layered approach to security can keep pace with them.

Sandro Sana
Member of the Red Hot Cyber Dark Lab group. I have been working in Information Technology since 1990; over the years I have worked with different types of companies, from SMEs to enterprises and public administration. Since 2003 I have been interested in communication, NLP and public speaking. In 2014 I entered the world of cybersecurity and specialized in scouting and R&D of cybersecurity solutions. CEH (EC-Council Certified Ethical Hacker), CIH (EC-Council Certified Incident Handler), CISSP (Certified Information Systems Security Professional), CSIRT Manager, speaker at SMAU 2017 and SMAU 2018, SMAU Academy and ITS teacher, member of the Association of Professional Computer Scientists since 2017 and Coordinator for the Friuli-Venezia Giulia region of AIP-ITCS. CLUSIT member and journalist at Red Hot Cyber, Cybersecurity360 and Digital360.