Threat actors have leveraged the novel UULoader malware, disguised as legitimate app installers aimed at Chinese and Korean users, to deliver the Gh0st RAT and Mimikatz payloads, according to The Hacker News.
UULoader carries an archive holding two main executables whose file headers have been stripped; the first is a binary used for DLL side-loading of the final-stage payloads, an analysis from the Cyberint Research Team revealed. UULoader attacks also execute a decoy file. "This usually corresponds to what the .msi file is pretending to be. For example, if it tries to disguise itself as a 'Chrome update,' the decoy will be an actual legitimate update for Chrome," said Cyberint researchers. The development follows a report by eSentire that Gh0st RAT was distributed to Windows users across China through fraudulent Google Chrome installers.
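Stripping the MZ/PE headers from the bundled executables defeats naive magic-byte checks during triage. The heuristic below, an added example that is not Cyberint's tooling or a published rule, flags extracted files that lack an MZ header but still carry other PE artefacts (the DOS stub message and standard section names); the marker strings are real PE conventions, the scoring threshold is an assumption chosen for this example, and the sample blobs are constructed.

```python
# Heuristic triage for header-stripped PE files (added example; the threshold is an assumption).
DOS_STUB = b"This program cannot be run in DOS mode"
# Standard PE section names as they appear in the 8-byte section table entries.
SECTION_NAMES = (b".text\x00\x00\x00", b".rdata\x00\x00", b".data\x00\x00\x00", b".reloc\x00\x00")


def classify_blob(data: bytes) -> str:
    """Return 'pe', 'headerless-pe' or 'other' for a file's raw bytes."""
    if data[:2] == b"MZ":
        return "pe"  # intact header, normal PE handling applies
    hits = 1 if DOS_STUB in data else 0
    hits += sum(1 for name in SECTION_NAMES if name in data)
    # Two or more PE artefacts without an MZ header is the suspicious combination.
    return "headerless-pe" if hits >= 2 else "other"


def scan_files(files: dict) -> list:
    """Classify an in-memory map of {name: bytes} and return (name, verdict) pairs."""
    return [(name, classify_blob(data)) for name, data in sorted(files.items())]


def headerless_candidates(files: dict) -> list:
    """Names of files that look like PE images whose headers were removed."""
    return [name for name, verdict in scan_files(files) if verdict == "headerless-pe"]


# Constructed samples standing in for extracted archive members.
SAMPLE_FILES = {
    "chrome_update.msi": b"%s\x00%s" % (b"\x00" * 16, b"not a PE at all"),
    "loader.bin": b"\x00" * 64 + DOS_STUB + b"\x00" * 32 + b".text\x00\x00\x00" + b".rdata\x00\x00",
    "sideload.dll": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLE_FILES):
        print(f"{name}: {verdict}")
```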