
Chinese Threat Actors Utilize MSI Files to Evade Windows, VT Detection


Chinese-speaking hackers have been using the Windows Installer (MSI) file format to circumvent typical security measures. A new malware loader known as “UULoader” has emerged, targeting Chinese and Korean speakers, according to researchers from Cyberint. The loader arrives in the less common MSI format, which has caught the attention of security experts.

The increase in malicious MSIs from Asia has been noticed by multiple vendors, indicating a growing trend in utilizing this file format for nefarious purposes. Threat actors are employing innovative stealth tactics to exploit the strengths of MSI files while bypassing their usual weaknesses. The use of techniques like file header stripping and sideloading has allowed hackers to evade detection by static scanners, as explained by Cyberint security researcher Shaul Vilkomir Preisman.

UULoader, operated by an unidentified but presumably Chinese threat actor, is being distributed primarily through phishing emails. The malware is often disguised as an installer for legitimate applications such as AnyDesk or an update for popular programs like Google Chrome. Despite lacking the necessary signatures to be deemed trustworthy, UULoader manages to elude detection through various evasion mechanisms like file header stripping and DLL sideloading.

By stripping the initial bytes of its files, UULoader evades classification by security programs, making it appear as non-malicious data. Preisman highlights the necessity of reassembling the file after stripping headers, which UULoader achieves by utilizing two specific characters. Additionally, the malware employs decoy files and VBScript to further confuse and deceive potential victims.
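As an added defensive example (not from the article or from Cyberint's research), the following Python heuristic flags a byte blob whose leading bytes appear to have been stripped from a Windows PE header, the kind of file a static scanner would otherwise classify as opaque data. It assumes the stripped bytes are the `MZ` DOS magic, which the article does not specify, and it uses a constructed sample rather than any real UULoader artifact.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def _has_valid_pe_header(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify_blob(data: bytes, max_strip: int = 2) -> str:
    """Classify a blob as 'pe' (intact header), 'headerless-pe' (re-prefixing up to
    max_strip missing leading bytes of the DOS magic restores a valid PE layout),
    or 'other'. A 'headerless-pe' result is the signal a scanner should treat as
    suspicious: normal data rarely decodes into a consistent PE when 'MZ' is prepended."""
    if _has_valid_pe_header(data):
        return "pe"
    for n in range(1, max_strip + 1):
        # Assumption: the dropper removed the first n bytes of the 'MZ' magic.
        candidate = DOS_MAGIC[:n] + data
        if _has_valid_pe_header(candidate):
            return "headerless-pe"
    return "other"


def build_minimal_pe_like() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature.
    It is not a runnable executable, only enough structure to exercise the check."""
    hdr = bytearray(0x40)
    hdr[:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 20


if __name__ == "__main__":
    sample = build_minimal_pe_like()
    print(classify_blob(sample))            # pe
    print(classify_blob(sample[2:]))        # headerless-pe (both magic bytes stripped)
    print(classify_blob(sample[1:]))        # headerless-pe (one magic byte stripped)
    print(classify_blob(b"plain text data"))  # other
```

In practice the same check would be run over each file extracted from an MSI package, with `max_strip` raised if a sample is found to remove more than the two magic bytes.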

The stealth mechanisms of UULoader have proven effective at evading detection initially, with the first VirusTotal scans of the samples returning no detections. Preisman notes that detections only increase after a period of exposure, demonstrating the strategies threat actors employ to remain undetected for as long as possible.

At the end of the infection chain, UULoader has been observed dropping Gh0stRAT and other hacking tools like Mimikatz. These tools are commonly used in various cyber attacks, indicating a broad range of potential objectives for the malware. Gh0stRAT, a prevalent hacking tool in Chinese cyber circles, has seen increased usage alongside the rise of MSI malware in Southeast Asia.

Preisman notes a significant uptick in MSI-related incidents in Southeast Asia, suggesting a growing trend in utilizing this file format for malicious activities. As MSI files become more prevalent in cyber attacks, users may need to exercise greater caution when dealing with such files. While traditional file formats like Word documents and PDFs are often viewed with suspicion, Windows Installers present a unique challenge due to their ability to conceal malware effectively.

In conclusion, the emergence of UULoader and the increasing use of malicious MSIs highlight the evolving tactics of cybercriminals in bypassing security measures. As cybersecurity experts continue to uncover these threats, it is crucial for users to remain vigilant and adopt best practices to protect themselves against evolving cyber threats.

