| UULoader | |
| --- | --- |
| Type of Malware | Dropper |
| Targeted Countries | South Korea |
| Date of Initial Activity | 2024 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
UULoader is a sophisticated and evasive piece of malware that has been observed targeting users through malicious Windows Installer (.msi) files. Disguised as legitimate applications or update installers, it primarily targets Korean and Chinese-speaking individuals, demonstrating a regional focus in its deployment. This malware was first identified in July 2024 by the Cyberint Research Team, which noted a surge in the use of malicious .msi files during this period. Further investigation found the malware to be well crafted, with several layers of obfuscation that make it difficult for traditional security solutions to detect.
What sets UULoader apart from other types of malware is its use of a creative and multi-stage delivery mechanism that involves stripping file headers to evade static detection. This method allows it to bypass most security solutions during the initial scan, as file headers, which typically indicate the file type, are removed from the executables. The loader is delivered in a Microsoft Cabinet (.cab) archive containing an executable and a dynamic link library (.dll), both of which have had their headers stripped to avoid detection. Once executed, the malware proceeds to deploy a series of files, including its final payload, and even uses a decoy file to distract the user from its malicious activities.
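The header-stripping trick described above lends itself to a simple static check on extracted archive contents. The following is an added example written for this page, not code from the original page or from the Cyberint write-up: it scores a byte blob on PE artifacts that usually survive when only the leading DOS/PE headers are removed (section names, the DOS-stub banner, common import names) and flags blobs that have no valid MZ/PE header but still score highly. The artifact list, the threshold, the 0x84-byte strip length and the demo blob are all constructed assumptions, not values taken from the UULoader samples.

```python
"""Static check for executables whose MZ/PE headers have been stripped.

Added example for this page, not code from the original page or from the
Cyberint write-up. The artifact list, the scoring threshold and the demo
blob are constructed assumptions for the demonstration.
"""

# Byte strings that usually survive when only the leading headers of a PE
# file are removed: section names, the DOS-stub banner and common imports.
PE_ARTIFACTS = (
    b"This program cannot be run in DOS mode",
    b".text\x00", b".rdata\x00", b".data\x00", b".rsrc\x00", b".reloc\x00",
    b"KERNEL32.dll", b"GetProcAddress", b"LoadLibrary",
)
SCORE_THRESHOLD = 2  # assumption: two or more artifacts is worth a look


def has_valid_pe_headers(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_artifact_score(data: bytes) -> int:
    """Count how many PE artifacts appear anywhere in the blob."""
    return sum(1 for marker in PE_ARTIFACTS if marker in data)


def classify(data: bytes) -> str:
    """'pe' for an intact executable, 'stripped-pe-candidate' for a headerless
    blob that still carries PE artifacts, 'other' for everything else."""
    if has_valid_pe_headers(data):
        return "pe"
    if pe_artifact_score(data) >= SCORE_THRESHOLD:
        return "stripped-pe-candidate"
    return "other"


def scan(files: dict) -> list:
    """Classify a mapping of file name -> bytes; return flagged candidates."""
    return [(name, pe_artifact_score(blob)) for name, blob in files.items()
            if classify(blob) == "stripped-pe-candidate"]


def build_demo_pe_like() -> bytes:
    """Construct a PE-shaped blob for the demo (not a runnable executable)."""
    dos_header = b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")  # e_lfanew = 0x80
    dos_stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21This program cannot be run in DOS mode.\r\r\n$"
    dos_stub = dos_stub.ljust(0x80 - 0x40, b"\x00")
    pe_header = b"PE\x00\x00\x4c\x01" + b"\x00" * 18       # signature + IMAGE_FILE_HEADER stand-in
    sections = b".text\x00\x00\x00" + b"\x00" * 32 + b".rdata\x00\x00" + b"\x00" * 32
    imports = b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    return dos_header + dos_stub + pe_header + sections + imports


def strip_headers(data: bytes, up_to: int = 0x84) -> bytes:
    """Drop the DOS header, stub and PE signature, mimicking the loader's trick
    (0x84 bytes is this demo layout's assumption, not a figure from the page)."""
    return data[up_to:]


if __name__ == "__main__":
    intact = build_demo_pe_like()
    samples = {
        "setup.exe": intact,                     # intact: reported as 'pe'
        "part1.bin": strip_headers(intact),      # headerless: flagged
        "readme.txt": b"release notes for build 2024.07\n",
    }
    for name, blob in samples.items():
        print(f"{name:12} {classify(blob):22} score={pe_artifact_score(blob)}")
    print("flagged:", scan(samples))
```

Run it over the files extracted from a suspect .cab or .msi rather than over the archive itself. Source files and documentation that mention `LoadLibrary` or section names will also score, so treat a hit as a lead for manual review and raise `SCORE_THRESHOLD` if the environment produces too many of them.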
Targets
Individuals
How They Operate
Delivery and Execution
The UULoader malware is usually delivered via malicious attachments, often in the form of Windows Installer (.msi) files or other seemingly legitimate software packages. These files contain obfuscated code that, when executed, triggers the installation of the malware on the target machine. Once on the host, UULoader may also rely on script-based execution, using PowerShell or other scripting engines to deploy the malicious payload. This method is designed to bypass traditional defenses such as antivirus solutions by hiding its actions within legitimate system tools.
Upon execution, UULoader runs a series of checks to ensure it is operating in an environment where it can function without interference. These checks include verifying system configurations, checking for the presence of sandboxing environments, and attempting to disable any security software that might detect its activities. It may also use legitimate Windows processes to disguise its actions, making it harder for security tools to identify the malware’s presence.
Persistence and Evasion
One of the key features of UULoader is its ability to maintain persistence on infected systems. To ensure it can survive reboots and continued operations, UULoader employs several tactics. It may modify the system’s registry or create scheduled tasks to automatically execute its payload upon system startup. This method allows UULoader to remain on the system even after an apparent cleanup or restart. Additionally, the malware may manipulate file and directory permissions to prevent its removal or detection by security tools.
UULoader is also adept at evading detection through obfuscation techniques. Its payloads are often encrypted or compressed to avoid signature-based detection by traditional antivirus tools. The malware uses code obfuscation to hide its functionality and make it difficult for analysts to reverse-engineer its behavior. Furthermore, UULoader can use “fileless” techniques, running directly in memory and avoiding writing files to disk, which makes it even harder to detect using standard file-scanning methods.
Command and Control Communication
Once installed and active on a victim’s system, UULoader establishes communication with a command and control (C2) server, allowing the attacker to remotely control the compromised machine. This communication is often encrypted or uses non-standard ports to evade detection by network monitoring tools. Through the C2 channel, UULoader can receive commands to execute additional malicious actions, including deploying further payloads such as ransomware, remote access Trojans (RATs), or information-stealing malware.
The C2 infrastructure used by UULoader is typically robust, designed to be resilient against takedowns. The malware may use multiple communication protocols, such as HTTP or HTTPS, to blend in with normal network traffic. By leveraging these protocols, UULoader can easily exfiltrate data, deploy secondary payloads, or receive new instructions from the attacker without raising suspicions.
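Check-in traffic that blends into HTTP or HTTPS still tends to betray itself by its timing and its port. The following is an added example written for this page, not code from the original page or from any UULoader analysis: it parses constructed proxy-log lines, groups requests per source, destination and port, and flags groups whose inter-request gaps are nearly constant, also noting whether the port is outside the usual web ports. The log format, the sample lines (RFC 5737 documentation addresses), the standard-port set, the minimum request count and the jitter bound are all constructed assumptions.

```python
"""Spot beacon-like HTTP(S) traffic, including on non-standard ports, in proxy logs.

Added example for this page, not code from the original page or from any
UULoader analysis. The log format, sample lines and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

STANDARD_WEB_PORTS = {80, 443}   # assumption: tune to the environment's proxy policy
MIN_REQUESTS = 5                 # fewer connections than this cannot show a rhythm
MAX_JITTER = 0.2                 # coefficient of variation of the inter-request gaps

# Constructed format: timestamp src dst dst_port method path bytes
SAMPLE_PROXY_LOG = """\
2024-07-02T09:00:00Z 10.0.0.5 203.0.113.10 4443 POST /api/v2/ping 512
2024-07-02T09:00:14Z 10.0.0.5 198.51.100.20 443 GET /index.html 20480
2024-07-02T09:01:01Z 10.0.0.5 203.0.113.10 4443 POST /api/v2/ping 498
2024-07-02T09:01:40Z 10.0.0.5 198.51.100.21 443 GET /news 40210
2024-07-02T09:01:59Z 10.0.0.5 203.0.113.10 4443 POST /api/v2/ping 505
2024-07-02T09:03:02Z 10.0.0.5 203.0.113.10 4443 POST /api/v2/ping 511
2024-07-02T09:04:00Z 10.0.0.5 203.0.113.10 4443 POST /api/v2/ping 499
2024-07-02T09:04:33Z 10.0.0.5 198.51.100.20 443 GET /img/logo.png 8123
2024-07-02T09:05:01Z 10.0.0.5 203.0.113.10 4443 POST /api/v2/ping 503
"""


def parse_proxy_log(text: str) -> list:
    """Turn the constructed whitespace-separated log format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, method, path, size = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port),
            "method": method, "path": path, "bytes": int(size),
        })
    return records


def find_beacons(records: list, min_requests: int = MIN_REQUESTS,
                 max_jitter: float = MAX_JITTER) -> list:
    """Group requests per (src, dst, port) and flag groups whose inter-request
    gaps are nearly constant: low jitter is the mark of a timer-driven
    check-in rather than a person browsing."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["port"])].append(r["ts"])
    findings = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port, "count": len(stamps),
                "mean_interval_s": round(avg, 1), "jitter": round(jitter, 3),
                "nonstandard_port": port not in STANDARD_WEB_PORTS,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(hit)
```

The jitter measure is relative, so a 60-second beacon with a few seconds of randomisation and a 10-minute beacon with half a minute of randomisation both land below the bound; software updaters and monitoring agents also check in on timers, so the destination and port fields are what separate the two once a group is flagged.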
Privilege Escalation and Credential Theft
In some cases, UULoader is not limited to merely maintaining a foothold on the infected system. It may attempt to escalate its privileges to gain higher levels of access. This can involve exploiting known vulnerabilities in the system or using tools like Mimikatz to extract login credentials and other sensitive information. By acquiring elevated privileges, UULoader can increase its chances of success in delivering more destructive payloads, such as ransomware or data exfiltration tools, furthering the attacker’s goals.
Data Exfiltration and Impact
While UULoader’s primary function is to facilitate the delivery of additional malicious payloads, it can also be used to exfiltrate sensitive data from the infected system. This may include stealing user credentials, financial information, or proprietary data. Through its secure C2 channel, UULoader sends the stolen information back to the attacker’s server. Depending on the goals of the attacker, UULoader may also act as a precursor to a larger, more destructive attack, such as a ransomware campaign or corporate espionage operation.
MITRE Tactics and Techniques
Initial Access (TA0001)
Spearphishing Attachment (T1566.001): UULoader is typically delivered via malicious Windows Installer (.msi) files or other attachment-based methods. It may use social engineering to entice users to download and execute the malware.
Exploitation for Initial Access (T1203): The malware often leverages vulnerabilities in the system or applications, especially those related to installer files or system misconfigurations.
Execution (TA0002)
Command and Scripting Interpreter (T1059): UULoader employs scripting mechanisms (like PowerShell or other scripts) to execute its payloads, which are hidden in legitimate system processes or tools.
Exploitation for Execution (T1203): The malware relies on the exploitation of vulnerable systems to execute its malicious code, often using tools designed to bypass security measures.
Persistence (TA0003)
Boot or Logon Autostart Execution (T1547): UULoader ensures persistence by establishing autostart mechanisms, such as registry modifications or scheduled tasks, that relaunch it after a reboot.
File and Directory Permissions Modification (T1222): The malware can modify file system permissions to prevent detection or removal, ensuring that its components are always accessible for execution.
Privilege Escalation (TA0004)
Exploitation for Privilege Escalation (T1203): Through malicious code execution, UULoader may attempt to elevate privileges to gain higher-level access to the system.
Abuse Elevation Control Mechanism (T1548): It might employ techniques to escalate user privileges, using misconfigurations or exploiting system vulnerabilities.
Defense Evasion (TA0005)
Obfuscated Files or Information (T1027): UULoader uses obfuscation techniques, such as stripping file headers, to evade detection by security tools during its initial stages of infection.
Timestomp (T1099): The malware may alter file timestamps to avoid detection by forensic tools or security software scanning for anomalous activities.
Disabling Security Tools (T1089): UULoader attempts to disable or bypass security software like Windows Defender to prevent detection during its operation.
Credential Access (TA0006)
Credential Dumping (T1003): The malware often deploys tools like Mimikatz to harvest user credentials from the system once it has been executed.
Command and Control (TA0011)
Application Layer Protocol (T1071): UULoader uses remote access tools (RATs), such as Gh0stRat, to communicate with its command and control (C2) servers, allowing the attacker to issue commands and receive stolen data.
Exfiltration (TA0010)
Exfiltration Over Command and Control Channel (T1041): After stealing sensitive information, UULoader may exfiltrate this data over its C2 channel to the attacker’s remote server.
Impact (TA0040)
Data Encrypted for Impact (T1486): Although not a primary objective, UULoader can be leveraged as part of a larger attack to encrypt or destroy data, particularly if the malware is combined with other ransomware or destructive payloads.