Meet UULoader: An Emerging and Evasive Malicious Installer.

Windows Installers (.msi files) are a known vector of malware distribution. Although not quite common, they have been used by threat actors to distribute malware of all sorts.

During July 2024, the Cyberint Research Team noticed somewhat of an uptick in the usage of malicious .msi files. Among the various samples we noticed a specific variant of malicious installer being actively used in the wild, disguised as legitimate applications or update installers and targeting Korean and Chinese speakers.

Further analysis reveals that the loader was likely developed by a Chinese speaker, while remaining mostly undetected (on first-seen) by most security vendors.

The Cyberint Research Team have dubbed this malicious installer “UULoader”, after several variations  appearing as .pdb paths in its embedded .dll files (Figure 1).

UULoader static evasions

UULoader employs a simple yet effective primary mechanism of evading static detection – File header stripping. File headers are the first several bytes of any given file and let various applications (and sometimes the operating system itself) know what type of file any certain file is. For example – a PDF document will have the file header of “%PDF-“ followed by a number representing the file version such as “%PDF-1.7”.

By removing (or “stripping”) these first few bytes of a file, a file can entirely evade classification. For example – an executable (which use the file headers “MZ” or “PE”), when scanned by a security product and not handled or executed according to what it really is can just be classified as “data”.

UULoader’s “core” files are contained in a Microsoft Cabinet archive (.cab) file which contains two primary executables (an .exe and a .dll) which have had their file header stripped.

One of these stripped executables is (usually) an old but legitimate Realtek executable which functions as a “side-loader” for the .dll file, which has also had its header stripped.

Additionally, the .cab file also contains a more heavily obfuscated file (which is UULoader’s final contained payload and is saved to disk as “XamlHost.sys”) and two additional small files that contain the characters “M” and “Z” which are used to “fix” the above-mentioned stripped file headers when UULoader is executed.

Lastly, some UULoader samples contain a legitimate decoy file that is also executed in order to draw attention away from its malicious functionalities and distract the user. This usually corresponds to what the .msi file is pretending to be.

For example, if it tries to disguise itself as a “Chrome update”, the decoy will be an actual legitimate update for Chrome.

• UULoader deployment chain

Once executed, UULoader will create a folder named “Microsoft Thunder” in C:\Program Files (x86)\ using an .msi CustomAction, to which it will deploy the “re-headered” .exe and .dll from its contained .cab file and the still obfuscated final payload.

Alongside this, a .vbs script will be executed, which registers the created “Microsoft Thunder” folder as an exclusion for Windows Defender. It “re-headers” and renames the dropped files to their appropriate extension, executes the legitimate “side loader” which loads the UULoader .dll. This in turn loads the final payload (stored as “XamlHost.sys”, and still obfuscated), and lastly executes the decoy.

A noteworthy point about the .vbs script is the presence of various “junk” actions (primarily arithmetic calculations) which serve no purpose themselves but are intended to “inflate” the script and conceal its malicious features by “out weighting” them with legitimate appearing junk when scanned by security products.

UULoader’s final payloads appear to be mostly remote access tools such as Gh0stRat (which is known to be used by multiple threat actors, including of Chinese origin), and various hacking tools such as Mimikatz.

Summary

UULoader employs a fairly creative, multi-staged, approach to payload delivery. This proves effective at evading static detection, Evidence of this is its incredibly low first-seen detection rates on VirusTotal.

Although we cannot yet associate UULoader with a specific threat actor, it is likely to be a Chinese based actor.

About Cyberint

Cyberint, the Impactful Intelligence company, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Cyberint Argos platform’s patented technology provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web. A team of global military-grade cybersecurity experts work alongside customers to rapidly detect, investigate, and disrupt relevant threats – before they have the chance to develop into
major incidents. Global customers, including Fortune 500 leaders across all major market verticals, rely on Cyberint to protect themselves from an array of external risks, including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data leaks, fraud, and 3rd party risks.