UULoader primarily evades static detection by stripping the file headers from its core components. These headers are the initial bytes of a file and identify its type to applications and the operating system.
By removing these identifiers, UULoader’s executables, stored within a .cab archive, become unrecognizable to static analysis tools. This hinders classification and detection and allows the malware to pass as harmless data, escaping scrutiny until execution.
It employs a layered obfuscation technique by packaging a stripped, legitimate Realtek executable as a side-loader for another stripped DLL.
A heavily obfuscated payload, destined for “XamlHost.sys,” resides in the .cab file alongside two tiny files containing the “M” and “Z” characters. These are used to repair the stripped headers of the aforementioned executable and DLL during UULoader’s execution, so the components are restored only at runtime.
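The header-stripping described above is something a triage script can be written to catch, because a PE file carries a second, harder-to-remove landmark: the `e_lfanew` field at offset 0x3C points at the `PE\0\0` signature. The following is an added example, not code from the article or from Cyberint, that classifies files as intact, header-stripped (magic overwritten in place or the two leading bytes removed) or unknown, and restores the header for analysis tooling. The minimal PE image it checks against is constructed inline; the two stripping variants are assumptions about how such a sample may look, not a description of any specific UULoader file.

```python
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def build_minimal_pe() -> bytes:
    """Construct a minimal, non-runnable PE image for the demo (constructed sample data):
    a DOS header whose e_lfanew points at a PE signature followed by a COFF header."""
    e_lfanew = 0x80
    dos_header = bytearray(0x40)
    dos_header[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    image = dos_header + b"\0" * (e_lfanew - 0x40)
    # COFF header: Machine=AMD64, 1 section, no symbols, optional header size 0xF0, characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    image += PE_SIGNATURE + coff
    return bytes(image)


def _pe_signature_at(data: bytes, shift: int) -> bool:
    """Read e_lfanew from offset 0x3C+shift and check that PE\\0\\0 sits where it points.
    shift=0 models a magic that was overwritten in place; shift=-2 models bytes removed."""
    off = 0x3C + shift
    if off < 0 or off + 4 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off)[0]
    pos = e_lfanew + shift
    if not (0x40 <= e_lfanew <= 0x1000) or pos < 0 or pos + 4 > len(data):
        return False
    return data[pos:pos + 4] == PE_SIGNATURE


def classify(data: bytes) -> str:
    """Return 'pe', 'pe-header-overwritten', 'pe-header-removed' or 'unknown'."""
    if data[:2] == MZ_MAGIC and _pe_signature_at(data, 0):
        return "pe"
    if _pe_signature_at(data, 0):
        return "pe-header-overwritten"
    if _pe_signature_at(data, -2):
        return "pe-header-removed"
    return "unknown"


def repair_header(data: bytes) -> bytes:
    """Analyst-side restoration so standard PE tooling can parse a stripped component."""
    kind = classify(data)
    if kind == "pe-header-overwritten":
        return MZ_MAGIC + data[2:]
    if kind == "pe-header-removed":
        return MZ_MAGIC + data
    return data


def triage(files: dict) -> dict:
    """Classify a set of extracted archive members (name -> bytes). Files of one or two
    bytes are reported as 'fragment', the pattern the article describes for the 'M'/'Z' files."""
    report = {}
    for name, data in files.items():
        report[name] = "fragment" if len(data) <= 2 else classify(data)
    return report


if __name__ == "__main__":
    pe = build_minimal_pe()
    sample_cab = {  # constructed stand-in for extracted .cab contents
        "loader.bin": pe[2:],
        "helper.bin": b"\0\0" + pe[2:],
        "m.txt": b"M",
        "z.txt": b"Z",
        "readme.txt": b"hello world",
    }
    for name, kind in triage(sample_cab).items():
        print(f"{name:12s} {kind}")
```

Anything reported as `pe-header-*` alongside one- or two-byte fragments in the same archive is worth a closer look; `repair_header` gives an analyst a parseable copy without touching the original evidence.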
Certain UULoader samples employ a deception tactic by including a legitimate decoy file alongside the malicious components; the decoy often mirrors the .msi file’s purported function and aims to divert the user’s attention from the harmful activity.
For instance, a package posing as a “Chrome update” might include an authentic Chrome updater as cover. Meanwhile, UULoader leverages an .msi CustomAction to create a “Microsoft Thunder” directory in C:\Program Files (x86)\.
Subsequently, it extracts and renames files from an embedded .cab, including a re-headered executable and DLL, and deploys an obfuscated final payload.
Concurrently, a .vbs script executes, excluding the newly created directory from Windows Defender protection.
The script further processes extracted files and launches a legitimate “side loader” to invoke the UULoader DLL, which in turn loads the obfuscated payload and initiates a decoy application.
The .vbs script employs obfuscation techniques by incorporating irrelevant arithmetic calculations to obscure malicious code within a seemingly legitimate script.
To further evade detection, the script excludes itself from Defender scans. It ultimately deploys and executes UULoader, a tool designed to deliver payloads like Gh0stRat and Mimikatz, indicating a potential threat of remote access and credential theft from actors possibly of Chinese origin.
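The Defender exclusion step in the chain above leaves a trace that a defender can alert on: Windows Defender logs configuration changes, including new exclusion paths, to its Operational event log as event 5007. The following is an added example, not code from the article or from Cyberint, that extracts exclusion changes from such lines and flags those outside an approved baseline, with an extra reason when a script file is excluding itself. The log lines are constructed for the demo; the exact rendering of the event text and the `PLACEHOLDER_installer.vbs` file name are assumptions, while the “Microsoft Thunder” directory under C:\Program Files (x86)\ comes from the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the shape of Microsoft-Windows-Windows Defender/Operational
# event 5007 ("Windows Defender Antivirus Configuration has changed"). The field rendering
# is an assumption; the script file name is a placeholder.
SAMPLE_EVENTS = [
    r"EventID=5007 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Microsoft Thunder = 0x0",
    r"EventID=5007 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Microsoft Thunder\PLACEHOLDER_installer.vbs = 0x0",
    r"EventID=5007 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Builds\agent = 0x0",
    r"EventID=5007 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0",
    r"EventID=1116 Windows Defender Antivirus has detected malware or other potentially unwanted software.",
]

# Only event 5007 lines that add an exclusion value are of interest here.
EXCLUSION_RE = re.compile(
    r"EventID=5007 .*?Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x[0-9A-Fa-f]+\s*$"
)

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}


def extract_exclusions(lines):
    """Return (kind, value) pairs for every exclusion added in the given log lines."""
    found = []
    for line in lines:
        m = EXCLUSION_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def flag_exclusions(exclusions, allowlist):
    """Return (kind, value, reasons) for exclusions not present in the approved baseline.
    Comparison is case-insensitive because Windows paths are."""
    allowed = {p.lower() for p in allowlist}
    findings = []
    for kind, value in exclusions:
        if value.lower() in allowed:
            continue
        reasons = ["exclusion not in approved baseline"]
        if kind == "Paths":
            path = PureWindowsPath(value)
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                reasons.append("script file excluded from scanning")
            if len(path.parts) > 1 and path.parts[1].lower().startswith("program files"):
                reasons.append("path under Program Files excluded")
        findings.append((kind, value, reasons))
    return findings


if __name__ == "__main__":
    baseline = [r"C:\Builds\agent"]  # constructed approved exclusion
    for kind, value, reasons in flag_exclusions(extract_exclusions(SAMPLE_EVENTS), baseline):
        print(f"[{kind}] {value}: {'; '.join(reasons)}")
```

In practice the baseline would be the set of exclusions your endpoint management actually pushes, so that any 5007 exclusion event not matching it, particularly one naming a freshly created directory or a script file, becomes an alert rather than noise.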
UULoader utilizes a complex, multi-phase payload delivery mechanism that effectively circumvents static detection tools, as evidenced by its exceptionally low initial detection rates on VirusTotal.
According to Cyberint, although it has not been determined who exactly is responsible for UULoader, the characteristics of the malware point to a possible origin in China.