Malware UULoader: evading detection with the .msi installer format

IT researchers have discovered the malware UULoader, which evades detection by virus scanners by using the .msi installer format.

Viruses camouflage themselves with hats and sunglasses

(Image: created with AI in Bing Designer by heise online / dmk)


Criminal actors try to hide malware from detection. IT researchers from Cyberint have discovered malware called UULoader that attempts to evade detection by virus scanners or VirusTotal by posing as a .msi installer.

According to Cyberint's analysis, this malware appeared more frequently in Asia, specifically in China and Korea, in July. The numerous samples detected in the wild were disguised as regular applications or update installers in .msi installer format, a format that is often used to evade detection, the IT researchers explain.

Further analysis revealed that the malware was developed by a Chinese-speaking person and went undetected by most IT security providers during the initial investigation. The malware analysts named the malware UULoader. As a first effective measure against detection, the programmers removed the file headers, specifically the first, often descriptive bytes of a file (the so-called magic bytes), such as "%PDF-" in PDF files. Executable files usually carry "MZ" or "PE" there; according to Cyberint, removing them often merely results in the file being classified as plain data by malware scanners.

The UULoader core files contain a .cab archive holding executable files as .exe and .dll, which have been stripped of their magic bytes. One of the executable files is an old but legitimate Realtek file that serves as the loading vehicle for the .dll library. In addition, the .cab file contains another heavily obfuscated file, the final malware, which is stored on the system as XamlHost.sys. Two small additional files contain the characters M and Z, which are used to repair the "cleaned" executable files when UULoader runs. Some UULoader variants contain a further decoy file that is executed to distract from the malicious functions. This file usually matches, in terms of functionality, the name given by the .msi installer. One sample, for example, appeared to be a Chrome update and did in fact contain an update for the browser to keep up the disguise.
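The stripped-header trick described above can be caught with a small heuristic: a file that is not a valid PE, but becomes one as soon as an "MZ" magic is put back, deserves a closer look than a generic "data" verdict. The following is an added example for illustration and is not code from Cyberint or from the UULoader analysis; the sample image it checks is constructed inline (a DOS header, the DOS stub string and a PE signature, not a runnable program), and because the article does not say whether the magic bytes were cut off or overwritten, both repairs are tried.

```python
"""Heuristic for PE files whose "MZ" magic has been removed (example, not the vendor's code)."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def _is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Return 'pe' for an intact executable, 'stripped-pe' when only the magic is
    missing but the rest of the header still lines up, and 'data' otherwise."""
    if _is_pe(data):
        return "pe"
    # Assumption: the magic was either cut off (prepend "MZ") or overwritten
    # (patch the first two bytes). Either repair must yield a valid PE layout.
    for candidate in (b"MZ" + data, b"MZ" + data[2:]):
        if _is_pe(candidate):
            return "stripped-pe"
    # Weaker signal: the DOS stub text survives even if the offsets were damaged.
    if DOS_STUB in data[:0x200]:
        return "stripped-pe"
    return "data"


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like image: 64-byte DOS header, 64-byte DOS stub,
    PE signature at offset 0x80. Enough header to exercise the checks, nothing more."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40 bytes
    struct.pack_into("<I", header, 0x3C, 0x80)     # e_lfanew -> PE signature
    stub = (DOS_STUB + b".").ljust(0x40, b"\0")    # pad to offset 0x80
    return bytes(header + stub + b"PE\0\0" + b"\0" * 20)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("intact     :", classify(sample))                  # pe
    print("cut off    :", classify(sample[2:]))              # stripped-pe
    print("overwritten:", classify(b"\0\0" + sample[2:]))    # stripped-pe
    print("pdf        :", classify(b"%PDF-1.7\n" + b"x" * 100))  # data
```

In practice the check would run over every file extracted from a suspicious .cab or .msi, so that stripped executables are escalated rather than filed away as unknown data.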

There are many ways in which malware writers try to evade detection by virus scanners. Sometimes the antivirus programs even help unintentionally. In February, for example, it became known that detection by Microsoft's Defender could be fooled with a simple comma.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.