These hackers are spreading ransomware as a distraction – to hide their cyber spying


A group of likely state-backed cyber attackers has adopted a new loader to spread five different kinds of ransomware, in a bid to hide its true espionage activities.

On Thursday, cybersecurity researchers from Secureworks published new research on HUI Loader, a malicious tool that criminals have used widely since 2015.

Loaders are small, malicious packages designed to stay undetected on a compromised machine. While often lacking much functionality as independent malware, they have one crucial task: to load and execute additional malicious payloads.


HUI Loader is a custom DLL loader that is launched by legitimate software vulnerable to DLL search order hijacking: the legitimate program loads the malicious DLL in place of the library it expects. Once executed, the loader decrypts a file containing the main malware payload and runs it.
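As an added example (not from the Secureworks report or this article), the following Python sketches a defender's check for the DLL search order hijacking that HUI Loader relies on: given image-load records of the kind an EDR or Sysmon (event ID 7) feed provides, it flags well-known system DLL names loaded from the host program's own directory instead of the Windows system directory. The DLL watch-list and the sample records are constructed assumptions.

```python
import ntpath
from typing import Dict, List

# Windows DLLs normally resolved from the system directory. A copy of one of
# these sitting beside an executable is a classic sideloading indicator.
# Constructed watch-list (assumption); extend it from your own telemetry.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll",
               "userenv.dll", "dwmapi.dll", "msvcrt.dll"}

# Directories from which these DLLs are legitimately loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed image-load records: 'process' is the host executable,
# 'module' is a DLL it loaded (as a Sysmon event 7 would report them).
SAMPLE_MODULES: List[Dict[str, str]] = [
    {"process": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Windows\System32\version.dll"},            # legitimate
    {"process": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\version.dll"},  # hijack
    {"process": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Program Files\Vendor\vendorlib.dll"},      # vendor's own
]


def flag_sideloaded_modules(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records where a system DLL name was loaded from the
    process's own directory rather than a Windows system directory."""
    hits = []
    for rec in records:
        module_path = rec["module"].lower()
        # ntpath handles backslash paths on any host OS
        if ntpath.basename(module_path) not in SYSTEM_DLLS:
            continue
        module_dir = ntpath.dirname(module_path)
        if module_dir in SYSTEM_DIRS:
            continue  # resolved from the expected location
        if module_dir == ntpath.dirname(rec["process"].lower()):
            hits.append(rec)  # search order hijack / sideload candidate
    return hits


if __name__ == "__main__":
    for hit in flag_sideloaded_modules(SAMPLE_MODULES):
        print(f"suspicious load: {hit['process']} -> {hit['module']}")
```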

In the past, HUI Loader was used in campaigns by groups including APT10/Bronze Riverside – connected to the Chinese Ministry of State Security (MSS) – and Blue Termite. The groups have deployed remote access trojans (RATs) including SodaMaster, PlugX, and QuasarRAT in previous campaigns.

Now, it appears that the loader has been adapted to spread ransomware.
