The risk actors behind a loader malware known as HijackLoader have added new methods for protection evasion, because the malware continues to be more and more utilized by different risk actors to ship extra payloads and tooling.
“The malware developer used a normal course of hollowing approach coupled with an extra set off that was activated by the father or mother course of writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli mentioned in a Wednesday evaluation. “This new strategy has the potential to make protection evasion stealthier.”
HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to ship DanaBot, SystemBC, and RedLine Stealer. It is also identified to share a excessive diploma of similarity with one other loader often known as IDAT Loader.
Each the loaders are assessed to be operated by the identical cybercrime group. Within the intervening months, HijackLoader has been propagated by way of ClearFake and put to make use of by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to ship Remcos RAT and SystemBC by way of phishing messages.
“Consider loaders like wolves in sheep’s clothes. Their objective is to sneak in, introduce and execute extra refined threats and instruments,” Liviu Arsene, director of risk analysis and reporting at CrowdStrike, mentioned in a press release shared with The Hacker Information.
“This current variant of HijackLoader (aka IDAT Loader) steps up its sneaking sport by including and experimenting with new methods. That is just like enhancing its disguise, making it stealthier, extra advanced, and tougher to research. In essence, they’re refining their digital camouflage.”
The place to begin of the multi-stage assault chain is an executable (“streaming_client.exe”) that checks for an energetic web connection and proceeds to obtain a second-stage configuration from a distant server.
The executable then masses a reputable dynamic-link library (DLL) specified within the configuration to activate shellcode answerable for launching the HijackLoader payload by way of a mix of course of doppelgänging and course of hollowing methods that will increase the complexity of study and the protection evasion capabilities.
“The HijackLoader second-stage, position-independent shellcode then performs some evasion actions to bypass person mode hooks utilizing Heaven’s Gate and injects subsequent shellcode into cmd.exe,” the researchers mentioned.
“The injection of the third-stage shellcode is completed by way of a variation of course of hollowing that ends in an injected hollowed mshtml.dll into the newly spawned cmd.exe baby course of.”
Heaven’s Gate refers to a stealthy trick that permits malicious software program to evade endpoint safety merchandise by invoking 64-bit code in 32-bit processes in Home windows, successfully bypassing user-mode hooks.
One of many key evasion methods noticed in HijackLoader assault sequences is the usage of a course of injection mechanism known as transacted hollowing, which has been beforehand noticed in malware such because the Osiris banking trojan.
“Loaders are supposed to act as stealth launch platforms for adversaries to introduce and execute extra refined malware and instruments with out burning their belongings within the preliminary levels,” Arsene mentioned.
“Investing in new protection evasion capabilities for HijackLoader (aka IDAT Loader) is doubtlessly an try and make it stealthier and fly under the radar of conventional safety options. The brand new methods sign each a deliberate and experimental evolution of the present protection evasion capabilities whereas additionally rising the complexity of study for risk researchers.”