The risk actors behind a loader malware referred to as HijackLoader have added new strategies for protection evasion, because the malware continues to be more and more utilized by different risk actors to ship further payloads and tooling.
“The malware developer used a typical course of hollowing method coupled with an extra set off that was activated by the mother or father course of writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli stated in a Wednesday evaluation. “This new method has the potential to make protection evasion stealthier.”
HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to ship DanaBot, SystemBC, and RedLine Stealer. It is also recognized to share a excessive diploma of similarity with one other loader referred to as IDAT Loader.
Each the loaders are assessed to be operated by the identical cybercrime group. Within the intervening months, HijackLoader has been propagated through ClearFake and put to make use of by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to ship Remcos RAT and SystemBC through phishing messages.
“Consider loaders like wolves in sheep’s clothes. Their goal is to sneak in, introduce and execute extra subtle threats and instruments,” Liviu Arsene, director of risk analysis and reporting at CrowdStrike, stated in an announcement shared with The Hacker Information.
“This current variant of HijackLoader (aka IDAT Loader) steps up its sneaking recreation by including and experimenting with new strategies. That is just like enhancing its disguise, making it stealthier, extra advanced, and harder to research. In essence, they’re refining their digital camouflage.”
The start line of the multi-stage assault chain is an executable (“streaming_client.exe”) that checks for an lively web connection and proceeds to obtain a second-stage configuration from a distant server.
The executable then hundreds a respectable dynamic-link library (DLL) specified within the configuration to activate shellcode answerable for launching the HijackLoader payload through a mix of course of doppelgänging and course of hollowing strategies that will increase the complexity of research and the protection evasion capabilities.
“The HijackLoader second-stage, position-independent shellcode then performs some evasion actions to bypass person mode hooks utilizing Heaven’s Gate and injects subsequent shellcode into cmd.exe,” the researchers stated.
“The injection of the third-stage shellcode is completed through a variation of course of hollowing that ends in an injected hollowed mshtml.dll into the newly spawned cmd.exe baby course of.”
Heaven’s Gate refers to a stealthy trick that enables malicious software program to evade endpoint safety merchandise by invoking 64-bit code in 32-bit processes in Home windows, successfully bypassing user-mode hooks.
One of many key evasion strategies noticed in HijackLoader assault sequences is using a course of injection mechanism referred to as transacted hollowing, which has been beforehand noticed in malware such because the Osiris banking trojan.
“Loaders are supposed to act as stealth launch platforms for adversaries to introduce and execute extra subtle malware and instruments with out burning their property within the preliminary phases,” Arsene stated.
“Investing in new protection evasion capabilities for HijackLoader (aka IDAT Loader) is probably an try to make it stealthier and fly under the radar of conventional safety options. The brand new strategies sign each a deliberate and experimental evolution of the prevailing protection evasion capabilities whereas additionally growing the complexity of research for risk researchers.”