A newer version of a malware loader known as Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar.
“These enhancements aim to increase the malware's stealthiness, thereby remaining undetected for longer periods of time,” Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report.
“Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing.”
Hijack Loader, also called IDAT Loader, is a malware loader that was first documented by the cybersecurity company in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families.
This includes Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Racoon Stealer V2, Remcos RAT, and Rhadamanthys.
What makes the latest version notable is the fact that it decrypts and parses a PNG image to load the next-stage payload, a technique that was first detailed by Morphisec in connection with a campaign targeting Ukrainian entities based in Finland.
The loader, per Zscaler, comes fitted with a first stage, which is responsible for extracting and launching the second stage from a PNG image that is either embedded into it or downloaded separately based on the malware's configuration.
“The main purpose of the second stage is to inject the main instrumentation module,” Irfan explained. “To increase stealthiness, the second stage of the loader employs more anti-analysis techniques using multiple modules.”
Hijack Loader artifacts detected in the wild in March and April 2024 also incorporate as many as seven new modules to help create new processes, perform UAC bypass, and add a Windows Defender Antivirus exclusion via a PowerShell command.
Adding to the malware's stealth is its use of the Heaven's Gate technique to bypass user mode hooks, as previously disclosed by CrowdStrike in February 2024.
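The Defender-exclusion module described above leaves two host-side traces a defender can hunt for: the PowerShell script block that runs the `Add-MpPreference`/`Set-MpPreference` cmdlet (PowerShell Operational event 4104) and Defender's own configuration-change audit event (Defender Operational event 5007, which records the exclusion registry value that was set). The following detection logic is an added example, not code from the Zscaler report or the loader itself; the log lines it scans are constructed samples, and the field layout is a simplified rendering of those two event types.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from the report). Each line is
# "<event id> <message>", modelling two Windows event sources:
#   4104 = Microsoft-Windows-PowerShell/Operational script block logging
#   5007 = Microsoft-Windows-Windows Defender/Operational config-change audit
SAMPLE_LOGS = [
    "4104 ScriptBlockText: Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries'",
    "4104 ScriptBlockText: Get-ChildItem C:\\Windows\\Temp",
    "4104 ScriptBlockText: powershell -w hidden -c \"Set-MpPreference -ExclusionProcess explorer.exe\"",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Libraries = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2",
    "4104 ScriptBlockText: Set-MpPreference -DisableRealtimeMonitoring $true",
]

# Cmdlet invocations that add an exclusion or switch off real-time protection.
EXCLUSION_CMDLET = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*?-(Exclusion(?:Path|Process|Extension|IpAddress)"
    r"|DisableRealtimeMonitoring)\b",
    re.IGNORECASE,
)
# Defender's audit event names the registry value under Exclusions\<kind>\<target>.
EXCLUSION_REG = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(?P<target>[^=]+?)\s*=",
    re.IGNORECASE,
)

@dataclass
class Finding:
    event_id: str
    reason: str   # which cmdlet/parameter or which exclusion kind fired
    target: str   # the excluded path/process, or the raw script text for 4104

def scan_line(line: str):
    """Return a Finding if the line shows a Defender exclusion being added, else None."""
    event_id, _, body = line.partition(" ")
    if event_id == "4104":
        m = EXCLUSION_CMDLET.search(body)
        if m:
            return Finding("4104", f"{m.group(1)}-MpPreference -{m.group(2)}", body)
    elif event_id == "5007":
        m = EXCLUSION_REG.search(body)
        if m:
            return Finding("5007", f"Exclusions\\{m.group(1)} added", m.group("target").strip())
    return None

def scan_logs(lines):
    """Scan a batch of log lines; 5007 hits confirm the exclusion actually took effect."""
    return [f for f in (scan_line(l) for l in lines) if f]
```

Event 5007 also fires for legitimate administrative changes, so findings should be triaged by the parent process and user that made the change rather than alerted on blindly.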
“Amadey has been the most commonly delivered family by HijackLoader,” Irfan said. “The loading of the second stage involves the use of an embedded PNG image or a PNG image downloaded from the web. Additionally, new modules have been integrated into HijackLoader, enhancing its capabilities and making it even more robust.”
The development comes amid malware campaigns distributing different malware loader families like DarkGate, FakeBat (aka EugenLoader), and GuLoader via malvertising and phishing attacks.
It also follows the emergence of an information stealer called TesseractStealer that is distributed by ViperSoftX and uses the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.
“The malware focuses on specific data related to credentials and cryptocurrency wallet information,” Broadcom-owned Symantec said. “Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the Quasar RAT malware family.”