The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.
"The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe," CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. "This new approach has the potential to make defense evasion stealthier."
HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It is also known to share a high degree of similarity with another loader known as IDAT Loader.
Both loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to use by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.
"Think of loaders like wolves in sheep's clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools," Liviu Arsene, director of threat research and reporting at CrowdStrike, said in a statement shared with The Hacker News.
"This recent variant of HijackLoader (aka IDAT Loader) steps up its sneaking game by adding and experimenting with new techniques. This is akin to enhancing its disguise, making it stealthier, more complex, and harder to analyze. In essence, they're refining their digital camouflage."
The starting point of the multi-stage attack chain is an executable ("streaming_client.exe") that checks for an active internet connection and proceeds to download a second-stage configuration from a remote server.
The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques, which increases both the complexity of analysis and the defense evasion capabilities.
"The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user mode hooks using Heaven's Gate and injects subsequent shellcode into cmd.exe," the researchers said.
"The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process."
Heaven's Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code from a 32-bit (WoW64) process on Windows. Because security products commonly place their user-mode hooks in the 32-bit copy of ntdll.dll, code that switches to 64-bit mode and issues system calls through the native 64-bit ntdll.dll sidesteps those hooks entirely.
One of the key evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has previously been observed in malware such as the Osiris banking trojan.
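The chain described above leaves a recognizable footprint in endpoint telemetry even when the injected code itself is never scanned: the dropper spawns cmd.exe, opens that child with memory-write and thread-control access, and the child then ends up with mshtml.dll mapped, a library a stock cmd.exe never needs. The following is an added example of correlating those three signals into one alert; it is not CrowdStrike's detection logic or any code from the HijackLoader report. It uses Sysmon's real field names for Event ID 1 (ProcessCreate), 7 (ImageLoaded) and 10 (ProcessAccess), but the sample events, the `{P1}`/`{C1}` GUIDs, the access-mask threshold and the `UNEXPECTED_IN_CMD` deny-list are constructed assumptions for illustration. Whether a hollowed image produces an ImageLoaded event depends on how it was mapped, so treat the DLL check as one corroborating signal rather than a guarantee.

```python
"""Correlate Sysmon-style events into a 'hollowed cmd.exe child' finding.

Added example, not CrowdStrike's or the malware's code. Field names follow
Sysmon Event IDs 1, 7 and 10; the events below are constructed, not real logs.
"""
from collections import defaultdict

# Windows PROCESS_* access rights as they appear in Sysmon's GrantedAccess mask.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# DLLs a stock cmd.exe has no reason to map (assumed deny-list; tune per estate).
UNEXPECTED_IN_CMD = {"mshtml.dll"}


def is_injection_access(granted: int) -> bool:
    """True when a handle can both write the target's memory and run/resume a thread,
    the minimum a hollowing or injection loop needs."""
    writes = granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION)
    runs = granted & (PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME)
    return bool(writes) and bool(runs)


def detect_hollowed_children(events):
    """Return one finding per cmd.exe that (a) was opened by its own parent with
    injection-capable access and (b) later mapped a DLL from UNEXPECTED_IN_CMD."""
    procs = {}                       # ProcessGuid -> ProcessCreate record
    accessed_by = defaultdict(set)   # TargetProcessGUID -> {SourceProcessGUID}
    loaded = defaultdict(set)        # ProcessGuid -> {lower-case DLL basenames}

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            procs[ev["ProcessGuid"]] = ev
        elif eid == 10 and is_injection_access(int(ev["GrantedAccess"], 16)):
            accessed_by[ev["TargetProcessGUID"]].add(ev["SourceProcessGUID"])
        elif eid == 7:
            name = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
            loaded[ev["ProcessGuid"]].add(name)

    findings = []
    for guid, rec in procs.items():
        if not rec["Image"].lower().endswith("\\cmd.exe"):
            continue
        # The parent itself must have opened the child with write + thread rights.
        if rec["ParentProcessGuid"] not in accessed_by[guid]:
            continue
        odd = loaded[guid] & UNEXPECTED_IN_CMD
        if odd:
            findings.append({
                "child_guid": guid,
                "parent_image": rec["ParentImage"],
                "unexpected_dlls": sorted(odd),
            })
    return findings


# Constructed sample telemetry: one suspicious chain ({P1} -> {C1}) and one benign cmd.exe.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "Image": "C:\\Users\\u\\Downloads\\streaming_client.exe",
     "ParentProcessGuid": "{E1}", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{C1}", "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "ParentProcessGuid": "{P1}", "ParentImage": "C:\\Users\\u\\Downloads\\streaming_client.exe"},
    {"EventID": 10, "SourceProcessGUID": "{P1}", "TargetProcessGUID": "{C1}", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 7, "ProcessGuid": "{C1}", "ImageLoaded": "C:\\Windows\\SysWOW64\\mshtml.dll"},
    # Benign: explorer launches cmd.exe, nobody opens it for writing, ordinary DLLs load.
    {"EventID": 1, "ProcessGuid": "{C2}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessGuid": "{E1}", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{C2}", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for finding in detect_hollowed_children(SAMPLE_EVENTS):
        print(finding)
```

Requiring all three signals on the same ProcessGuid keeps the rule quiet on developer machines where cmd.exe is spawned constantly; the price is that a loader which uses a different host process or maps its payload without a recorded image load will not trip it, so in production this belongs alongside memory-scan based hollowing detection rather than replacing it.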
"Loaders are meant to act as stealth launch platforms for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the initial stages," Arsene said.
"Investing in new defense evasion capabilities for HijackLoader (aka IDAT Loader) is potentially an attempt to make it stealthier and fly below the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of the existing defense evasion capabilities while also increasing the complexity of analysis for threat researchers."