The threat actors behind a loader malware known as HijackLoader have added new techniques for defense evasion, as the malware is increasingly used by other threat actors to deliver additional payloads and tooling.
“The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. “This new approach has the potential to make defense evasion stealthier.”
HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It is also known to share a high degree of similarity with another loader called IDAT Loader.
Both loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to use by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.
“Think of loaders like wolves in sheep’s clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools,” Liviu Arsene, director of threat research and reporting at CrowdStrike, said in a statement shared with The Hacker News.
“This recent variant of HijackLoader (aka IDAT Loader) steps up its sneaking game by adding and experimenting with new techniques. This is similar to enhancing its disguise, making it stealthier, more complex, and more difficult to analyze. In essence, they’re refining their digital camouflage.”
The starting point of the multi-stage attack chain is an executable (“streaming_client.exe”) that checks for an active internet connection and then downloads a second-stage configuration from a remote server.
The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques, which increases both the complexity of analysis and the defense evasion capabilities.
“The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe,” the researchers said.
“The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.”
Heaven’s Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code from a 32-bit (WoW64) process on Windows, effectively bypassing user-mode hooks. Because security products typically place their hooks in the 32-bit copy of ntdll that a WoW64 process loads, code that switches to the 64-bit code segment and calls the native 64-bit system-call stubs directly never passes through those hooks.
One of the key evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has previously been observed in malware such as the Osiris banking trojan. Transacted hollowing combines the transacted-file section of process doppelgänging with classic process hollowing: the payload is written to a file inside an NTFS transaction that is later rolled back, so it never persists on disk, and a section created from it is mapped over the hollowed target process.
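The chain described above leaves a simple behavioural signal a detection engineer can hunt for: cmd.exe, spawned by the loader, ends up with mshtml.dll mapped into it, which a command shell has no legitimate reason to load. The following is an added example written for this page, not code from the article or from CrowdStrike; it correlates Sysmon-style process-create (EventID 1) and image-load (EventID 7) records over constructed sample telemetry. The field names mirror Sysmon's but are an assumption, the PIDs and paths are invented, and only the `streaming_client.exe` name comes from the article.

```python
"""Hunt for mshtml.dll being mapped into processes that are not HTML hosts.

Added example for this page; not the article's or CrowdStrike's code.
The telemetry below is constructed to resemble Sysmon EventID 1 (process
create) and EventID 7 (image load) records. Field names are an assumption.
"""
import json

# Hosts that legitimately load mshtml.dll often enough to be ignored here.
# cmd.exe is deliberately absent: a shell has no reason to map the HTML engine.
EXPECTED_MSHTML_HOSTS = {"iexplore.exe", "explorer.exe", "mshta.exe"}

# Constructed sample telemetry as JSON lines. Only "streaming_client.exe"
# is taken from the article; PIDs, paths and ordering are invented.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4100,"Image":"C:\\Users\\u\\Downloads\\streaming_client.exe","ParentProcessId":1200,"ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":4188,"Image":"C:\\Windows\\SysWOW64\\cmd.exe","ParentProcessId":4100,"ParentImage":"C:\\Users\\u\\Downloads\\streaming_client.exe"}
{"EventID":7,"ProcessId":4188,"Image":"C:\\Windows\\SysWOW64\\cmd.exe","ImageLoaded":"C:\\Windows\\SysWOW64\\mshtml.dll"}
{"EventID":1,"ProcessId":5000,"Image":"C:\\Windows\\System32\\cmd.exe","ParentProcessId":1200,"ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":7,"ProcessId":5000,"Image":"C:\\Windows\\System32\\cmd.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll"}
{"EventID":7,"ProcessId":6100,"Image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ImageLoaded":"C:\\Windows\\System32\\mshtml.dll"}
"""


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unexpected_mshtml_hosts(events: list[dict]) -> list[dict]:
    """Return one finding per image-load of mshtml.dll into a non-HTML host.

    Process-create events are indexed first so each finding can name the
    parent that spawned the host; in the chain this page describes, that
    parent is the loader rather than an interactive shell or explorer.exe.
    """
    parent_of = {}  # pid -> parent image basename
    for ev in events:
        if ev.get("EventID") == 1:
            parent_of[ev["ProcessId"]] = basename(ev["ParentImage"])

    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host = basename(ev["Image"])
        if basename(ev["ImageLoaded"]) != "mshtml.dll" or host in EXPECTED_MSHTML_HOSTS:
            continue
        findings.append({
            "pid": ev["ProcessId"],
            "host": host,
            "parent": parent_of.get(ev["ProcessId"], "unknown"),
        })
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_mshtml_hosts(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']}: {hit['host']} loaded mshtml.dll, spawned by {hit['parent']}")
```

On the constructed input only PID 4188 is flagged: the cmd.exe spawned by `streaming_client.exe`. The second cmd.exe loads only kernel32.dll and iexplore.exe is an expected host, so neither fires. Treat this as a starting point rather than a complete rule: an image-load record depends on the DLL being mapped as an image (SEC_IMAGE), so a variant that copies the payload into the hollowed process without an image mapping would need a memory-scan or thread-start-address signal instead.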
“Loaders are meant to act as stealth launch platforms for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the initial stages,” Arsene said.
“Investing in new defense evasion capabilities for HijackLoader (aka IDAT Loader) is potentially an attempt to make it stealthier and fly below the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of the existing defense evasion capabilities while also increasing the complexity of analysis for threat researchers.”
Author: email@example.com (The Hacker News)
Date: 2024-02-08 05:28:00