May 08, 2024 | Newsroom | Encryption / Information Stealer
A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar.
“These enhancements aim to increase the malware’s stealthiness, thereby remaining undetected for longer periods of time,” Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report.
“Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing.”
Hijack Loader, also called IDAT Loader, is a malware loader that was first documented by the cybersecurity company in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families.
These include Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys.
What makes the latest version notable is that it decrypts and parses a PNG image to load the next-stage payload, a technique first detailed by Morphisec in connection with a campaign targeting Ukrainian entities based in Finland.
The loader, per Zscaler, comes fitted with a first stage that is responsible for extracting and launching the second stage from a PNG image, which is either embedded in the loader or downloaded separately, depending on the malware's configuration.
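An image that carries a next-stage payload usually still has to look like a valid PNG to the tooling that fetches and stores it, so a defender's first triage step is structural: walk the chunks and look for the ways a payload is typically stashed. The parser below is an added example written for this article; it is not Zscaler's or Morphisec's code and does not reproduce Hijack Loader's decryption routine (which is not described here). It checks the PNG signature, each chunk's CRC, whether the concatenated IDAT data is a real zlib stream that inflates to the pixel size IHDR promises, whether large non-standard chunks are present, and whether bytes are appended after IEND. The sample images it builds are constructed in the block itself.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is vendor/private.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def triage_png(data: bytes) -> list:
    """Return findings that suggest the PNG is a payload container.
    An empty list means the file is structurally a plain image."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos, expected_raw, idat, end = len(PNG_SIGNATURE), None, [], None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            findings.append(f"truncated chunk {name} at offset {pos}")
            return findings
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {name} at offset {pos}")
        if name == "IHDR" and length == 13:
            w, h, depth, colour = struct.unpack(">IIBB", body[:10])
            bytes_per_line = 1 + (w * CHANNELS.get(colour, 1) * depth + 7) // 8
            expected_raw = h * bytes_per_line  # filter byte + pixels per scanline
        elif name == "IDAT":
            idat.append(body)
        elif name not in STANDARD_CHUNKS and length > 256:
            findings.append(f"non-standard chunk {name} carrying {length} bytes")
        pos += 12 + length
        if name == "IEND":
            end = pos
            break
    if end is None:
        findings.append("no IEND chunk")
    elif end < len(data):
        findings.append(f"{len(data) - end} bytes appended after IEND")
    try:
        raw = zlib.decompress(b"".join(idat))
        if expected_raw is not None and len(raw) != expected_raw:
            findings.append(f"decompressed IDAT is {len(raw)} bytes, image needs {expected_raw}")
    except zlib.error:
        findings.append("IDAT data is not a valid zlib stream")
    return findings


def build_sample_png(payload: bytes = b"") -> bytes:
    """Constructed 2x2 RGB image; `payload` is appended after IEND to mimic a
    loader that stores its next stage at the tail of an otherwise valid image."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    scanline = b"\x00" + bytes([255, 0, 0, 0, 255, 0])  # filter 0 + two RGB pixels
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanline * 2))
            + make_chunk(b"IEND", b"") + payload)


def build_stuffed_idat_png(blob: bytes) -> bytes:
    """Constructed image whose IDAT chunk holds arbitrary (non-zlib) bytes with a
    correct CRC, the shape of a payload hidden inside the pixel data chunks."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", blob) + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    for label, img in [("clean", build_sample_png()),
                       ("appended", build_sample_png(b"X" * 40)),
                       ("stuffed IDAT", build_stuffed_idat_png(bytes(range(256))))]:
        print(label, "->", triage_png(img) or ["no findings"])
```

The zlib check is the strongest of the heuristics: a real PNG's concatenated IDAT chunks must form one valid zlib stream that inflates to exactly the scanline bytes implied by IHDR, so encrypted data parked in IDAT, or a stream padded to hide extra bytes, fails the check even when every CRC has been recomputed.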
“The main purpose of the second stage is to inject the main instrumentation module,” Irfan explained. “To increase stealthiness, the second stage of the loader employs more anti-analysis techniques using multiple modules.”
Hijack Loader artifacts detected in the wild in March and April 2024 also incorporate as many as seven new modules to help create new processes, perform UAC bypass, and add a Windows Defender Antivirus exclusion via a PowerShell command.
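Because the Defender exclusion is added through a PowerShell command, PowerShell script block logging (Event ID 4104) is the natural place to catch it. The detection below is an added example written for this article, not Zscaler's code or signature: it scans constructed event records modelled on the ScriptBlockText field, matches the documented Defender cmdlets Add-MpPreference and Set-MpPreference when they set an exclusion, and grades the result by how much the exclusion hides (an entire drive, a user-writable directory, a process name). The event records and the severity heuristics are the author's own assumptions.

```python
import re

# Documented Windows Defender cmdlets that change preferences, followed by an
# exclusion parameter and its value (single-quoted, double-quoted or bare).
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>[^\s,;]+))",
    re.IGNORECASE | re.DOTALL,
)
# Locations an unprivileged process can write to; an exclusion covering one of
# them shields whatever gets dropped there later.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp|Windows\\Temp)\b",
    re.IGNORECASE,
)
WHOLE_DRIVE_RE = re.compile(r"^[A-Z]:\\?$", re.IGNORECASE)


def classify_exclusion(kind: str, value: str) -> str:
    """Severity heuristic (assumption): whole drive > user-writable path or
    process-name exclusion > anything else."""
    kind = kind.lower()
    if kind == "path" and WHOLE_DRIVE_RE.match(value):
        return "critical"
    if kind == "path" and USER_WRITABLE_RE.search(value):
        return "high"
    if kind == "process":
        return "high"
    return "medium"


def scan_script_blocks(events) -> list:
    """events: iterable of dicts with 'host', 'user', 'script' (ScriptBlockText).
    Returns one alert per event that registers a Defender exclusion."""
    alerts = []
    for ev in events:
        m = EXCLUSION_RE.search(ev["script"])
        if not m:
            continue
        value = m.group("sq") or m.group("dq") or m.group("bare")
        alerts.append({
            "host": ev["host"], "user": ev["user"],
            "kind": m.group("kind"), "value": value,
            "severity": classify_exclusion(m.group("kind"), value),
        })
    return alerts


# Constructed sample records, modelled on Event ID 4104 script block entries.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage'"},
    {"host": "SRV-DEPLOY", "user": "CORP\\svc-sccm",
     "script": "Add-MpPreference -ExclusionPath \"C:\\Program Files\\CorpApp\""},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "script": "Get-MpPreference | Select-Object ExclusionPath"},  # read-only, no alert
    {"host": "WS-0077", "user": "CORP\\admin-bk",
     "script": "Set-MpPreference -ExclusionPath C:\\"},
]

if __name__ == "__main__":
    for alert in scan_script_blocks(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: "
              f"Exclusion{alert['kind']} = {alert['value']}")
```

The read-only Get-MpPreference query produces no alert, and the deployment-service exclusion of a program directory is graded lower than the same cmdlet run by a workstation user against a temp directory; on a real estate the user and host fields would be joined against an allow-list of change-management accounts before paging anyone.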
Adding to the malware's stealth is its use of the Heaven's Gate technique to circumvent user-mode hooks, as previously disclosed by CrowdStrike in February 2024.
“Amadey has been the most commonly delivered family by HijackLoader,” Irfan said. “The loading of the second stage involves the use of an embedded PNG image or PNG image downloaded from the web. Additionally, new modules have been integrated into HijackLoader, enhancing its capabilities and making it even more robust.”
The development comes amid malware campaigns distributing other malware loader families, such as DarkGate, FakeBat (aka EugenLoader), and GuLoader, via malvertising and phishing attacks.
It also follows the emergence of an information stealer called TesseractStealer that’s distributed by ViperSoftX and utilizes the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.
“The malware focuses on specific data related to credentials and cryptocurrency wallet information,” Broadcom-owned Symantec said. “Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the Quasar RAT malware family.”