Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

May 08, 2024 Newsroom Encryption / Info Stealer

A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar.

“These enhancements aim to increase the malware’s stealthiness, thereby remaining undetected for longer periods of time,” Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report.

“Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing.”

Hijack Loader, also called IDAT Loader, is a malware loader that was first documented by the cybersecurity firm in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families.


These include Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys.

What makes the latest version notable is the fact that it decrypts and parses a PNG image to load the next-stage payload, a technique that was first detailed by Morphisec in connection with a campaign targeting Ukrainian entities based in Finland.

The loader, per Zscaler, comes fitted with a first stage that is responsible for extracting and launching the second stage from a PNG image that is either embedded into it or downloaded separately, depending on the malware’s configuration.

“The main purpose of the second stage is to inject the main instrumentation module,” Irfan explained. “To increase stealthiness, the second stage of the loader employs more anti-analysis techniques using multiple modules.”


Hijack Loader artifacts detected in the wild in March and April 2024 also incorporate as many as seven new modules to help create new processes, perform UAC bypass, and add a Windows Defender Antivirus exclusion via a PowerShell command.
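The Defender-exclusion module is one of the more visible things the loader does on a host, because both PowerShell script-block logging (Event ID 4104) and Defender’s own configuration-change event (Event ID 5007) record it. The Python below is an added example, not Zscaler’s or the loader’s code: it correlates the two log sources to surface newly added exclusions. The sample records, host names and dictionary layout are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample records (not real telemetry). Event ID 4104 is the PowerShell
# script-block log; Event ID 5007 is Defender's "configuration has changed" event,
# whose "New value:" line names the registry value written under ...\Exclusions\.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01",
     "message": "Creating Scriptblock text (1 of 1):\n"
                "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\upd' -Force"},
    {"id": 5007, "host": "ws01",
     "message": "Microsoft Defender Antivirus Configuration has changed.\n"
                "Old value: \n"
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
                "\\Paths\\C:\\Users\\Public\\upd = 0x0"},
    {"id": 4104, "host": "ws02", "message": "Get-MpPreference | Select-Object ExclusionPath"},
    {"id": 5007, "host": "ws02",
     "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Scan\\ScanParameters = 0x2"},
]

# Add-MpPreference with any exclusion parameter; the value may be quoted or bare.
ADD_MP = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(['\"]?)([^'\"\r\n]+?)\2(?=\s|$)", re.IGNORECASE | re.DOTALL)
# Defender 5007 reporting a new value under the Exclusions registry tree.
EXCL_KEY = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0", re.IGNORECASE)
REG_KIND = {"paths": "Path", "processes": "Process", "extensions": "Extension"}

def normalize(value):  # exclusion values are case-insensitive; drop trailing separator
    return value.strip().rstrip("\\").lower()

def find_exclusion_additions(events):
    """Return one finding per (host, kind, value), listing which log sources saw it."""
    findings = {}
    for ev in events:
        hits = []
        if ev["id"] == 4104:
            hits = [(m.group(1).title(), m.group(3), "powershell_4104")
                    for m in ADD_MP.finditer(ev["message"])]
        elif ev["id"] == 5007:
            hits = [(REG_KIND[m.group(1).lower()], m.group(2), "defender_5007")
                    for m in EXCL_KEY.finditer(ev["message"])]
        for kind, value, source in hits:
            key = (ev["host"], kind, normalize(value))
            f = findings.setdefault(key, {"host": ev["host"], "kind": kind,
                                          "value": key[2], "sources": set()})
            f["sources"].add(source)  # seen by both sources = strongest signal
    return list(findings.values())
```

A finding reported by only one source still warrants review; script-block logging can be disabled, and a 5007 event alone shows the exclusion landed regardless of how it was set.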

Adding to the malware’s stealth is its use of the Heaven’s Gate technique to bypass user mode hooks, as previously disclosed by CrowdStrike in February 2024.

“Amadey has been the most commonly delivered family by HijackLoader,” Irfan said. “The loading of the second stage involves the use of an embedded PNG image or PNG image downloaded from the web. Additionally, new modules have been integrated into HijackLoader, enhancing its capabilities and making it even more robust.”


The development comes amid malware campaigns distributing different malware loader families like DarkGate, FakeBat (aka EugenLoader), and GuLoader via malvertising and phishing attacks.

It also follows the emergence of an information stealer called TesseractStealer that is distributed by ViperSoftX and uses the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.

“The malware focuses on specific data related to credentials and cryptocurrency wallet information,” Broadcom-owned Symantec said. “Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the Quasar RAT malware family.”
