HijackLoader Updated with New Evasion Techniques

Researchers reported that the prevalent HijackLoader (also known as IDAT Loader) has been updated with new detection and analysis evasion techniques.

On 6 May 2024, Zscaler researchers reported that the prevalent HijackLoader (also known as IDAT Loader) has been updated with new detection and analysis evasion techniques.

Context and Technical Details

According to Zscaler researchers, “HijackLoader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing.

In addition, HijackLoader’s delivery method involves the use of a PNG image, which is decrypted and parsed to load the next stage of the attack.”
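As an added triage example (not from the Zscaler report or this RH-ISAC post), the following Python check walks a PNG's chunks and flags the structural signs of a file carrying something other than image data: bad chunk CRCs, bytes appended after the IEND chunk, or IDAT bytes left over after the zlib stream ends. It assumes nothing about HijackLoader's specific encoding; the sample PNG it builds is constructed for the test and is not a real sample.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_anomalies(data: bytes) -> list[str]:
    """Walk a PNG's chunks and list structural anomalies: bad signature or CRCs,
    bytes after IEND, IDAT data that is not exactly one complete zlib stream."""
    findings: list[str] = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG signature"]
    pos, idat, saw_iend = len(PNG_SIG), b"", False
    while pos + 8 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4:  # file ends before this chunk's body + CRC
            return findings + [f"truncated chunk {ctype!r} at offset {pos}"]
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            findings.append(f"bad CRC on chunk {ctype!r} at offset {pos}")
        if ctype == b"IDAT":
            idat += body  # image data may be split over several IDAT chunks
        saw_iend = ctype == b"IEND"
        pos += 12 + length
    if not saw_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    if not idat:
        return findings + ["no IDAT chunks"]
    inflater = zlib.decompressobj()  # zlib.decompress() would silently ignore trailing data
    try:
        inflater.decompress(idat)
    except zlib.error:
        return findings + ["IDAT data does not inflate as zlib"]
    if not inflater.eof:
        findings.append("IDAT zlib stream is incomplete")
    elif inflater.unused_data:
        findings.append(f"{len(inflater.unused_data)} IDAT bytes after zlib stream end")
    return findings

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_png(idat_body: bytes, trailer: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input; not a real malware sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat_body) + _chunk(b"IEND", b"") + trailer
```

A clean image returns an empty list; a file with data hidden past the zlib stream or after IEND returns one finding per anomaly, which is enough to queue the file for closer inspection.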

Key takeaways from the report include:

  • “HijackLoader is a modular malware loader that is used to deliver second stage payloads including Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT.
  • HijackLoader decrypts and parses a PNG image to load the next stage.
  • HijackLoader now contains the following new modules: modCreateProcess, modCreateProcess64, WDDATA, modUAC, modUAC64, modWriteFile, and modWriteFile64.
  • HijackLoader has additional features like dynamic API resolution, blocklist process checking, and user mode hook evasion using Heaven’s Gate.
  • ThreatLabz researchers created a Python script to decrypt and decompress the second stage and extract all HijackLoader modules.”

Community Impact

According to Zscaler researchers, during March and April 2024, “HijackLoader has emerged as a significant threat, delivering multiple malware families such as Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT.” Amadey and Remcos RAT are among the top malware reported by the RH-ISAC member community, as will be shown in the upcoming RH-ISAC Community Insights for the Verizon 2024 Data Breach Investigation Report. Additionally, Lumma Stealer and Racoon Stealer v2 are reported regularly by the community, but not at a prevalence that qualifies them as top threats.

The RH-ISAC intelligence team assesses with a high degree of confidence that HijackLoader presents a moderate threat to organizations in the retail, hospitality, and travel communities because of its role in facilitating the delivery of prominent malware seen by the community. As such, organizations are advised to review the analysis script, indicators of compromise (IOCs), and MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs).

Analysis

Zscaler researchers provided a Python script for decrypting and decompressing “HijackLoader’s second stage, providing access to all of the modules.”

IOCs

Zscaler researchers provided the following IOCs:

Host Indicators

Type: SHA256
Indicator(s): file hashes, listed in full in the Zscaler report
Description: HijackLoader malware which uses an embedded PNG to load the next stage.

Network Indicators

Type: URL
Indicator: hxxp://discussiowardder[.]website/api
Description: LummaStealer C2

TTPs

Zscaler researchers provided the following TTPs:

ID | Technique Name
TA0002 | Execution
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1548.001 | Abuse Elevation Control Mechanism
T1027.007 | Dynamic API Resolution
T1140 | Deobfuscate/Decode Files or Information
T1055 | Process Injection
T1620 | Reflective Code Loading
T1562.001 | Impair Defenses: Disable or Modify Tools
T1057 | Process Discovery
