On 6 May 2024, Zscaler researchers reported that the prevalent HijackLoader (also known as IDAT Loader) has been updated with new detection and analysis evasion techniques.
Context and Technical Details
According to Zscaler researchers, “HijackLoader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing.
In addition, HijackLoader’s delivery method involves the use of a PNG image, which is decrypted and parsed to load the next stage of the attack.”
Key takeaways from the report include:
- “HijackLoader is a modular malware loader that is used to deliver second stage payloads including Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT.
- HijackLoader decrypts and parses a PNG image to load the next stage.
- HijackLoader now contains the following new modules: modCreateProcess, modCreateProcess64, WDDATA, modUAC, modUAC64, modWriteFile, and modWriteFile64.
- HijackLoader has additional features like dynamic API resolution, blocklist process checking, and user mode hook evasion using Heaven’s Gate.
- ThreatLabz researchers created a Python script to decrypt and decompress the second stage and extract all HijackLoader modules.”
Community Impact
According to Zscaler researchers, during March and April 2024, “HijackLoader has emerged as a significant threat, delivering multiple malware families such as Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT.” Amadey and Remcos RAT are among the top malware reported by the RH-ISAC member community, as will be shown in the upcoming RH-ISAC Community Insights for the Verizon 2024 Data Breach Investigation Report. Additionally, Lumma Stealer and Racoon Stealer v2 are reported regularly by the community, but not at a prevalence that qualifies them as top threats.
The RH-ISAC intelligence team assesses with a high degree of confidence that HijackLoader presents a moderate threat to organizations in the retail, hospitality, and travel communities because its role in facilitating the delivery of prominent malware seen by the community. As such, organizations are advised to review the analysis script, indicators of compromise (IOCs), and MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs).
Analysis
Zscaler researchers provided a python script for decrypting and decompressing “HijackLoader’s second stage, providing access to all of the modules”
IOCs
Zscaler researchers provided the following IOCs:
Host Indicators
Type | Indicator(s) | Description |
SHA256 | 7a8db5d75ca30164236d2474a4719046a7814a4411cf703ffb702bf6319939d7 d95e82392d720911f7eb5d8856b8ccd2427e51645975cdf8081560c2f6967ffb’ fcadcee5388fa2e6d4061c7621bf268cb3d156cb879314fa2f518d15f5fa2aa2 f37b158b3b3c6ef9f6fe08d0056915fc7e5a220d1dabb6a2b62364ae54dca0f1 e0a4f1c878f20e70143b358ddaa28242bac56be709b5702f3ad656341c54fb76 cf42af2bdcec387df84ba7f8467bbcdad9719df2c524b6c9b7fffa55cfdc8844 c215c0838b1f8081a11ff3050d12fcfe67f14442ed2e18398f0c26c47931df44 9b15cb2782f953090caf76efe974c4ef8a5f28df3dbb3eff135d44306d80c29c 56fd2541a36680249ec670d07a5682d2ef5a343d1feccbcf2c3da86bd546af85 1fbf01b3cb97fda61a065891f03dca7ed9187a4c1d0e8c5f24ef0001884a54da | HijackLoader malware which uses an embedded PNG |
Network Indicators
Type | Indicator | Description |
URL | hxxp://discussiowardder[.]website/api | LummaStealer C2 |
TTPS
Zscaler researchers provided the following TTPs:
ID | Technique Name |
TA0002 | Execution |
T1547.001 | Boot or Logon Autostart Execution Registry Run Keys / Startup Folder |
T1548.001 | Abuse Elevation Control Mechanism |
T1027.007 | Dynamic API Resolution |
T1140 | Deobfuscate/Decode Files or Information |
T1055 | Process Injection |
T1620 | Reflective Code Loading |
T1562.001 | Impair Defenses: Disable or Modify Tools |
T1057 | Process Discovery |
