430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New HijackLoader malware is rapidly growing in popularity in the cybercrime community

Zscaler ThreatLabz detailed a new malware loader, named HijackLoader, which has grown in popularity over the past few months HijackLoader is a loader that is gaining popularity among the cybercriminal community. The malware is not sophisticated, however, unlike other loaders, it has a modular structure that allows supporting code injection and execution. The HijackLoader is […]

Info-Stealing attacks

Zscaler ThreatLabz detailed a new malware loader, named HijackLoader, which has grown in popularity over the past few months

HijackLoader is a loader that is gaining popularity among the cybercriminal community. The malware is not sophisticated, however, unlike other loaders, it has a modular structure that allows supporting code injection and execution. The HijackLoader is being used to load different malware families such as Danabot, SystemBC and RedLine Stealer.

The loader was first observed by the security firm July 2023, the researchers noticed that the threat employs a number of evasion techniques such as the use of syscalls.

“HijackLoader utilizes syscalls to evade monitoring from security solutions, detects specific processes based on an embedded blocklist, and delays code execution at different stages.” reads the report published by Zscaler. “The malware uses embedded modules that facilitate flexible code injection and execution – a feature uncommon among traditional loaders.”

The experts have yet to determine the initial access vector, upon execution, HijackLoader executes a modified (hooked) function of the Windows C Runtime (CRT), which points to the entry point of the first stage.

The loader determines if the final payload has been embedded in the binary or if it has to download it from an external server.

The malware maintains persistence by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job that points to the executable file.

The Anti-Analysis features implemented in the first stage include the following set of evasion techniques:

  • Dynamic loading of Windows API functions by leveraging a custom API hashing technique.
  • Performing an HTTP connectivity test to a legitimate website (e.g. mozilla.org). If a connection cannot be made, then HijackLoader does not proceed with the execution and enters an infinite loop until a connection is made.
  • Delaying of code execution at different stages.
  • The first stager checks for the presence of a set of running processes. Depending on which ones are present, it executes different functionality. In Table 1, we summarize the corresponding functionality for each process.

Zscaler concludes that despite the poor quality of the code, the increasing popularity of HijackLoader can bring future improvements and further usage from more threat actors.

“In summary, HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads. Moreover, it does not have any advanced features and the quality of the code is poor.” concludes the report. “However, considering the increasing popularity of HijackLoader, we expect code improvements and further usage from more threat actors, especially to fill the void left by Emotet and Qakbot.”

Zscaler also published Indicators of Compromise (IOCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)