Researchers decipher the latest evasion methods


The threat actors behind a loader malware called HijackLoader have added new defense evasion techniques as the malware is increasingly used by other threat actors to deliver additional payloads and tools.

“The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in an analysis on Wednesday. “This new approach has the potential to make defense evasion stealthier.”

HijackLoader was first documented by Zscaler ThreatLabz in September 2023 and used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It is also known to have a high degree of similarity with another loader known as IDAT Loader.

Both loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been distributed via ClearFake and deployed by TA544 (aka Narwhal Spider, Gold Essex and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.

“Think of loaders as wolves in sheep’s clothing. Their goal is to sneak in, introduce and execute more sophisticated threats and tools,” said Liviu Arsene, director of threat research and reporting at CrowdStrike, in a statement shared with The Hacker News.

“This recent variant of HijackLoader (also known as IDAT Loader) steps up its stealth game by adding and experimenting with new techniques. This is akin to improving the disguise, making it stealthier, more complex and more difficult to analyze. Essentially, they are ‘refining their digital camouflage.’”

The starting point of the multi-stage attack chain is an executable (“streaming_client.exe”) that checks for an active Internet connection and then downloads a second-stage configuration from a remote server.

The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques, which increases the complexity of analysis and the malware's defense evasion capabilities.

“The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user-mode hooks using Heaven’s gate and injects the subsequent shellcode into cmd.exe,” the researchers said.

“The injection of the third-stage shellcode is achieved via a variation of process hollowing that results in an injected hollowed mshtml.dll in the newly spawned child process cmd.exe.”
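The behaviour described in the quotes above (a parent process that writes to a pipe as the trigger, then spawns cmd.exe and injects into it) is the kind of chain a detection engineer would try to surface from endpoint telemetry. The following is an added example, not CrowdStrike's or Zscaler's code, that correlates constructed Sysmon-style events: it flags a parent that creates a named pipe, spawns cmd.exe within a short window, and whose child then connects to that same pipe. The event IDs follow real Sysmon conventions (1 = Process Create, 17 = Pipe Created, 18 = Pipe Connected); the timestamps, PIDs, image paths and pipe name are constructed. Sysmon records pipe creation and connection rather than writes, so this approximates the pipe-write trigger the researchers describe.

```python
"""Correlate constructed Sysmon-style events to flag a parent process that
creates a named pipe, spawns cmd.exe shortly afterwards, and whose child
then connects to the same pipe.

Added example with constructed telemetry; not the loader's code and not a
vendor detection rule.  Event IDs follow Sysmon: 1 = Process Create,
17 = Pipe Created, 18 = Pipe Connected.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamps, PIDs and the pipe name are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-02-07T10:00:00", "id": 1, "pid": 4100, "ppid": 1200,
     "image": r"C:\Users\user\Downloads\streaming_client.exe"},
    {"ts": "2024-02-07T10:00:03", "id": 17, "pid": 4100,
     "pipe": r"\constructed_pipe_name"},
    {"ts": "2024-02-07T10:00:04", "id": 1, "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-02-07T10:00:05", "id": 18, "pid": 4188,
     "pipe": r"\constructed_pipe_name"},
    # Benign noise: a different parent spawning cmd.exe with no pipe activity.
    {"ts": "2024-02-07T10:05:00", "id": 1, "pid": 5000, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Maximum gap between the parent's pipe creation and the cmd.exe spawn.
WINDOW = timedelta(seconds=30)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_pipe_spawn_chains(events, window=WINDOW):
    """Return a list of (parent_pid, child_pid, pipe) tuples.

    A tuple is emitted when parent_pid created `pipe` (ID 17), then spawned
    cmd.exe as child_pid (ID 1) within `window`, and child_pid later
    connected to the same pipe (ID 18).
    """
    events = sorted(events, key=_ts)
    created = defaultdict(list)   # pid -> [(time, pipe name)]
    connected = defaultdict(set)  # pid -> {pipe name}
    for e in events:
        if e["id"] == 17:
            created[e["pid"]].append((_ts(e), e["pipe"]))
        elif e["id"] == 18:
            connected[e["pid"]].add(e["pipe"])

    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        spawn_time = _ts(e)
        for create_time, pipe in created.get(e["ppid"], []):
            delta = (spawn_time - create_time).total_seconds()
            if 0 <= delta <= window.total_seconds() \
                    and pipe in connected.get(e["pid"], set()):
                hits.append((e["ppid"], e["pid"], pipe))
    return hits


if __name__ == "__main__":
    for parent, child, pipe in find_pipe_spawn_chains(SAMPLE_EVENTS):
        print(f"parent {parent} created {pipe}, spawned cmd.exe {child}, "
              f"which connected to the same pipe")
```

Pipe creation followed by a cmd.exe child is common in legitimate software, so on real telemetry this rule is a triage signal rather than a verdict; the parent's signer and path (an unsigned binary in a user's Downloads folder, as in the sample) and the child's loaded-module list are what an analyst would check next.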

Heaven’s Gate refers to a covert trick that allows malware to evade endpoint security products by invoking 64-bit code from within 32-bit processes on Windows, effectively bypassing user-mode hooks placed in the 32-bit API layer.

One of the main evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has previously been observed in malware such as the Osiris banking trojan.

“Loaders are intended as stealth launch pads for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the early stages,” Arsene said.

“Investing in new defense evasion capabilities for HijackLoader (also known as IDAT Loader) is potentially an attempt to make it stealthier and fly under the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of existing defense evasion capabilities, while also increasing the complexity of analysis for threat researchers.”
