A newer variant of the malware loader known as Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar.
“These enhancements aim to increase the malware’s stealthiness, thereby remaining undetected for longer periods of time,” Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report.
“Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing.”
Hijack Loader, also known as IDAT Loader, is a malware loader that was first documented by the cybersecurity company in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families.
This includes Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys.
What makes the latest version noteworthy is the fact that it decrypts and parses a PNG image to load the next-stage payload, a technique that was first detailed by Morphisec in connection with a campaign targeting Ukrainian entities based in Finland.
The loader, per Zscaler, comes fitted with a first stage, which is responsible for extracting and launching the second stage from a PNG image that is either embedded into it or downloaded separately, depending on the malware’s configuration.
“The main purpose of the second stage is to inject the main instrumentation module,” Irfan said. “To increase stealthiness, the second stage of the loader employs more anti-analysis techniques using multiple modules.”
Hijack Loader artifacts detected in the wild in March and April 2024 also incorporate as many as seven new modules to help create new processes, perform UAC bypass, and add a Windows Defender Antivirus exclusion via a PowerShell command.
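From the defender's side, the Defender-exclusion module leaves two traces worth hunting for: the PowerShell command itself (Add-MpPreference or Set-MpPreference with an -Exclusion* parameter, visible in script-block logging) and the resulting configuration-change event that Defender writes when an exclusion registry value is added. The following detection logic is an added example, not code from the Zscaler report or the malware; the log lines it runs over are constructed, and the field layout is a simplified assumption rather than any SIEM's exact schema.

```python
"""Flag Microsoft Defender exclusion changes in constructed log lines.

Two evidence sources are checked:
  * PowerShell script-block text containing Add-MpPreference / Set-MpPreference
    together with an -Exclusion* parameter
  * Defender configuration-change events whose changed registry value lives
    under ...\Windows Defender\Exclusions\
"""
import re

# Add-/Set-MpPreference followed (on the same line) by an -Exclusion* switch
_PS_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*?-Exclusion(Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)
# Registry path Defender reports when an exclusion entry is written
_REG_EXCLUSION = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(?P<value>[^=\r\n]+)",
    re.IGNORECASE,
)

def classify(line: str):
    """Return (source, detail) for a suspicious line, or None if it is benign."""
    m = _PS_EXCLUSION.search(line)
    if m:
        return ("powershell", m.group(0).strip())
    m = _REG_EXCLUSION.search(line)
    if m:
        return ("defender_config", m.group("value").strip())
    return None

def find_exclusion_changes(lines):
    """Return [(line_number, (source, detail)), ...] for every flagged line."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample lines (not real telemetry); lines 1 and 3 should be flagged.
# Reading the exclusion list (line 2) is not a change and must not fire.
SAMPLE_LOG = [
    'EventID=4104 ScriptBlockText="Add-MpPreference -ExclusionPath C:\\Users\\Public\\stage"',
    'EventID=4104 ScriptBlockText="Get-MpPreference | Select ExclusionPath"',
    'EventID=5007 Microsoft Defender Antivirus Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\stage = 0x0',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe',
]

if __name__ == "__main__":
    for lineno, (source, detail) in find_exclusion_changes(SAMPLE_LOG):
        print(f"line {lineno}: {source}: {detail}")
```

Correlating a hit from either source with the parent process that issued it (an unexpected loader binary rather than an administrator's console) is what separates this activity from legitimate exclusion management.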
Adding to the malware’s stealth is its use of the Heaven’s Gate technique to circumvent user mode hooks, as previously disclosed by CrowdStrike in February 2024.
“Amadey has been the most commonly delivered family by HijackLoader,” Irfan said. “The loading of the second stage involves the use of an embedded PNG image or a PNG image downloaded from the web. Furthermore, new modules have been integrated into HijackLoader, enhancing its capabilities and making it even more robust.”
The development comes amid malware campaigns distributing various malware loader families such as DarkGate, FakeBat (aka EugenLoader), and GuLoader via malvertising and phishing attacks.
It also follows the emergence of an information stealer called TesseractStealer that is distributed by ViperSoftX and uses the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.
“The malware focuses on specific data related to credentials and cryptocurrency wallet information,” Broadcom-owned Symantec said. “Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the Quasar RAT malware family.”
Some parts of this article are sourced from:
thehackernews.com