A Modular Malware Loader, HijackLoader, Gaining Prominence in the World of Cybercrime



“HijackLoader, a recently emerged malware loader, is rapidly gaining popularity within the cybercriminal community for distributing a range of payloads, which include DanaBot, SystemBC, and RedLine Stealer.”

More about HijackLoader

In July 2023, our company first detected HijackLoader, a modular malware loader that employs multiple evasion techniques.

These techniques include using syscalls to evade detection by security solutions, checking running processes against an internal block list of security software, and deliberately delaying code execution by up to 40 seconds at several stages.

Regrettably, the precise initial access vector used to breach targets remains undisclosed. The loader incorporates a main monitoring module and gains flexibility in how code is loaded and executed through its integrated modules.

“HijackLoader is a modular loader with evasion techniques, offering multiple ways to load malicious payloads,” Pantazopoulos explained. “Additionally, it lacks advanced features and has low-quality code.”

The disclosure coincides with Flashpoint’s release of details on an enhanced version of the RisePro malware, which was formerly distributed through a pay-per-install (PPI) malware download service called PrivateLoader.

Written in C++, RisePro is crafted to gather sensitive data from compromised systems and transmit it to a command-and-control (C&C) server as log files. It was initially made available for purchase in December 2022.

Additionally, a new Node.js-based information stealer, delivered through malicious ads on Facebook and fake websites mimicking ByteDance’s CapCut video editor, has been uncovered.

This marks the second instance of counterfeit CapCut websites being used as a conduit for malware distribution. In May 2023, Cyble detected two distinct attack chains that used the software as bait to trick unsuspecting users into executing Offx Stealer and RedLine Stealer.

“The Python-based malware employs Pyinstaller for packing, enabling the consolidation of all malicious code and its prerequisites into a single executable,” as stated by Cyfirma. “This information-stealing malware primarily targets Windows Defender, disabling it, altering its configurations, and establishing its own threat response protocols.”

“It further strives to minimize its detectability while securing a persistent presence on the compromised system. The malware demonstrates adeptness in data theft and exfiltration, effectively eluding security tools and dynamic analysis sandboxes.”

Indicators of Compromise (IOCs)


About the Author:

FirstHackersNews - Identifies Security
