The HijackLoader malware has incorporated additional defense evasion tactics. Increasingly, other threat actors are leveraging this malware for delivering payloads and tooling. The developer employed a standard process hollowing technique alongside a trigger to enhance the stealthiness of defense evasion.
WHAT IS HIJACKLOADER?
HijackLoader is a type of malware known for its ability to evade detection by security measures and its capability to deliver malicious payloads and tools. It often employs techniques like process hollowing to execute its malicious activities stealthily.
Initially observed in July 2023, HijackLoader employs various techniques to evade detection. Despite not being highly advanced, it boasts a modular architecture, allowing it to utilize different modules for code injection and execution—an uncommon feature among loaders.
The loader retrieves an encrypted configuration block, which differs from one sample to another, indicating that threat actors can swiftly change or update it. This adaptability renders it a formidable adversary, posing challenges in developing effective countermeasures.
HIJACKLOADER ENHANCED DETECTION EVASION TECHNIQUES
HijackLoader employs a sophisticated infection chain, employing multi-stage behavior to obscure its activities. Initially, the malware leverages WinHTTP APIs to verify an active internet connection before proceeding with its malicious operations. Upon establishing connectivity, it downloads a second-stage configuration blob from a remote address, initiating decryption and decompression processes to retrieve critical payloads.
Subsequent stages involve loading legitimate Windows DLLs specified in the configuration blob, followed by the execution of position-independent shellcode.
The shellcode orchestrates a range of evasion activities, including injecting subsequent payloads into child processes like cmd.exe and logagent.exe. HijackLoader employs advanced hook bypass methods, such as Heaven’s Gate, to evade user mode hooks and security monitoring. Additionally, it utilizes process hollowing, injecting malicious shellcode into legitimate processes to achieve persistence.
The malware employs interactive and transacted hollowing techniques to enhance stealthiness. These new defense evasion capabilities for HijackLoader may render it more resilient and sophisticated to detect compared to traditional security solutions.
SAFETY RECOMMENDATIONS
To safeguard against HijackLoader and other malware, we advise implementing the following cybersecurity measures:
- Stay Informed: Educate yourself about the latest malware threats, as they continuously evolve to deceive users into divulging sensitive information or downloading malicious files. It’s crucial to inform users about these threats and stress the importance of avoiding opening suspicious attachments or clicking on dubious links in cybersecurity.
- Update Software Regularly: Ensure your operating system, applications, and software are regularly updated to their latest versions. Malware often exploits known vulnerabilities that have been patched in newer versions.
- Use Anti-Malware Software: Employ reputable anti-malware software and keep it updated. These programs can detect and remove known malware strains, including variants of HijackLoader, providing an additional layer of protection against threats.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment