Rewterz Threat Alert – HijackLoader 2.0: Deciphering Advanced Evasion Techniques – Active IOCs

Severity

High

Analysis Summary

The malware known as HijackLoader, utilized by cybercrime groups to deliver various payloads and tooling, has recently incorporated new defense evasion techniques. Employing a standard process hollowing technique along with a novel trigger activated by the parent process writing to a pipe, this updated approach enhances the malware’s ability to evade detection, potentially making its actions stealthier.

Initially documented by researchers in September 2023, HijackLoader has been observed delivering DanaBot, SystemBC, and RedLine Stealer. It shares similarities with another loader called IDAT Loader, both believed to be operated by the same cybercrime group. Recently, HijackLoader has been utilized via ClearFake by TA544 to distribute Remcos RAT and SystemBC through phishing campaigns.

The malware acts as a conduit for more sophisticated threats, operating as a wolf in sheep’s clothing. Liviu Arsene from CrowdStrike likens it to refining digital camouflage, making it stealthier and more complex to analyze. The attack chain typically begins with an executable checking for an internet connection and downloading a second-stage configuration. Subsequently, it loads a legitimate DLL specified in the configuration to execute shellcode responsible for launching the HijackLoader payload using process doppelgänging and process hollowing techniques, complicating analysis and defense evasion.

Further complicating detection, HijackLoader employs techniques like Heaven’s Gate, allowing 64-bit code to run in 32-bit processes, effectively bypassing user-mode hooks. It also utilizes a process injection mechanism called transacted hollowing, previously seen in malware like the Osiris banking trojan. These techniques aim to make the malware more elusive to traditional security solutions, signaling an intentional evolution of defense evasion capabilities.

Researchers emphasizes that loaders like HijackLoader serve as stealth launch platforms for adversaries, allowing them to introduce sophisticated malware without alerting security measures. The investment in new defense evasion capabilities indicates a deliberate effort to evade detection and increase the complexity of analysis for threat researchers.

In summary, the incorporation of advanced defense evasion techniques in HijackLoader highlights the ongoing arms race between cybercriminals and cybersecurity professionals, underscoring the need for continual vigilance and adaptive security measures to mitigate evolving threats.

Impact

• Cyber Espionage
• Exposure to Sensitive Data
• Financial Loss

Indicators of Compromise

MD5

• 9120525f9a007e2487301070745af67e

SHA-256

• 6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748

SHA-1

• 2df57c96326d983e2d9f0ab21fad9be9bb2fe4ea

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.