Analysis Summary

The evolving threat landscape of malware loaders is exemplified by the latest iteration of Hijack Loader, also known as IDAT Loader, which has been observed implementing advanced anti-analysis techniques to evade detection and improve stealth.

According to researchers, recent enhancements to Hijack Loader include capabilities to bypass Windows Defender Antivirus circumvent User Account Control (UAC), evade inline API hooking used by security software, and employ process hollowing. Notably, this loader now employs a novel method of decrypting and parsing PNG images to load subsequent payloads, a technique previously associated with campaigns targeting Ukrainian entities in Finland.

This loader consists of a multi-stage process, with the initial stage responsible for extracting and executing the second-stage payload from an embedded or separately downloaded PNG image based on the malware's configuration. The second stage's primary role is to inject the main instrumentation module while employing additional anti-analysis techniques to enhance stealth.

Recent variants of Hijack Loader detected by researchers in March and April 2024 incorporate up to seven new modules aimed at creating new processes, bypassing UAC, and implementing Windows Defender Antivirus exclusions using PowerShell commands. Furthermore, the malware utilizes the Heaven's Gate technique to bypass user-mode hooks, a method previously disclosed by CrowdStrike.

Hijack Loader has predominantly delivered the Amadey malware family leveraging embedded or downloaded PNG images for second-stage loading. This development occurs against a backdrop of varied malware campaigns distributing different loader families such as DarkGate, FakeBat (EugenLoader), and GuLoader through malvertising and phishing attacks.