New modular malware loader HijackLoader is making waves in the world of cybercrime


A new malware loader called HijackLoader is gaining traction among cybercriminals for delivering payloads such as DanaBot, SystemBC, and RedLine Stealer.
“Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution because it uses a modular architecture, a feature that most loaders do not have,” said Nikolaos Pantazopoulos, a researcher at Zscaler ThreatLabz.
First observed by the company in July 2023, the malware uses a number of techniques to stay under the radar. These include using syscalls to evade monitoring by security solutions, checking running processes against a built-in blocklist of security software, and delaying code execution for up to 40 seconds at different stages.
The exact initial access vector used to infiltrate targets is currently unknown. Beyond its anti-analysis features, the loader incorporates a main instrumentation module that facilitates flexible code injection and execution using embedded modules.
Persistence on the compromised host is achieved by creating a shortcut (LNK) file in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job.
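A hunting check for the persistence pattern just described, as an added example that is not code from the original article or from Zscaler's report: it parses the StringData section of Windows shortcut files following the public MS-SHLLINK layout and flags any Startup .lnk whose target or command line references BITS tooling. The two sample shortcuts, the BITS_MARKERS heuristic, and the job name in the sample are constructed assumptions for the demo, not indicators from the report.

```python
"""Parse Windows .lnk (Shell Link) files and flag shortcuts that hand off to BITS.

Added example for this article; not code from Zscaler or any malware sample.
Field layout follows the public MS-SHLLINK specification. The two shortcuts
built below are constructed for the demo and are not HijackLoader artifacts.
"""
import os
import struct
import sys

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
# Assumption: a Startup shortcut whose target or arguments mention BITS tooling is
# worth a look. These are hunting heuristics, not indicators from the report.
BITS_MARKERS = ("bitsadmin", "bitstransfer")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                   # ShellLinkHeader is fixed at 76 bytes
    if flags & HAS_TARGET_IDLIST:                # LinkTargetIDList: u16 size + that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, key in STRING_FIELDS:               # StringData entries appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, not byte count
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def is_bits_launcher(fields: dict) -> bool:
    """Heuristic: does the shortcut's target or command line reference BITS tooling?"""
    blob = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return any(marker in blob for marker in BITS_MARKERS)


def scan_lnks(lnks: dict) -> list:
    """Given {filename: bytes}, return the names of shortcuts that look like BITS launchers."""
    return sorted(name for name, blob in lnks.items() if is_bits_launcher(parse_lnk(blob)))


def build_lnk(relative_path: str, working_dir: str = None, arguments: str = None) -> bytes:
    """Build a minimal valid .lnk (Unicode StringData only) for the constructed samples."""
    parts = [(HAS_RELPATH, relative_path), (HAS_WORKDIR, working_dir), (HAS_ARGS, arguments)]
    flags = IS_UNICODE | sum(bit for bit, val in parts if val is not None)
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(val)) + val.encode("utf-16-le")
                    for _, val in parts if val is not None)
    return header + body


# Constructed samples: one shortcut that resumes a BITS job, one that opens a document.
SUSPICIOUS_LNK = build_lnk(r"..\..\..\..\Windows\System32\bitsadmin.exe",
                           r"C:\Windows\System32", "/resume StartupJob")
BENIGN_LNK = build_lnk(r"..\..\..\..\Users\alice\Documents\notes.txt")


def startup_folders() -> list:
    """Per-user and all-users Startup folders on a Windows host (empty list elsewhere)."""
    if os.name != "nt":
        return []
    return [os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
            os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp")]


if __name__ == "__main__":
    # Scan paths given on the command line, else the live Startup folders, else the samples.
    paths = sys.argv[1:] or [os.path.join(d, f) for d in startup_folders() if os.path.isdir(d)
                             for f in os.listdir(d) if f.lower().endswith(".lnk")]
    lnks = ({p: open(p, "rb").read() for p in paths} if paths
            else {"sample1.lnk": SUSPICIOUS_LNK, "sample2.lnk": BENIGN_LNK})
    flagged = scan_lnks(lnks)
    for name, blob in lnks.items():
        print(name, parse_lnk(blob), "<-- BITS launcher" if name in flagged else "")
```

Run it with no arguments on a Windows host to walk both Startup folders, or pass .lnk paths explicitly; off Windows it falls back to the two constructed samples. Pair the output with a listing of BITS jobs (for example `Get-BitsTransfer -AllUsers` in an elevated PowerShell) to see which job a flagged shortcut resumes.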
“HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads,” Pantazopoulos said. “Also, it doesn’t have any advanced features and the code quality is poor.”

The disclosure comes as Flashpoint shared details of an updated version of an information stealer known as RisePro, which was previously distributed through a pay-per-install (PPI) malware downloader service called PrivateLoader.
“The seller claimed in its advertisements that it took the best aspects of ‘RedLine’ and ‘Vidar’ and made it into a powerful stealer,” Flashpoint noted. “And this time, the seller is also promising a new benefit to RisePro users: customers host their own panels to ensure logs are not stolen by sellers.”
RisePro, written in C++, is designed to collect sensitive information from infected machines and exfiltrate it to a command and control (C&C) server in the form of logs. It was first offered for sale in December 2022.
This also follows the discovery of a new information stealer written in Node.js, embedded in an executable and distributed via large language model (LLM)-themed Facebook ads and fake websites posing as ByteDance’s CapCut video editor.
“When the stealer is executed, it performs its main function, which steals cookies and credentials from multiple Chromium-based web browsers and then exfiltrates the data to the C&C server and to a Telegram bot,” security researcher Jaromir Horejsi said.
“It also subscribes the client to the C&C server running GraphQL. When the C&C server sends a message to the client, the steal function will run again.” Targeted browsers include Google Chrome, Microsoft Edge, Opera (and OperaGX), and Brave.
This is the second time fake CapCut websites have been observed spreading stealer malware. In May 2023, Cyble discovered two different attack chains that used the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.
The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and carry out post-exploitation actions.
So it’s no surprise that bad actors are jumping on the bandwagon to create new strains of stealer malware, such as Prysmax, that incorporate a Swiss Army knife of features to help their clients maximize their reach and impact.
“The Python-based malware is packaged using PyInstaller, which can be used to package malicious code and all its dependencies into a single executable,” Cyfirma said. “The information-stealing malware focuses on disabling Windows Defender, manipulating its settings, and configuring its own threat response.”
“It also attempts to reduce its traceability and maintain a foothold on the compromised system. The malware appears to be well designed for data theft and exfiltration, while evading detection by security tools as well as dynamic analysis sandboxes.”