New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World
11.9.23 Virus The Hacker News
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
"Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.
First observed by the company in July 2023, the malware employs a number of techniques to fly under the radar. This involves using syscalls to evade monitoring from security solutions, monitoring processes associated with security software based on an embedded blocklist, and putting off code execution by as much as 40 seconds at different stages.
The exact initial access vector used to infiltrate targets is currently not known. The anti-analysis aspects notwithstanding, the loader packs in a main instrumentation module that facilitates flexible code injection and execution using embedded modules.
Persistence on the compromised host is achieved by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job.
"HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads," Pantazopoulos said. "Moreover, it does not have any advanced features and the quality of the code is poor."
The disclosure comes as Flashpoint disclosed details of an updated version of an information-stealing malware known as RisePro that was previously distributed via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.
"The seller claimed in their ads that they have taken the best aspects of 'RedLine' and 'Vidar' to make a powerful stealer," Flashpoint noted. "And this time, the seller also promises a new advantage for users of RisePro: customers host their own panels to ensure logs are not stolen by the sellers."
RisePro, written in C++, is designed to harvest sensitive information on infected machines and exfiltrate it to a command-and-control (C&C) server in the form of logs. It was first offered for sale in December 2022.
It also follows the discovery of a new information stealer written in Node.js that's packaged into an executable and distributed via malicious Large Language Model (LLM)-themed Facebook ads and bogus websites impersonating ByteDance's CapCut video editor.
"When the stealer is executed, it runs its main function that steals cookies and credentials from several Chromium-based web browsers, then exfiltrates the data to the C&C server and to the Telegram bot," security researcher Jaromir Horejsi said.
"It also subscribes the client to the C&C server running GraphQL. When the C&C server sends a message to the client, the stealing function will run again." Targeted browsers include Google Chrome, Microsoft Edge, Opera (and OperaGX), and Brave.
This is the second time fake CapCut websites have been observed delivering stealer malware. In May 2023, Cyble uncovered two different attack chains that leveraged the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.
The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and conduct post-exploitation actions.
It's therefore not surprising that threat actors are jumping on the bandwagon to spawn new stealer malware strains such as Prysmax that incorporate a Swiss Army knife of functionalities that enable their customers to maximize their reach and impact.
"The Python-based malware is packed using Pyinstaller, which can be used to bundle the malicious code and all its dependencies into a single executable," Cyfirma said. "The information stealing malware is focused on disabling Windows Defender, manipulating its settings, and configuring its own response to threats."
"It also attempts to reduce its traceability and maintain a foothold on the compromised system. The malware appears to be well-designed for data theft and exfiltration, while evading detection by security tools as well as dynamic analysis sandboxes."