Researchers reverse engineer the latest evasion methods

08 February 2024 | Pressroom | Endpoint security / malware

HijackLoader

The threat actors behind a malware loader called HijackLoader have added new defense evasion techniques, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tools.

“The malware developer used a standard process hollowing technique coupled with an additional trigger that was fired by the parent process writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in an analysis on Wednesday. “This new approach has the potential to make defense evasion more stealthy.”

HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as being used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It is also known to share a high degree of similarity with another loader known as the IDAT Loader.

Both loaders are believed to be operated by the same cybercrime group. In the following months, HijackLoader was propagated via ClearFake and used by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.


“Think of loaders as wolves in sheep’s clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools,” said Liviu Arsene, director of threat research and reporting at CrowdStrike, in a statement shared with The Hacker News.

“This recent variant of HijackLoader (aka IDAT Loader) steps up its stealth game by adding and experimenting with new techniques. This is similar to improving its disguise, making it stealthier, more complex and more difficult to analyze. In essence, they are perfecting their digital camouflage.”

The starting point of the multi-stage attack chain is an executable (“streaming_client.exe”) that checks for an active Internet connection and proceeds to download a second-stage configuration from a remote server.

The executable then loads a legitimate dynamic link library (DLL) specified in the configuration to trigger the shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques, which increase both the complexity of analysis and the loader's defense evasion capabilities.

“The second-stage, position-independent shellcode of HijackLoader then performs some evasion tasks to bypass user-mode hooks using Heaven’s Gate and inserts subsequent shellcode into cmd.exe,” the researchers said.

“Third-stage shellcode injection is performed via a variation of process hollowing that results in a hollowed mshtml.dll injected into the newly spawned cmd.exe child process.”
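The chain described above ends with a freshly spawned cmd.exe child whose hollowed mshtml.dll carries the third-stage shellcode. From a detection standpoint, a plain cmd.exe has no reason to load mshtml.dll, so the parent/child pair plus that image load is a usable hunting signal. The following is an added example (not CrowdStrike's code and not taken from the analysis) that correlates constructed Sysmon-style ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) records; the field names, the sample PIDs and paths, and the module watch-list are all assumptions made for this illustration.

```python
"""Flag cmd.exe processes that load modules they should never need.

Added example for this page; not CrowdStrike's tooling. The event layout
below is a simplified stand-in for Sysmon Event ID 1 (ProcessCreate) and
Event ID 7 (ImageLoad); real telemetry has many more fields.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry). PID 4212 mirrors the
# chain on this page: streaming_client.exe spawns cmd.exe, which then
# loads mshtml.dll. PID 5000 is a benign cmd.exe for contrast.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 900,
     "image": r"C:\Users\victim\Downloads\streaming_client.exe"},
    {"id": 1, "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 7, "pid": 4212,
     "image_loaded": r"C:\Windows\System32\mshtml.dll"},
    {"id": 1, "pid": 5000, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 7, "pid": 5000,
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
]

# Assumed watch-list: modules a command interpreter should never load.
# mshtml.dll comes from the page; extend this from your own baseline.
UNEXPECTED_IN_CMD = {"mshtml.dll"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowed_cmd(events):
    """Return one finding per cmd.exe that loaded a watch-listed module.

    Each finding records the PID, the parent image (to preserve the
    spawn chain for triage) and the offending modules.
    """
    procs = {}                 # pid -> ProcessCreate record
    loads = defaultdict(set)   # pid -> set of loaded module names
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
        elif e["id"] == 7:
            loads[e["pid"]].add(basename(e["image_loaded"]))

    findings = []
    for pid, proc in procs.items():
        if basename(proc["image"]) != "cmd.exe":
            continue
        suspicious = loads[pid] & UNEXPECTED_IN_CMD
        if not suspicious:
            continue
        parent = procs.get(proc["ppid"])
        findings.append({
            "pid": pid,
            "parent": basename(parent["image"]) if parent else "unknown",
            "modules": sorted(suspicious),
        })
    return findings


if __name__ == "__main__":
    for hit in find_hollowed_cmd(SAMPLE_EVENTS):
        print(f"cmd.exe pid={hit['pid']} spawned by {hit['parent']} "
              f"loaded {', '.join(hit['modules'])}")
```

The parent image is kept in the finding because the page's chain (a downloaded executable spawning cmd.exe) is as telling as the module itself. One caveat: hollowing that maps a module manually rather than through the loader may not emit an ImageLoad event at all, so this rule complements, rather than replaces, memory-based checks for unbacked or modified executable regions.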

Heaven’s Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code in 32-bit processes in Windows, effectively bypassing user mode hooks.


One of the main evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called “transacted hollowing,” previously observed in malware such as the Osiris banking Trojan.

“Loaders are meant to act as stealth launch pads to allow adversaries to introduce and execute more sophisticated malware and tools without burning their resources in the early stages,” Arsene said.

“Investing in new defense evasion capabilities for HijackLoader (also known as IDAT Loader) is potentially an attempt to make it more stealthy and fly below the radar of traditional security solutions. The new techniques signal a deliberate and experimental evolution of existing defense evasion capabilities, while also increasing the complexity of analysis for threat researchers.”
