Threat Research

HijackLoader Expands Techniques to Improve Defense Evasion

Crowdstrike

CrowdStrike analyzed a HijackLoader sample that uses layered evasion and injection techniques—including interactive process hollowing, transacted section (doppelgänging) hollowing, and Heaven’s Gate-based unhooking—to deliver a final Cobalt Strike beacon. CrowdStrike’s Falcon platform can detect this loader early using machine learning and behavior-based IOAs. #HijackLoader #CobaltStrike

Keypoints

  • First-stage binary (streaming_client.exe) deobfuscates an embedded config, dynamically resolves APIs via PEB_LDR_DATA, and checks connectivity using WinHTTP to nginx.org with fallback image-hosting URLs.
  • The second-stage config is located inside a PNG-like blob, identified by a magic C6 A5 79 EA and XOR-decrypted (key 32 B3 21 A5), then LZNT1-decompressed via RtlDecompressBuffer.
  • Malware reflectively loads a legitimate DLL (mshtml.dll), writes position-independent shellcode into its .text section, and uses Heaven’s Gate to bypass user-mode hooks and remap x64 ntdll to unhook monitored functions.
  • Injection into cmd.exe uses an interactive process hollowing variation: pipes for STDIN/STDOUT, mapping mshtml.dll via a shared section, stomping .text with shellcode, and triggering execution by writing to STDIN rather than creating a suspended process.
  • Final payload placement uses a transacted section (transacted hollowing/process doppelgänging) to stealthily host the payload in logagent.exe, followed by DLL hollowing and a fourth-stage shellcode that performs additional unhooking before executing Cobalt Strike.
  • Techniques rely heavily on native syscalls (Nt* APIs) invoked via Heaven’s Gate and runtime primitives like NtCreateSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, and NtResumeThread.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The sample is a backdoored executable used for initial execution (‘The sample is a backdoored version of streaming_client.exe, with the Entry Point redirected to a malicious stub.’)
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Hides imports by parsing PEB->PEB_LDR_DATA to resolve kernel32/ntdll functions at runtime (‘HijackLoader and its stages hide some of the important imports from the IAT by dynamically retrieving kernel32 and ntdll API addresses.’)
  • [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – Uses WinHTTP to verify internet connectivity and retrieve stage resources (‘connects to a remote server to check if the machine is connected to the internet by using the WinHttp API’)
  • [T1140] Deobfuscate/Decode Files or Information – Uses XOR decryption and RtlDecompressBuffer (COMPRESSION_FORMAT_LZNT1) to decode and decompress the downloaded configuration (‘search for the magic value C6 A5 79 EA … used to decrypt the rest of the configuration blob’ and ‘configuration undergoes decompression using the RtlDecompressBuffer API with COMPRESSION_FORMAT_LZNT1’)
  • [T1027] Obfuscated Files or Information – Drops XOR-encrypted files to %APPDATA% to store stages (‘HijackLoader drops XOR encrypted files to the %APPDATA% subfolders to store the downloaded stages.’)
  • [T1620] Reflective Code Loading – Reflectively loads shellcode by loading and stomping mshtml.dll and writing shellcode into its .text section (‘reflectively loads the downloaded shellcode in the running process by loading and stomping the mshtml.dll module’)
  • [T1106] Native API – Uses direct syscalls and numerous Nt*/Native APIs for bypass and injection (‘HijackLoader uses direct syscalls and the following APIs … NtDelayExecution, RtlDecompressBuffer, NtProtectVirtualMemory, NtWriteVirtualMemory, NtResumeThread, NtSuspendThread, NtGetContextThread, NtSetContextThread, NtCreateTransaction, NtMapViewOfSection, NtUnMapViewofSection, NtWriteFile, NtReadFile …’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Bypasses user-mode hooks via Heaven’s Gate and remaps x64 ntdll to remove hooks (‘HijackLoader and its stages use Heaven’s Gate and remap x64 ntdll to bypass user space hooks.’)
  • [T1055.012] Process Injection: Process Hollowing – Implements a hollowing variation to inject shellcode into cmd.exe and logagent.exe (‘HijackLoader and its stages implement a process hollowing technique variation to inject in cmd.exe and logagent.exe.’)
  • [T1055.013] Process Injection: Process Doppelgänging – Uses transacted section/doppelgänging combined with hollowing to stealthily host the final payload (‘The HijackLoader shellcode implements a process doppelgänging technique variation (transacted section hollowing) to load the final stage in logagent.exe.’)

Indicators of Compromise

  • [Domains/URLs] download and staging hosts – https[:]//nginx[.]org (connectivity check), https[:]//gcdnb[.]pbrd[.]co/images/62DGoPumeB5P.png?o=1, https[:]//i[.]imgur[.]com/gyMFSuy.png (fallbacks)
  • [File names / Paths] deployed binaries and DLLs – streaming_client.exe (first-stage), C:WindowsSysWOW64mshtml.dll (stomped legitimate DLL), C:Windowssystem32ntdll.dll (read for unhooking)
  • [Process names] targets for injection – cmd.exe (interactive hollowing), logagent.exe (final host for payload)
  • [Hashes] dropped or spawned executable – c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8 (logagent.exe sample hash)

The infection begins with a backdoored streaming_client.exe that extracts a buried configuration and dynamically resolves APIs from PEB_LDR_DATA to resist static analysis. The loader verifies internet connectivity with WinHTTP (initially to nginx[.]org, then to multiple image-hosting URLs), extracts a PNG-like blob, locates the magic value C6 A5 79 EA followed by an XOR key (32 B3 21 A5), XOR-decrypts the buffer, and then decompresses it using RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1. A legitimate Windows DLL (mshtml.dll) is read and mapped so that position-independent second-stage shellcode can be written into its .text section and executed reflectively.

Runtime evasion and injection rely on native syscalls invoked via Heaven’s Gate to bypass user-mode hooks and to perform memory and process manipulation. The loader sets up an interactive hollowing into cmd.exe by creating pipes redirected to the child process, mapping mshtml.dll into the remote address space via a shared section (NtCreateSection / NtMapViewOfSection), using NtProtectVirtualMemory and NtWriteVirtualMemory to overwrite the .text with shellcode, and then altering the remote thread CONTEXT (NtGetContextThread / NtSetContextThread) to point execution to the injected code. Instead of creating the child suspended, the technique leaves cmd.exe blocked on an NtReadFile waiting for STDIN; the parent resumes execution by writing data to the STDIN pipe (WriteFile), which causes the syscall to return and execution to resume at the modified instruction pointer—triggering the shellcode without an obvious suspended/resume sequence.

For the final payload, the chain uses a transacted section-based (doppelgänging) hollowing: the third-stage shellcode creates a transaction (NtCreateTransaction / RtlSetCurrentTransaction), writes the payload into a transacted file via NtWriteFile, creates a section from that file (NtCreateSection), rolls back the transaction (NtRollbackTransaction) to hide the backing file, and maps the section into a suspended logagent.exe at its original base (unmap/remap via NtUnMapViewOfSection and NtMapViewOfSection). A subsequent mshtml.dll hollowing writes a fourth-stage shellcode that performs additional unhooking (remapping x64 ntdll via NtWriteVirtualMemory / NtProtectVirtualMemory) before handing execution to the final Cobalt Strike beacon.

Read more: https://www.crowdstrike.com/blog/hijackloader-expands-techniques/