HijackLoader is a modular loader with strong evasion capabilities that delivers follow-on payloads such as DanaBot and RedLine. It commonly enters systems via phishing emails and employs techniques such as a modified Windows CRT function, internet connectivity checks, delayed execution, dynamic API loading via hashing, and a security-aware AVDATA module that tailors its behaviour to the installed security software. #HijackLoader #DanaBot #RedLine #ANYRUN #Phonk
Keypoints
- HijackLoader is a modular loader that evades detection while delivering payloads such as DanaBot and RedLine.
- The malware commonly enters via phishing emails, with real-world examples like hotel staff receiving infected attachments.
- Its modular design enables flexible deployment and execution of final payloads on infected hosts.
- Strong evasion techniques include a modified Windows CRT function, internet connectivity checks, delayed execution, and dynamic API loading with hashing.
- The AVDATA module identifies installed security software and adjusts its behavior accordingly.
- The observed execution chain is simple but stealthy: the loader uses the CMD utility and MSBuild to download Phonk, which in turn downloads the miner. The article recommends detonating samples in a sandbox such as ANY.RUN to trace this chain.
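The cmd.exe to MSBuild to download chain above is the kind of behaviour process telemetry catches well, because MSBuild is a signed build tool that rarely has a reason to be launched from a shell or to talk to the internet on a non-developer workstation. The following is an added example, not code from the ANY.RUN article or from HijackLoader, that runs three simple rules over constructed process-creation and network-connection events loosely modelled on Sysmon Event IDs 1 and 3: MSBuild spawned by cmd.exe, MSBuild handed a project file from a user-writable directory, and MSBuild opening an outbound connection. The event fields, file names, paths and the 203.0.113.5 address are all invented for the example and are not indicators from the article.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal telemetry record; field names are this example's own,
    loosely modelled on Sysmon Event ID 1 (process create) and 3 (network)."""
    event_id: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest: str = ""  # "ip:port", event_id 3 only


# The page names CMD as the launcher; other script hosts could be added here.
SHELL_PARENTS = {"cmd.exe"}

# Directories a normal user can write to; a build tool reading a project
# file from one of these is unusual outside a developer workstation.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\Public|Downloads|ProgramData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()


def is_msbuild(image: str) -> bool:
    return basename(image) == "msbuild.exe"


def detect(events):
    """Return (rule_name, event) pairs for every MSBuild event that matches."""
    alerts = []
    for ev in events:
        if not is_msbuild(ev.image):
            continue
        if ev.event_id == 1:
            if basename(ev.parent_image) in SHELL_PARENTS:
                alerts.append(("msbuild_spawned_by_shell", ev))
            if USER_WRITABLE.search(ev.command_line):
                alerts.append(("msbuild_project_in_user_writable_path", ev))
        elif ev.event_id == 3:
            # MSBuild has no business initiating network connections itself
            alerts.append(("msbuild_outbound_connection", ev))
    return alerts


MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed sample events (invented for this example, not article IOCs).
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\cmd.exe",
              r"C:\Users\guest\AppData\Local\Temp\attachment.exe",
              r"cmd.exe /c " + MSBUILD + r" C:\Users\guest\AppData\Local\Temp\a.proj"),
    ProcEvent(1, MSBUILD, r"C:\Windows\System32\cmd.exe",
              MSBUILD + r" C:\Users\guest\AppData\Local\Temp\a.proj"),
    ProcEvent(3, MSBUILD, dest="203.0.113.5:443"),
    # Benign control: MSBuild started by Visual Studio on a project in a source tree.
    ProcEvent(1, MSBUILD,
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              MSBUILD + r" C:\src\app\app.sln"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.image} parent={ev.parent_image or '-'} dest={ev.dest or '-'}")
```

The benign Visual Studio event produces nothing, while the constructed loader chain trips all three rules; in a real deployment the first two rules would be tuned per environment (developer hosts legitimately run MSBuild from terminals), but MSBuild making outbound connections is rarely expected anywhere.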
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Initial access via phishing emails carrying malicious attachments; "Most of the known attacks involving HijackLoader began with phishing emails." In one noted case the attackers posed as hotel guests and asked staff to download a file supposedly containing allergy information.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Uses cmd.exe to blend into normal activity; "the loader leveraged the CMD utility to stay under the radar."
- [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild – The execution chain runs MSBuild, a signed Microsoft build tool, for the download stage (summarised on this page as CMD usage and MSBuild to download Phonk and the miner).
- [T1105] Ingress Tool Transfer – Downloads and executes the Phonk stage, which in turn downloads the miner; "which downloads and runs the Phonk which downloads the miner."
- [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – Checks for internet connectivity before continuing, listed on the page among the evasion techniques.
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Delays execution, a common way to outlast automated-analysis timeouts.
- [T1518.001] Software Discovery: Security Software Discovery – The AVDATA module identifies security software installed on the system and adjusts the loader's behaviour accordingly; "AVDATA module is designed specifically for the purpose of identifying security software installed on the system and adjusting its operation…"
- [T1027.007] Obfuscated Files and Information: Dynamic API Resolution – Resolves Windows APIs at runtime through a custom hash rather than an import table, so neither the import directory nor a strings dump reveals the functions used; "dynamic API loading via a custom hashing method."
- [T1562.001] Impair Defenses: Disable or Modify Tools – Mapped on the basis of "strong evasion capabilities, allowing it to bypass mainstream security solutions." Note that the page describes evading security products, not disabling or modifying them; the AVDATA-driven behaviour changes sit closer to discovery and evasion than to tool tampering, so treat this mapping as tentative.
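Dynamic API resolution through hashing (the Keypoints and the T1027 entry above) is why a strings dump or import table of such a loader shows no LoadLibraryA or VirtualAlloc. The following is an added example, not the article's or HijackLoader's code, that shows both sides of the trick: a loader-style lookup that walks an export table hashing each name until one matches, and the analyst's counter of precomputing hashes of interesting APIs and scanning a blob for the constants. The ROR-13 hash, the fake export table and its addresses are assumptions made for illustration; the page says only that HijackLoader's hash is "custom", so the real scheme has to be recovered from the sample before this approach applies.

```python
import struct


def ror13_hash(name: str) -> int:
    """ROR-13 API hash: rotate the running 32-bit value right by 13 bits and
    add the next byte. Assumed here for illustration; HijackLoader's own
    scheme is described on the page only as 'custom'."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export directory: name -> fake address.
FAKE_EXPORTS = {
    "LoadLibraryA": 0x7FFE0010,
    "GetProcAddress": 0x7FFE0020,
    "VirtualAlloc": 0x7FFE0030,
    "CreateProcessA": 0x7FFE0040,
    "InternetOpenUrlA": 0x7FFE0050,
}


def resolve_by_hash(target: int, exports=FAKE_EXPORTS):
    """Loader side: walk the export names, hash each one, return the address
    whose hash matches. No API name ever needs to exist in the loader image."""
    for name, addr in exports.items():
        if ror13_hash(name) == target:
            return addr
    return None


def build_loader_blob(api_names):
    """Emulate the loader's data section: only 32-bit hashes are stored."""
    return b"".join(struct.pack("<I", ror13_hash(n)) for n in api_names)


def names_in_blob(blob: bytes, api_names):
    """Naive string scan: which plaintext API names does the blob contain?"""
    return [n for n in api_names if n.encode() in blob]


def hashes_in_blob(blob: bytes, candidate_names):
    """Analyst side: precompute hashes of APIs worth knowing about and look
    for the constants instead of the strings. Returns (offset, name) pairs."""
    table = {struct.pack("<I", ror13_hash(n)): n for n in candidate_names}
    found = []
    for off in range(0, len(blob) - 3):
        name = table.get(blob[off:off + 4])
        if name:
            found.append((off, name))
    return found


if __name__ == "__main__":
    wanted = ["VirtualAlloc", "CreateProcessA", "InternetOpenUrlA"]
    blob = build_loader_blob(wanted)
    print("plaintext names visible:", names_in_blob(blob, wanted))
    print("hash constants recovered:", hashes_in_blob(blob, FAKE_EXPORTS))
    print("runtime resolution:", hex(resolve_by_hash(ror13_hash("VirtualAlloc"))))
```

Running it shows the string scan finding nothing while the hash scan recovers the three APIs and their offsets; this is the idea behind hash-lookup helpers such as FLARE's shellcode_hashes IDA plugin, which ship tables for many known hash routines but need the routine reimplemented when a family uses its own.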
Indicators of Compromise
- None identified – the article lists no IPs, file hashes, domains or file names.
Read more: https://any.run/malware-trends/hijackloader