HijackLoader is a modular malware loader that decrypts and parses PNG images to load second-stage payloads, delivering families such as Amadey, Lumma Stealer, Raccoon Stealer v2, and Remcos RAT. ThreatLabz reports updated evasion techniques, including UAC bypass, Defender exclusions, anti-hooking, and process hollowing, to improve stealth and persistence. #HijackLoader #Amadey #LummaStealer #RaccoonStealer #Remcos #ThreatLabz

Keypoints

  • HijackLoader is a modular malware loader that is used to deliver second-stage payloads including Amadey, Lumma Stealer, Raccoon Stealer v2, and Remcos RAT.
  • HijackLoader decrypts and parses a PNG image to load the next stage.
  • HijackLoader now contains the following new modules: modCreateProcess, modCreateProcess64, WDDATA, modUAC, modUAC64, modWriteFile, and modWriteFile64.
  • HijackLoader has additional features such as dynamic API resolution, blocklisted-process checking, and user-mode hook evasion using Heaven’s Gate.
  • ThreatLabz researchers created a Python script to decrypt and decompress the second stage and extract all HijackLoader modules.
  • The malware uses embedded or downloaded PNG payloads, XOR decryption, and LZNT1 decompression to load the second stage and inject modules.
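
As an added example (not code from the ThreatLabz write-up or its extraction script), the XOR-then-LZNT1 decoding path described above in pure Python, exercised on a constructed test vector. The XOR key layout (a repeating multi-byte key) is an assumption, since the key format is not given here.

```python
import struct
def lznt1_decompress_chunk(chunk: bytes) -> bytearray:
    """Decompress the body of one LZNT1 chunk (bytes after its 2-byte header)."""
    out, i = bytearray(), 0
    while i < len(chunk):
        flags, i = chunk[i], i + 1
        for bit in range(8):                  # one flag bit per token, LSB first
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:        # clear bit: literal byte
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # Token split between displacement and length depends on output so far.
            pos, len_mask, disp_shift = len(out) - 1, 0xFFF, 12
            while pos >= 0x10:
                pos, len_mask, disp_shift = pos >> 1, len_mask >> 1, disp_shift - 1
            length, disp = (token & len_mask) + 3, (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("LZNT1 back-reference points before chunk start")
            for _ in range(length):           # byte-wise copy so overlapping runs work
                out.append(out[len(out) - disp])
    return out

def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress an LZNT1 stream: chunks up to a zero header or end of data."""
    out, i = bytearray(), 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        if header == 0:                       # zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1          # field = (chunk size incl. header) - 3
        body, i = buf[i + 2:i + 2 + size], i + 2 + size
        out += lznt1_decompress_chunk(body) if header & 0x8000 else body
    return bytes(out)

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key length is an assumption, not given in the write-up."""
    return bytes(b ^ key[n % len(key)] for n, b in enumerate(data))

def decode_stage(encrypted: bytes, key: bytes) -> bytes:
    """XOR-decrypt, then LZNT1-decompress, in the order the write-up describes."""
    return lznt1_decompress(xor_decrypt(encrypted, key))
# Constructed test vector (not a real sample): two LZNT1 chunks plus a zero terminator,
# XOR-encrypted with a constructed two-byte key so decode_stage() has input to work on.
SAMPLE_COMPRESSED = bytes.fromhex("05b0" "08414243" "0620"            # -> ABCABCABCABC
    "18b0" "003031323334353637" "003839414243444546" "104748494a0310" "0000")
SAMPLE_KEY = b"\x5a\xa7"
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_COMPRESSED, SAMPLE_KEY)
```

The second chunk deliberately crosses the 16-byte output boundary, where the token's displacement/length split changes, which is the point most hand-written LZNT1 decoders get wrong.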

MITRE Techniques

  • [T1027.007] Dynamic API Resolution – The loader resolves APIs dynamically by walking the PEB and parsing the PE header. ‘The loader uses the SDBM hashing algorithm below to resolve APIs.’
  • [T1548.001] Abuse Elevation Control Mechanism – The loader bypasses UAC using the CMSTPLUA COM interface. ‘This module is used to bypass UAC using the CMSTPLUA COM interface.’
  • [T1140] Deobfuscate/Decode Files or Information – The PNG payload is decrypted and loaded after a series of checks. ‘HijackLoader decrypts embedded shellcode by performing a simple addition operation with a key.’
  • [T1055] Process Injection – The main instrumentation module is injected into a target process via process hollowing. ‘the main instrumentation module is injected using process hollowing.’
  • [T1620] Reflective Code Loading – The loader copies itself into memory and loads stages from memory. ‘The malware loads a copy of itself into memory using GlobalAlloc and ReadFile.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – WDDATA contains data to add a Windows Defender Antivirus exclusion. ‘This module contains a PowerShell command to add a Windows Defender Antivirus exclusion.’
  • [T1057] Process Discovery – The loader checks for blocklisted processes and uses system information APIs to decide on execution. ‘The shellcode uses the RtlGetNativeSystemInfo API to check for blocklisted processes running on the system.’

Indicators of Compromise

  • [SHA256] Host indicators – 7a8db5d75ca30164236d2474a4719046a7814a4411cf703ffb702bf6319939d7, d95e82392d720911f7eb5d8856b8ccd2427e51645975cdf8081560c2f6967ffb – HijackLoader-related hashes (and 8 more hashes)
  • [URL] Network indicators – hxxp://discussiowardder[.]website/api – LummaStealer C2

Read more: https://www.zscaler.com/blogs/security-research/hijackloader-updates