A new Hijack Loader variant with enhanced evasion capabilities has been detected in the wild. It decrypts a PNG image to load its second-stage payload and combines process hollowing with a Windows Defender exclusion and a UAC bypass to evade detection. #HijackLoader #IDATLoader #processhollowing #WindowsDefender #UAC #ANYRUN #YARA
Key points
- A new Hijack Loader variant with updated evasion capabilities has been observed in 2024.
- The second stage decrypts and parses a PNG image to load its payload, enabling a modular architecture.
- The primary goal of the second stage is to inject the main instrumentation module into a target process.
- Evasion measures include avoiding inline API hooks (the user-mode hooks security products place on Windows APIs), adding a Windows Defender exclusion, and bypassing UAC.
- Seven new modules were spotted in March and April 2024, indicating rapid expansion of capabilities.
- Hijack Loader (aka IDAT Loader) appeared in Sept 2023 and is now widely used, ranking 6th in ANY.RUN Trends Tracker.
- The latest IOCs (IP addresses, file hashes, and domains) are listed below and are kept updated through ANY.RUN analyses.
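The page does not disclose the loader's decryption key or payload layout, so the PNG cannot be decrypted from what is written here. What a practitioner can do is triage a suspect image structurally: a PNG that carries a second stage typically shows a non-standard chunk, IDAT data that is not (only) a deflate stream, a CRC mismatch, or bytes appended after IEND. The following is an added example, not code from the ANY.RUN post or from the loader itself; the chunk name pAYL, the inline sample images, and the stand-in "encrypted blob" are constructed for illustration.

```python
"""Structural triage of a PNG suspected of carrying an encrypted second stage.
Added example (not ANY.RUN's code). It does not know any loader key or format;
it only surfaces the structural oddities a payload-carrying PNG tends to have."""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs",
                   b"sBIT", b"sPLT", b"hIST", b"tIME"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_chunks(blob: bytes):
    """Walk the chunk list up to IEND. Returns (chunks, offset_after_IEND);
    each chunk is (type, data, crc_ok, offset). Truncated chunks end the walk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            chunks.append((ctype, data, False, pos))
            return chunks, len(blob)
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def triage_png(blob: bytes) -> dict:
    """Return findings that suggest the image is a carrier rather than a picture."""
    chunks, end = parse_chunks(blob)
    findings = []
    for ctype, data, crc_ok, off in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype!r} at offset {off}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({len(data)} bytes) at offset {off}")
    ihdr = next((d for t, d, _, _ in chunks if t == b"IHDR"), b"")
    idat = b"".join(d for t, d, _, _ in chunks if t == b"IDAT")
    if len(ihdr) >= 13:
        w, h, depth, colour = struct.unpack(">IIBB", ihdr[:10])
        # each scanline is one filter byte plus the packed samples
        expected = h * (1 + (w * depth * CHANNELS.get(colour, 1) + 7) // 8)
        d = zlib.decompressobj()
        try:
            raw = d.decompress(idat) + d.flush()
            if not d.eof:
                findings.append("IDAT deflate stream is truncated")
            elif len(raw) != expected:
                findings.append(f"IDAT inflates to {len(raw)} bytes, IHDR implies {expected}")
            if d.unused_data:  # the 'IDAT Loader' hiding spot: bytes after the deflate stream
                findings.append(f"{len(d.unused_data)} bytes in IDAT after the deflate stream")
        except zlib.error:
            findings.append("IDAT does not inflate as zlib: likely not image data")
    trailing = len(blob) - end
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return {"findings": findings, "idat_size": len(idat),
            "idat_entropy": round(entropy(idat), 2), "trailing_bytes": trailing}


# ---- constructed sample images (not real samples from the campaign) ----
def chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


_RAW = b"".join(b"\x00" + bytes(px) * 2 for px in [(255, 0, 0), (0, 0, 255)])  # 2x2 RGB, filter 0
_IHDR = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
_BLOB = bytes(range(256)) * 8  # stand-in for an encrypted blob (uniform bytes, entropy 8.0)


def clean_png() -> bytes:
    return PNG_SIG + chunk(b"IHDR", _IHDR) + chunk(b"IDAT", zlib.compress(_RAW)) + chunk(b"IEND", b"")


def carrier_png() -> bytes:
    """Payload in a made-up chunk 'pAYL' plus 64 bytes appended after IEND."""
    base = clean_png()
    return base[:-12] + chunk(b"pAYL", _BLOB) + base[-12:] + b"\x00" * 64


def idat_hidden_png() -> bytes:
    """Payload appended inside IDAT after the genuine deflate stream (valid CRC)."""
    return PNG_SIG + chunk(b"IHDR", _IHDR) + chunk(b"IDAT", zlib.compress(_RAW) + _BLOB) + chunk(b"IEND", b"")


if __name__ == "__main__":
    for name, img in [("clean", clean_png()), ("carrier", carrier_png()), ("idat_hidden", idat_hidden_png())]:
        print(name, triage_png(img))
```

Run it against a suspect image with `triage_png(open(path, "rb").read())`. Image viewers ignore unknown ancillary chunks, trailing bytes, and leftover IDAT data, which is exactly why these locations are attractive to a loader and why a viewer rendering the file correctly proves nothing.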
MITRE Techniques
- [T1055.012] Process Injection: Process Hollowing – “Uses process hollowing.”
- [T1140] Deobfuscate/Decode Files or Information – “decrypts and parses a PNG image to load its second stage payload.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – “adds an exclusion for Windows Defender antivirus.”
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – “Bypasses User Account Control (UAC).”
Indicators of Compromise
- [IPs] Hijack Loader IOCs – 185.215.113.67, 193.233.132.139, and 185.172.128.76
- [Hashes] Hijack Loader IOCs – 86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3, 0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F, A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6
- [Domains] Hijack Loader IOCs – mail.zoomfilms-cz[.]com, discussiowardder[.]website, wxt82[.]xyz
Read more: https://any.run/cybersecurity-blog/new-hijackloader-version/