Technical Analysis of HijackLoader

HijackLoader is a modular Windows loader that either contains or downloads an encrypted payload, decrypts and decompresses it (XOR + LZNT1), then uses embedded modules to inject and execute final malware families such as Danabot, SystemBC, and RedLine Stealer. It employs evasion and persistence techniques including custom API hashing, direct syscalls, a process-name blocklist that alters behavior, Heaven’s Gate, DLL hijacking, BITS jobs, and Startup LNK persistence. #HijackLoader #Danabot #SystemBC #RedLine

Key points

  • HijackLoader is a modular loader observed since July 2023 that delivers multiple payload families (Danabot, SystemBC, RedLine Stealer).
  • Initial stage parses an encrypted configuration (XOR/ADD) containing API hashes, module hashes, payload markers, URLs, XOR keys and a process-name blocklist.
  • Second stage locates encrypted blobs (markers + sizes), concatenates and XOR-decrypts them, then decompresses the result with LZNT1 to obtain modules and shellcode.
  • The loader patches a legitimate DLL (e.g., mshtml.dll), copies the next-stage module (ti) into its code section, and executes it to perform code injection of the main instrumentation shellcode.
  • Multiple injection methods exist (process creation + injection, adding PE section to stubs, DLL entry execution, .NET msbuild injection) chosen via a configuration flag.
  • Anti-analysis and evasion include custom API hashing, use of syscalls, Heaven’s Gate, process blocklists (AVDATA/AV blocklists) that alter behavior, and delayed/timed writes to evade detection.
  • Persistence options include creating BITS jobs and placing LNK shortcuts in Startup; final payload decryption uses an XOR keyed by the first 200 bytes and shellcode handles relocation/parsing before execution.

MITRE Techniques

  • [T1055] Process Injection – Injects and executes shellcode/modules into created or existing processes; article states ‘Performs code injection for other stages and modules.’
  • [T1574.001] DLL Search Order Hijacking – Uses extra files for DLL hijacking and writes DLLs/stubs to disk for hijacked execution; article notes ‘HijackLoader might include an additional set of files, which can be used for DLL hijacking.’
  • [T1547.001] Boot or Logon Autostart Execution (Startup Folder) – Adds persistence by writing LNK shortcut files to Startup and saving executables to %AppData%; article: ‘Adds persistence by creating a shortcut (LNK) file and saving the current executable under a random filename in the Windows folder %AppData%.’
  • [T1197] BITS Jobs – Establishes persistence by creating BITS jobs that point to the malicious executable; article: ‘Creation of a BITS job, which points to the executable file.’
  • [T1218] Signed Binary Proxy Execution / Heaven’s Gate usage – Uses the Heaven’s Gate technique and 32/64-bit execution tricks to evade analysis; article: ‘The developers have included the Heaven’s gate technique.’

Indicators of Compromise

  • [File hashes] Host sample SHA256s – 7bd39678ac3452bf55359b44c5192b79412ce61a82cd72eef88f91aba5792ee6, 6b1621bded06b082f83c731319c9deb2fdf751a4cec1d1b2b00ab9e75f4c29ca, and 3 more hashes.
  • [URLs / Domains] Payload download URLs – hxxps://www.4sync[.]com/web/directDownload/KFtZys (Danabot payload), hxxps://geupdate-service[.]bond/img/3344379399.png (RedLine payload).
  • [Process names] Process blocklist examples – avastsvc.exe, ekrn.exe (AVDATA/AV blocklists used to change behavior), and many other AV process names listed.
  • [File names / DLLs] Targeted or written files – mshtml.dll (DLL used as patch/hijack target), FIXED module executable written for injection.

HijackLoader initializes by running a hooked CRT entry point and locating an encrypted configuration using hardcoded offsets. That configuration (decrypted via XOR or ADD) contains API hashes, module hashes/offsets, markers and XOR keys for encrypted blobs, an optional payload URL, a signature for validating downloads, a seed for username-derived filenames, and a process-name blocklist that influences runtime behavior. During initialization it performs connectivity checks, delays, dynamic API resolution (via hashed names), and checks for specific processes to alter flow (skip connectivity tests or delay execution).

The second stage locates encrypted payload blobs (each with a marker and size), concatenates and XOR-decrypts them using the XOR key found after the first blob, then decompresses the result with LZNT1. The decrypted payload contains a modules table and either shellcode or DLLs; HijackLoader searches the modules table for the CRC32 of the next-stage module (ti/ti64), loads a legitimate DLL (e.g., mshtml.dll), copies the ti module into the DLL’s code section, and executes it to deploy the main instrumentation shellcode. The loader supports multiple execution/injection methods selected by flags: direct DLL entry execution, creating a process (often using a written “FIXED” legitimate executable) and injecting rshell/ESWR modules, writing patched stubs (delaying the MZ write to evade detection), or creating msbuild processes for .NET payloads; injected data is sometimes randomized and timing-delayed to avoid detection.
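The LZNT1 step above is the one an analyst most often has to reproduce off the infected host, since `RtlDecompressBuffer` is only available on Windows. The following pure-Python decompressor is an added example, not code from the Zscaler write-up; it implements the LZNT1 chunk format as documented in Microsoft's MS-XCA specification and runs on any platform. The compressed input used in `decompress_sample()` is a hand-constructed chunk, not loader data, and the XOR step that precedes decompression in the loader is out of scope here.

```python
"""Pure-Python LZNT1 decompressor for offline extraction of XOR-decrypted blobs.

Added example (not from the original analysis). Format per MS-XCA:
a stream is a sequence of chunks, each with a 2-byte little-endian header
(bit 15 = compressed, bits 0-11 = chunk size - 1); a compressed chunk is a
series of [flag byte][8 tokens], where a set flag bit marks a 2-byte
back-reference whose length/displacement split depends on the output
position within the chunk.
"""


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress a whole LZNT1 stream (all chunks until a zero header)."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = int.from_bytes(data[i:i + 2], "little")
        i += 2
        if header == 0:                 # zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = data[i:i + size]
        i += size
        if not header & 0x8000:         # stored chunk: copied verbatim
            out += chunk
            continue
        out += _decompress_chunk(chunk)
    return bytes(out)


def _decompress_chunk(chunk: bytes) -> bytes:
    out = bytearray()
    j = 0
    while j < len(chunk):
        flags = chunk[j]
        j += 1
        for bit in range(8):            # one flag bit per token, LSB first
            if j >= len(chunk):
                break
            if not (flags >> bit) & 1:  # clear bit: literal byte
                out.append(chunk[j])
                j += 1
                continue
            token = int.from_bytes(chunk[j:j + 2], "little")
            j += 2
            # Early in the chunk the displacement needs few bits, so the
            # token starts as 12 bits length / 4 bits displacement and the
            # split moves one bit toward displacement each time the output
            # position doubles past 16.
            pos = len(out) - 1
            l_mask, o_shift = 0x0FFF, 12
            while pos >= 0x10:
                l_mask >>= 1
                o_shift -= 1
                pos >>= 1
            length = (token & l_mask) + 3
            offset = (token >> o_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference before start of chunk")
            # The copy may overlap its own output (run-length style), so
            # copy byte by byte rather than slicing.
            for _ in range(length):
                out.append(out[-offset])
    return bytes(out)


# Constructed sample: one compressed chunk. Header 0xB005 = compressed,
# size 6; tokens: 'A','B','C' literal, then back-reference offset 3,
# length 9 (token 0x2006), giving "ABC" + "ABCABCABC".
SAMPLE_STREAM = b"\x05\xb0\x08ABC\x06\x20"


def decompress_sample() -> bytes:
    return lznt1_decompress(SAMPLE_STREAM)


if __name__ == "__main__":
    print(decompress_sample())  # b'ABCABCABCABC'
```

The byte-by-byte copy in the back-reference loop is deliberate: LZNT1 tokens frequently reference data that has not been fully written yet (a length larger than the displacement), and a slice copy would silently produce short output on exactly the repetitive padding that malware payloads contain.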

The AVDATA/ti modules implement anti-analysis and persistence: process blocklists change behavior (e.g., create LNK shortcuts in Startup, write a legitimate FIXED executable for later injection, create BITS jobs), and evasion includes custom API hashing, using syscalls, Heaven’s Gate transitions, and timed writes. Final embedded payloads are decrypted by XOR using the first 200 bytes as the key material (enc_data = data[200:], key = data[:200], then 4-byte XOR), then relocated/parsed by shellcode and executed according to the configured injection method.
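The final-payload scheme described above (key = data[:200], enc_data = data[200:], 4-byte XOR) is simple enough to reproduce for triage. The script below is an added example, not code from the Zscaler write-up. It assumes the 200-byte key repeats cyclically over the ciphertext (the write-up does not say how the key is reused) and XORs in 32-bit words as the text states; since 200 is a multiple of 4 this is identical to XORing byte i with key[i % 200]. The encrypted blob in `build_sample()` is constructed in the script itself, and `looks_like_pe()` is a sanity check on the result, not something the loader does.

```python
"""Decrypt an embedded payload whose first 200 bytes are the XOR key.

Added example (not from the original analysis). Assumptions: the 200-byte
key cycles over the ciphertext; a trailing partial word (length not a
multiple of 4) is XORed byte-wise. Sample data is constructed below.
"""
import struct

KEY_LEN = 200


def xor_decrypt_payload(data: bytes) -> bytes:
    """Return the plaintext for a blob laid out as key(200) || ciphertext."""
    if len(data) < KEY_LEN:
        raise ValueError("blob shorter than the 200-byte key")
    key, enc = data[:KEY_LEN], data[KEY_LEN:]
    out = bytearray(len(enc))
    words = len(enc) // 4
    # 4-byte XOR, key offset wrapping every 200 bytes (assumed cycling).
    for w in range(words):
        off = w * 4
        e = struct.unpack_from("<I", enc, off)[0]
        k = struct.unpack_from("<I", key, off % KEY_LEN)[0]
        struct.pack_into("<I", out, off, e ^ k)
    # Trailing 1-3 bytes, if any: byte-wise with the same cycling key.
    for i in range(words * 4, len(enc)):
        out[i] = enc[i] ^ key[i % KEY_LEN]
    return bytes(out)


def xor_encrypt_payload(plain: bytes, key: bytes) -> bytes:
    """Inverse operation, used only to build the constructed sample."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 200 bytes")
    return key + bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(plain))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check that decryption worked: MZ header and PE signature at
    e_lfanew. Not part of the loader; a triage heuristic only."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample() -> bytes:
    """Constructed blob: a minimal PE-like plaintext encrypted under a
    deterministic 200-byte key. Not real malware data."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature
    hdr[0x40:0x44] = b"PE\x00\x00"
    plain = bytes(hdr) + b"constructed sample body"   # 151 bytes total
    key = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))
    return xor_encrypt_payload(plain, key)


if __name__ == "__main__":
    blob = build_sample()
    dec = xor_decrypt_payload(blob)
    print(len(dec), looks_like_pe(dec))   # 151 True
```

In practice the blob is carved from the dumped module at the offset the shellcode passes to its decryption routine; checking the decrypted output for an MZ/PE header before writing it to disk catches a wrong offset or key-reuse assumption immediately.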

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader