HijackLoader Reloaded: Malware Evolves for Stealth
Recently, cybersecurity experts have detected a new version of HijackLoader malware, now featuring enhanced methods to thwart analysis. This upgrade enables the malware to remain undetected within compromised networks for extended periods.
Researchers at Zscaler, in their technical report, noted that the new functionality is designed to make the malware stealthier. HijackLoader, also known as IDAT Loader, can now add exclusions to Windows Defender, bypass User Account Control (UAC), evade the user-mode API hooks that antivirus and EDR products rely on for detection, and employ process hollowing (starting a legitimate process in a suspended state and replacing its memory with the payload).
First identified in September 2023, HijackLoader has been used to distribute a range of malware families, including Amadey, Lumma Stealer, Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys.
Particularly noteworthy in the latest version of the loader is the way it decrypts and parses PNG images to load the subsequent stages of the malware. This technique was first documented by Morphisec in a campaign targeting organizations in Finland.
The first stage of the loader extracts the second stage from a PNG image, which is either embedded in the loader itself or downloaded separately depending on the configuration, and then executes it. To further hinder analysis, the second stage applies additional anti-analysis techniques implemented across several modules.
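The article does not spell out how the second stage is laid out inside the PNG, so the script below is a generic triage tool rather than a signature for HijackLoader's container format. It is an added example, not code from the Zscaler or Morphisec reports: it walks the chunks of a PNG and flags the places where a loader would typically hide a payload (a non-standard chunk, bytes appended after IEND, or an IDAT stream that is not valid zlib or does not inflate to the pixel-buffer size the IHDR header implies). The sample images, the `pYLd` chunk type and the payload bytes are constructed for the demonstration.

```python
"""Triage PNG files for payload-carrying anomalies (added example).

Generic checks derived from the PNG specification; the real HijackLoader
container format is not described in the article and is not modelled here.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus common registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by colour type


def parse_chunks(data):
    """Return ([(type, payload, crc_ok), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        crc_ok = struct.pack(">I", zlib.crc32(ctype + payload)) == crc
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def expected_raw_size(ihdr):
    """Bytes the filtered, non-interlaced pixel buffer must inflate to."""
    width, height, bit_depth, color_type = struct.unpack(">IIBB", ihdr[:10])
    scanline = 1 + (width * CHANNELS[color_type] * bit_depth + 7) // 8
    return height * scanline


def triage_png(data):
    """Return a list of findings; an empty list means nothing looked odd."""
    findings = []
    chunks, trailing = parse_chunks(data)
    types = [c[0] for c in chunks]
    if not types or types[0] != b"IHDR":
        findings.append("first chunk is not IHDR")
    if types and types[-1] != b"IEND":
        findings.append("no IEND chunk")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % name)
        if ctype not in KNOWN_CHUNKS:
            findings.append("unknown chunk %s (%d bytes)" % (name, len(payload)))
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")
    if types and types[0] == b"IHDR" and idat:
        ihdr = chunks[0][1]
        d = zlib.decompressobj()
        try:
            raw = d.decompress(idat) + d.flush()
        except zlib.error as exc:
            findings.append("IDAT is not a zlib stream: %s" % exc)
        else:
            if d.unused_data:
                findings.append("%d bytes after zlib stream inside IDAT" % len(d.unused_data))
            if ihdr[12] == 0 and len(raw) != expected_raw_size(ihdr):  # skip interlaced images
                findings.append("IDAT inflates to %d bytes, IHDR implies %d"
                                % (len(raw), expected_raw_size(ihdr)))
    return findings


def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_png(width, height, pixels, extra_chunks=(), trailing=b""):
    """Build a minimal 8-bit RGB PNG from raw RGB bytes (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + pixels[r * width * 3:(r + 1) * width * 3] for r in range(height))
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        out += _chunk(ctype, payload)
    return out + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"") + trailing


# Constructed samples, not real HijackLoader artefacts.
PAYLOAD = b"\x4d\x5a" + bytes(range(30))  # stand-in for an encrypted stage
CLEAN = build_png(2, 2, bytes(range(12)))
SMUGGLED = build_png(2, 2, bytes(range(12)), extra_chunks=[(b"pYLd", PAYLOAD)], trailing=PAYLOAD)
BOGUS_IDAT = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0))
              + _chunk(b"IDAT", PAYLOAD) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("smuggled", SMUGGLED), ("bogus_idat", BOGUS_IDAT)]:
        print(name, triage_png(blob) or ["ok"])
```

On real samples, run `triage_png` over the bytes of any PNG dropped or fetched by a suspicious process; a hit on the IDAT checks is the strongest signal, since an image viewer would not render such a file, whereas an unknown ancillary chunk or trailing data can also occur in benign files and needs a second look.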
Another feature of recent versions is the use of the “Heaven’s Gate” technique to evade user-mode hooks, as reported by CrowdStrike in February 2024: 32-bit loader code switches the processor into 64-bit mode so that it can call the 64-bit ntdll directly, sidestepping hooks that security products placed in the 32-bit copy.
Amadey remains the most prevalent family of malware delivered via HijackLoader. New modules integrated into the loader enhance its capabilities and make it more resistant to detection.
Lately, there has also been a rise in the distribution of other malware families through malvertising and phishing, including DarkGate, FakeBat, and GuLoader, as well as the emergence of TesseractStealer, which uses optical character recognition to extract text from images on the victim's machine.