Malware on the Move: HijackLoader Learns New Tricks to Evade Detection
CrowdStrike has unveiled that the architects behind the HijackLoader loader have integrated novel evasion tactics, as this malicious software increasingly becomes a tool of choice for cybercriminals to deploy additional payloads and tools.
The developer has employed a conventional process substitution technique in tandem with an extra trigger activated by the parent process writing into a channel. This strategy might render evasion more inconspicuous.
A second technique features a unique combination of Process Doppelgänging and Process Hollowing methods. The inception of the multi-stage attack chain of the new HijackLoader variant is an executable file (“streaming_client.exe”), which verifies an active internet connection before proceeding to download a second-stage configuration from a remote server.
HijackLoader — infection chain | Image: CrowdStrike
The executable then downloads a legitimate DLL library specified in the configuration to activate the shell code responsible for launching the HijackLoader payload. This occurs through a blend of Process Doppelgänging and Process Hollowing methods, complicating analysis and enhancing HijackLoader’s defensive evasion capabilities.
Subsequently, HijackLoader’s second-stage shell code undertakes actions to disable webhooks using Heaven’s Gate and injects subsequent shell code into cmd.exe. Heaven’s Gate allows malware to bypass endpoint security measures by invoking 64-bit code in 32-bit Windows processes, effectively circumventing user hooks.
A key evasion method for HijackLoader is the Transacted Hollowing process injection mechanism, wherein Windows file system transactions are utilized to load and execute malicious code within another process’s context.
Investing in new evasion capabilities for HijackLoader (IDAT Loader) potentially aims to render it more covert and undetectable by conventional security solutions. These new methods indicate both a deliberate and experimental evolution of existing evasion capabilities, as well as an increase in complexity for threat researchers to analyze.
