Hijack Loader Malware
Overview
Hijack Loader, also known as IDAT Loader, has evolved with enhanced evasion techniques aimed at increasing its stealth and persistence within infected systems. Recent variants demonstrate advanced tactics such as process hollowing and User Account Control (UAC) bypass.
Technical Details
The malware initiates an attack by deploying a first-stage loader, which then executes a more complex second stage built around process hollowing: malicious shellcode is injected into legitimate Windows processes through an evolved form of the technique in which the hollowing is triggered by specific actions, such as writing to a pipe. This makes detection more challenging for conventional antivirus solutions (CrowdStrike) (SC Media) (RedPacket Security).
Evasion Techniques
Hijack Loader employs a multi-stage injection process, using advanced techniques such as Heaven's Gate to bypass user-mode hooks. Additionally, it utilizes process doppelgänging combined with transacted hollowing to further obscure its activities from detection tools (CrowdStrike) (RedPacket Security) (Rivitmedia).
Payload Delivery and Execution
The malware is capable of loading multiple types of payloads. It executes these payloads by first testing for internet connectivity, then retrieving and decrypting configuration data to load and execute the final malicious code (WinBuzzer) (RedPacket Security).
Mitigation and Prevention
Organizations are advised to implement robust endpoint protection solutions that can detect and mitigate advanced malware techniques. Regular updates to security software and operating systems are crucial. Additionally, security awareness training for employees can help prevent initial compromise through phishing or other common vectors (Rivitmedia).
Indicators of Compromise (IoCs)
SHA256 Hashes
7a8db5d75ca30164236d2474a4719046a7814a4411cf703ffb702bf6319939d7
d95e82392d720911f7eb5d8856b8ccd2427e51645975cdf8081560c2f6967ffb
URL
hxxp://discussiowardder[.]website/api
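The indicators above are published defanged (hxxp, [.]), so they will not match raw proxy logs as-is. The following is an added example, not part of the original report: it parses the IoC section, refangs the URL, and sweeps constructed proxy log lines and a constructed file-hash inventory for matches. The log format and file paths are invented for the example.

```python
import re

# Copy of the defanged indicators from the IoC section above.
IOC_TEXT = """
SHA256 Hashes
7a8db5d75ca30164236d2474a4719046a7814a4411cf703ffb702bf6319939d7
d95e82392d720911f7eb5d8856b8ccd2427e51645975cdf8081560c2f6967ffb
URL
hxxp://discussiowardder[.]website/api
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DEFANGED_URL_RE = re.compile(r"\bhxxps?://\S+", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Undo common defanging so the value matches what real logs contain."""
    s = re.sub(r"hxxp", "http", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def parse_iocs(text: str):
    """Return (sha256 set, refanged url set, host set), all lower-cased."""
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    urls = {refang(u).lower() for u in DEFANGED_URL_RE.findall(text)}
    hosts = {u.split("://", 1)[1].split("/", 1)[0] for u in urls}
    return hashes, urls, hosts

def match_proxy_log(lines, urls, hosts):
    """Yield (line_no, reason) for each log line touching an indicator.
    A full-URL hit is reported in preference to a bare-host hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if any(u in low for u in urls):
            hits.append((n, "url"))
        elif any(h in low for h in hosts):
            hits.append((n, "host"))
    return hits

def match_file_hashes(inventory, hashes):
    """Return paths whose recorded SHA256 is a known indicator."""
    return sorted(p for p, d in inventory.items() if d.lower() in hashes)

# Constructed sample telemetry (not real data).
PROXY_LOG = [
    "10.0.0.5 GET http://discussiowardder.website/api 200 1024",
    "10.0.0.7 CONNECT discussiowardder.website:443 -",
    "10.0.0.9 GET https://update.example.invalid/feed 200 512",
]
FILE_INVENTORY = {
    r"C:\Users\user\Downloads\setup.exe":
        "7A8DB5D75CA30164236D2474A4719046A7814A4411CF703FFB702BF6319939D7",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

def run_example():
    hashes, urls, hosts = parse_iocs(IOC_TEXT)
    return match_proxy_log(PROXY_LOG, urls, hosts), match_file_hashes(FILE_INVENTORY, hashes)
```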
Sources
HijackLoader Updates (Zscaler)
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version (The Hacker News)
Conclusion
The continuous evolution of Hijack Loader underscores the need for advanced, layered security measures in organizational environments. Its ability to remain undetected and deploy various payloads makes it a significant threat to cybersecurity.