Cybersecurity researchers have found an up to date model of a malware loader known as Hijack Loader that implements new options to evade detection and set up persistence on compromised methods.
“Hijack Loader launched a brand new module that implements name stack spoofing to cover the origin of perform calls (e.g., API and system calls),” Zscaler ThreatLabz researcher Muhammed Irfan V A stated in an evaluation. “Hijack Loader added a brand new module to carry out anti-VM checks to detect malware evaluation environments and sandboxes.”
Hijack Loader, first found in 2023, presents the power to ship second-stage payloads resembling data stealer malware. It additionally comes with a wide range of modules to bypass safety software program and inject malicious code. Hijack Loader is tracked by the broader cybersecurity group underneath the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
In October 2024, HarfangLab and Elastic Safety Labs detailed Hijack Loader campaigns that leveraged reputable code-signing certificates in addition to the notorious ClickFix technique for distributing the malware.
The newest iteration of the loader comes with a lot of enhancements over its predecessor, probably the most notable being the addition of name stack spoofing as an evasion tactic to hide the origin of API and system calls, a technique just lately additionally embraced by one other malware loader often known as CoffeeLoader.
“This method makes use of a sequence of EBP tips that could traverse the stack and conceal the presence of a malicious name within the stack by changing precise stack frames with fabricated ones,” Zscaler stated.
As with earlier variations, the Hijack Loader leverages the Heaven’s Gate method to execute 64-bit direct syscalls for course of injection. Different adjustments embrace a revision to the checklist of blocklisted processes to incorporate “avastsvc.exe,” a part of Avast Antivirus, to delay execution by 5 seconds.
The malware additionally incorporates two new modules, particularly ANTIVM for detecting digital machines and modTask for establishing persistence through scheduled duties.
The findings present that Hijack Loader continues to be actively maintained by its operators with an intent to complicate evaluation and detection.
SHELBY Malware Makes use of GitHub for Command-and-Management
The event comes as Elastic Safety Labs detailed a brand new malware household dubbed SHELBY that makes use of GitHub for command-and-control (C2), knowledge exfiltration, and distant management. The exercise is being tracked as REF8685.
The assault chain includes using a phishing e mail as a place to begin to distribute a ZIP archive containing a .NET binary that is used to execute a DLL loader tracked as SHELBYLOADER (“HTTPService.dll”) through DLL side-loading. The e-mail messages have been delivered to an Iraq-based telecommunications agency by means of a extremely focused phishing e mail despatched from throughout the focused group.
The loader subsequently initiates communications with GitHub for C2 to extract a selected 48-byte worth from a file named “License.txt” within the attackers-controlled repository. The worth is then used to generate an AES decryption key and decipher the primary backdoor payload (“HTTPApi.dll”) and cargo it into reminiscence with out leaving detectable artifacts on disk.
“SHELBYLOADER makes use of sandbox detection strategies to establish virtualized or monitored environments,” Elastic stated. “As soon as executed, it sends the outcomes again to C2. These outcomes are packaged as log recordsdata, detailing whether or not every detection technique efficiently recognized a sandbox surroundings.”
The SHELBYC2 backdoor, for its half, parses instructions listed in one other file named “Command.txt” to obtain/add recordsdata from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell instructions. What’s notable right here is the C2 communication happens by means of commits to the personal repository by making use of a Private Entry Token (PAT).
“The best way the malware is ready up implies that anybody with the PAT (Private Entry Token) can theoretically fetch instructions despatched by the attacker and entry command outputs from any sufferer machine,” the corporate stated. “It’s because the PAT token is embedded within the binary and can be utilized by anybody who obtains it.”
Emmenhtal Spreads SmokeLoader through 7-Zip Information
Phishing emails bearing payment-themed lures have additionally been noticed delivering a malware loader household codenamed Emmenhtal loader (aka PEAKLIGHT), which acts as a conduit to deploy one other malware often known as SmokeLoader.
“One notable method noticed on this SmokeLoader pattern is using .NET Reactor, a business .NET safety instrument used for obfuscation and packing,” GDATA stated.
“Whereas SmokeLoader has traditionally leveraged packers like Themida, Enigma Protector, and customized crypters, using .NET Reactor aligns with developments seen in different malware households, significantly stealers and loaders, resulting from its sturdy anti-analysis mechanisms.”
