HijackLoader | |
Type of Malware | Dropper |
Addittional names | DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER |
Country of Origin | Russia |
Date of initial activity | 2023 |
Associated Groups | APT23, Fancy Bear |
Motivation | To deliver second stage payloads including Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT for financial gain, data theft, or disruption. |
Attack Vectors | It is often distributed through various attack vectors like phishing emails, malicious websites, exploit kits, software bundling, drive-by downloads, and social engineering tactics. In earlier versions of the loader, it was disguised as a 7-zip installer that delivered the SecTop RAT. It has been observed to store its malicious payload in the IDAT chunk of PNG file format. |
Targeted System | Windows |
Overview
HijackLoader (also known as IDAT Loader) is a malware loader first identified in July 2023. It is capable of using various modules for code injection and execution, featuring a modular architecture uncommon among loaders. Initially, the loader was disguised as a 7-zip installer that delivered the SecTop RAT.
HijackLoader employs several evasion techniques, including Process Doppelgänging, DLL Search Order Hijacking, and Heaven’s Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format.
ThreatLabz researchers recently analyzed a new HijackLoader sample with updated evasion techniques designed to increase the malware’s stealthiness and remain undetected for longer periods. These enhancements include modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking commonly used by security software for detection, and employ process hollowing.
In earlier versions of the loader, it was disguised as a 7-zip installer that delivered the SecTop RAT. It has been observed to store its malicious payload in the IDAT chunk of PNG file format.
Targets
HijackLoader targets entities where the potential for financial gain, data theft, or disruption is significant, making it a versatile and dangerous tool for cybercriminals
How they operate
HijackLoader operates with a highly sophisticated strategy aimed at infiltrating systems stealthily while evading detection by security measures. Its modus operandi begins with gaining initial access, often exploiting vulnerabilities in software or systems or employing social engineering tactics. Once executed, HijackLoader establishes persistence on the compromised system by modifying registry keys or adding itself to startup folders. This ensures that it runs automatically whenever the system boots or a user logs in, a tactic classified under MITRE’s technique T1547.001 for boot or logon autostart execution.
To evade detection and maintain its foothold, HijackLoader employs a variety of evasion techniques. It bypasses User Account Control (UAC) prompts by leveraging the CMSTPLUA COM interface, allowing it to execute privileged operations without user intervention (T1548.001). Additionally, the malware includes modules designed to add exclusions for Windows Defender Antivirus, thus preventing detection by security solutions that rely on these mechanisms (T1562.001). HijackLoader also evades detection by security software that uses inline API hooking for monitoring and detection purposes, employing methods to circumvent these hooks dynamically.
The malware’s modular architecture is central to its functionality. HijackLoader loads secondary payloads and functionalities dynamically, enabling it to adapt to different environments and tasks. These payloads include various types of malware such as Trojans like Amadey, information stealers like Lumma Stealer and Racoon Stealer v2, and remote access Trojans (RATs) like Remcos. This versatility allows HijackLoader to perform a wide range of malicious activities, from data theft to remote system control (T1055).
In operation, HijackLoader is adept at stealing sensitive information such as login credentials, financial data, and personal information from compromised systems. This stolen data is exfiltrated to remote servers controlled by threat actors, facilitating further exploitation or monetization. The malware communicates with its command-and-control (C2) server using encrypted channels to receive commands, update configurations, and send out stolen data, ensuring that its activities remain covert and difficult to trace.
To execute its malicious payloads, HijackLoader employs advanced techniques like process injection into legitimate processes such as cmd.exe, utilizing methods like process hollowing to avoid detection (T1055). Reflective DLL injection further enhances its stealth capabilities by loading malicious code and configurations directly into memory, bypassing traditional file-based detection methods (T1620).
Detecting and mitigating HijackLoader requires robust cybersecurity measures capable of identifying its evasion tactics, dynamic API resolutions, and sophisticated methods of payload deployment. Effective defenses include implementing comprehensive endpoint protection solutions, maintaining up-to-date software and system patches, employing network segmentation to limit the malware’s spread, and educating users about phishing and social engineering tactics that could facilitate its initial deployment.
MITRE tactics and techniques
Execution (TA0002)
The malware executes its payload and modules using various techniques, including process hollowing and direct syscall execution.
Boot or Logon Autostart Execution (T1547.001)
HijackLoader ensures persistence by modifying registry keys or startup folders to automatically execute on system boot or user logon.
Abuse Elevation Control Mechanism (T1548.001)
Modules within HijackLoader attempt to bypass User Account Control (UAC) using techniques like COM interface manipulation (CMSTPLUA).
Dynamic API Resolution (T1027.001)
The malware dynamically resolves APIs during execution by parsing Portable Executable (PE) headers and walking the process environment block (PEB).
Deobfuscate/Decode Files or Information (T1140)
HijackLoader decrypts and decompresses its payload, including modules and configuration data, using algorithms like XOR and LZNT1.
Process Injection (T1055)
The malware injects its payload into other processes, such as cmd.exe, using techniques like process hollowing to evade detection.
Reflective Code Loading (T1620)
Modules within HijackLoader load code and configuration data in memory using reflective DLL injection techniques.
Impair Defenses: Disable or Modify Tools (T1562.001)
HijackLoader attempts to disable or bypass security tools like Windows Defender Antivirus by adding exclusions or modifying settings.
Process Discovery (T1057)
The malware enumerates running processes to check for security tools or specific applications that might interfere with its operation.
Significant Malware Campaigns
- Rhe Alpine Security Hunting Team has observed several malware campaigns against various hotel chains in Andorra using HijackLoader as the main weapon of attack. (September 2023)