A new malware campaign involves using BPL sideloading and deceptive techniques to distribute the IDAT Loader (also known as HijackLoader) malware. Discovered by Kroll’s incident response and Cyber Threat Intelligence teams, the campaign uses a series of layered obfuscations, starting with a Bollywood pirate movie download site. This site directs users to a page on the Bunny content delivery platform, leading to a ZIP file that contains another password-protected ZIP file, a text file with the password, a decoy video file, and an LNK file.
The LNK file, when executed via mshta.exe, initially appears to be a PGP secret key but is actually a mixture of junk bytes, HTA code, and an embedded EXE file. The HTA code within the LNK file triggers the download of two additional ZIP files, K1.zip and K2.zip. K2.zip includes a renamed legitimate executable, while K1.zip contains the critical malicious component: a BPL file with embedded malware.
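The polyglot described above (a file that opens like a PGP key but also carries HTA markup and a PE image) can be triaged from its bytes alone. The following scanner is an added example, not code from the page or from Kroll; it assumes the file starts or contains the standard OpenPGP armor header, looks for markup that only mshta.exe would interpret, and validates any `MZ` candidate by following `e_lfanew` to a `PE\0\0` signature. The sample inputs are constructed here to exercise the checks; they are not the campaign's artifacts.

```python
import re

# Armor header an exported OpenPGP private key carries (RFC 4880); assumption: the
# decoy imitates this standard header rather than some vendor-specific wrapper.
PGP_PRIVATE_HEADER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"

# Markup that only makes sense if mshta.exe is meant to interpret the file.
HTA_MARKERS = {
    "hta_application": re.compile(rb"<hta:application\b", re.IGNORECASE),
    "script_tag": re.compile(rb"<script\b", re.IGNORECASE),
}


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of every 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            pe = pos + e_lfanew
            # A real DOS stub is at least 0x40 bytes, so e_lfanew below that is noise.
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def triage(data: bytes) -> dict:
    """Classify a file by which content types coexist inside it."""
    report = {
        "pgp_header": PGP_PRIVATE_HEADER in data,
        "hta_markers": [name for name, rx in HTA_MARKERS.items() if rx.search(data)],
        "pe_offsets": find_embedded_pe(data),
    }
    # A genuine key export carries neither HTML nor a PE image.
    if report["pgp_header"] and (report["hta_markers"] or report["pe_offsets"]):
        report["verdict"] = "suspicious-polyglot"
    elif report["hta_markers"] and report["pe_offsets"]:
        report["verdict"] = "hta-with-embedded-pe"
    else:
        report["verdict"] = "no-polyglot-indicators"
    return report


# Constructed stand-in for a PE image: a DOS header whose e_lfanew (0x40) lands on "PE\0\0".
FAKE_PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16

# Constructed polyglot: junk, then a PGP header, then inert HTA markup, then the PE stub.
SAMPLE_POLYGLOT = (
    b"\x8b\x12junk\x00\xff" * 4
    + b"\n" + PGP_PRIVATE_HEADER + b"\nVersion: constructed sample\n\n"
    + b'<html><hta:application id="x"></hta:application>'
    + b'<script language="vbscript">\' constructed: no body\n</script></html>\n'
    + FAKE_PE_STUB
)

# Constructed benign key export for comparison (armor only, no markup, no PE).
SAMPLE_CLEAN_KEY = (
    PGP_PRIVATE_HEADER + b"\n\n"
    + b"lQdGBGconstructedbase64bodywithoutanyothercontent==\n"
    + b"-----END PGP PRIVATE KEY BLOCK-----\n"
)

if __name__ == "__main__":
    for label, blob in (("polyglot", SAMPLE_POLYGLOT), ("clean key", SAMPLE_CLEAN_KEY)):
        print(label, triage(blob))
```

The PE check deliberately requires a consistent `e_lfanew` rather than just the two bytes `MZ`, which otherwise appear by chance in junk padding; the combination of a key header with any executable content is what makes the verdict, since neither indicator alone is conclusive.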
The use of BPL sideloading, which involves injecting malicious code into a Borland Package Library (BPL) file, allows the malware to run within a trusted executable environment. A BPL is a Delphi/C++Builder package, in effect a DLL under a different extension, so the technique bypasses detection rules written around standard .dll loads. Splitting the components across two separate ZIP archives adds a further layer of complexity and makes the malicious activity harder to spot when each ZIP file is analyzed on its own.
Kroll has recommended that organizations implement detection rules to monitor abnormal mshta.exe behavior and consider blocking or removing mshta.exe altogether. The company has also shared indicators of compromise to aid in identifying and mitigating this sophisticated attack method.
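The two detection opportunities named above, abnormal mshta.exe behavior and a .bpl package loaded by a renamed executable from an untrusted directory, can be expressed as a small rule set over endpoint telemetry. The following is an added example, not Kroll's detection content or code from the page; it assumes Sysmon-style JSON events with `Image`, `ParentImage`, `CommandLine` and (for image loads) `ImageLoaded` fields, the default Windows directory layout, and a definition of "abnormal" limited to what the report describes: mshta.exe handed a file that is not an .hta, fetching a remote URL, or running from outside System32. The log lines are constructed; the paths and file names in them are placeholders, not the campaign's indicators.

```python
import json
import ntpath
import re

# Where a legitimate mshta.exe lives on a 64-bit Windows install (assumption: default layout).
EXPECTED_MSHTA_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Locations from which a Delphi/C++Builder package (.bpl) would normally be loaded.
TRUSTED_BPL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Minimal tokenizer: double-quoted tokens (quotes stripped) or whitespace-separated."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t for t in tokens]


def check_process_create(event: dict) -> list[str]:
    """Reasons a process-creation event looks like abnormal mshta.exe use ([] if none)."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "mshta.exe":
        return []
    reasons = []
    if ntpath.dirname(image).lower() not in EXPECTED_MSHTA_DIRS:
        reasons.append(f"mshta.exe running from unexpected path: {image}")
    for arg in split_windows_cmdline(event.get("CommandLine", ""))[1:]:
        low = arg.lower()
        if low.startswith(("http://", "https://")):
            reasons.append(f"mshta.exe fetching remote content: {arg}")
        elif not low.endswith(".hta"):
            # The campaign hands mshta.exe an .lnk; any non-.hta input is worth a look.
            reasons.append(f"mshta.exe given a non-.hta file: {arg}")
    return reasons


def check_image_load(event: dict) -> list[str]:
    """Flag a .bpl package loaded from a directory an installer would not normally use."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.splitext(loaded)[1].lower() != ".bpl":
        return []
    if loaded.lower().startswith(TRUSTED_BPL_PREFIXES):
        return []
    return [f".bpl loaded from untrusted path by {event.get('Image', '')}: {loaded}"]


def evaluate_event(event: dict) -> list[str]:
    # ImageLoaded is only present on image-load events; everything else is process creation.
    if "ImageLoaded" in event:
        return check_image_load(event)
    return check_process_create(event)


def scan_events(lines) -> dict[int, list[str]]:
    """Map line index -> reasons for every event that triggers at least one rule."""
    hits = {}
    for idx, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        reasons = evaluate_event(json.loads(line))
        if reasons:
            hits[idx] = reasons
    return hits


# Constructed sample telemetry (JSON lines); paths and names are placeholders.
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}',
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Program Files\\Vendor\\Setup.hta\""}',
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\user\\Downloads\\movie\\Watch.Movie.lnk\""}',
    r'{"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Users\\user\\AppData\\Local\\Temp\\mshta.exe\" http://cdn.example.invalid/page.hta"}',
    r'{"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\K2\\renamed_legit.exe", "ImageLoaded": "C:\\Users\\user\\AppData\\Local\\Temp\\K1\\package.bpl"}',
    r'{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\rtl.bpl"}',
]

if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS).items():
        print(idx, reasons)
```

The image-load rule is path-based on purpose: the sideloaded package is dropped next to a renamed, legitimately signed executable, so signature checks on the host process pass and the only cheap signal is a .bpl appearing under a user-writable directory. Tune `TRUSTED_BPL_PREFIXES` to where your Delphi-based software actually installs before relying on it.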
Reference: