Security researchers at Zscaler ThreatLabz have identified a growing threat in the form of a new malware loader known as HijackLoader. This loader has gained traction among cybercriminals over the past few months due to its modular structure, which enables code injection and execution support.
While not considered sophisticated, HijackLoader exhibits evasion techniques like syscalls to avoid detection by security solutions, process detection based on a blocklist, and code execution delays at different stages. It has been observed loading various malware families such as Danabot, SystemBC, and RedLine Stealer.
First spotted in July 2023, HijackLoader employs an array of anti-analysis features in its initial stage, including dynamic loading of WindowsI functions via custom API hashing and conducting an HTTP connectivity test to a legitimate website like mozilla.org before proceeding with execution.
The loader also maintains persistence by creating a shortcut file (LNK) in the Windows Startup folder, pointing it to a Background Intelligent Transfer Service (BITS) job that leads to the executable file.
Despite its unrefined code quality, the rising popularity of HijackLoader suggests potential future improvements and increased usage by various threat actors. Zscaler has shared Indicators of Compromise (IOCs) for HijackLoader, emphasizing its modular nature and evasion tactics, which make it a notable threat in the evolving landscape of malware loaders.
