Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems.
"Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in an analysis. "Hijack Loader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes."
Hijack Loader, first discovered in 2023, offers the ability to deliver second-stage payloads such as information stealer malware. It also comes with a variety of modules to bypass security software and inject malicious code. Hijack Loader is tracked by the broader cybersecurity community under the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns that leveraged legitimate code-signing certificates as well as the infamous ClickFix technique for distributing the malware.
The latest iteration of the loader comes with a number of improvements over its predecessor, the most notable being the addition of call stack spoofing as an evasion tactic to conceal the origin of API and system calls, a technique recently also adopted by another malware loader called CoffeeLoader.
"This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones," Zscaler said.
As with previous versions, Hijack Loader leverages the Heaven's Gate technique to execute 64-bit direct syscalls for process injection. Other changes include a revision to the list of blocklisted processes to include "avastsvc.exe," a component of Avast Antivirus, to delay execution by 5 seconds.
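To make the EBP-chain trick concrete from the defender's side, the following added example (not Zscaler's analysis code and not anything from Hijack Loader) walks a captured x86 frame chain and applies the heuristics a stack-walking detector typically uses: every return address must be backed by a loaded image, every frame pointer must lie inside the thread's stack, and each saved EBP must point to an older (higher) frame. The module map, stack bounds and the two frame chains are constructed test data with hypothetical addresses.

```python
"""Heuristic check of a captured 32-bit call stack for fabricated frames.

Added example, not code from Zscaler or from the malware. A frame is the
triple (frame_ebp, saved_ebp, return_address) read from the stack while
following the EBP chain outward from the current frame.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed image map of a hypothetical 32-bit process.
MODULES = [
    Module("app.exe", 0x00400000, 0x00100000),
    Module("ntdll.dll", 0x77000000, 0x00180000),
    Module("kernel32.dll", 0x76800000, 0x00100000),
]
# Constructed bounds of the inspected thread's stack.
STACK_LO, STACK_HI = 0x0019C000, 0x001A0000


def module_for(addr: int):
    """Return the name of the image backing addr, or None if unbacked."""
    for m in MODULES:
        if m.contains(addr):
            return m.name
    return None


def check_frames(frames):
    """Return a list of (frame_index, reason) findings for a walked chain."""
    findings = []
    for i, (ebp, saved_ebp, ret) in enumerate(frames):
        if module_for(ret) is None:
            findings.append((i, f"return address {ret:#010x} is not backed by any loaded image"))
        if not (STACK_LO <= ebp < STACK_HI):
            findings.append((i, f"frame pointer {ebp:#010x} lies outside the thread stack"))
        # saved_ebp == 0 terminates the chain at the thread start frame.
        if saved_ebp != 0:
            # The stack grows down, so the caller's frame must sit at a higher address.
            if saved_ebp <= ebp:
                findings.append((i, f"saved EBP {saved_ebp:#010x} does not point to an older frame"))
            if not (STACK_LO <= saved_ebp < STACK_HI):
                findings.append((i, f"saved EBP {saved_ebp:#010x} lies outside the thread stack"))
    return findings


# Constructed benign chain: kernel32 -> app.exe -> ntdll, EBP strictly increasing.
BENIGN = [
    (0x0019F000, 0x0019F040, 0x76801234),  # returns into kernel32.dll
    (0x0019F040, 0x0019F0A0, 0x00401500),  # returns into app.exe
    (0x0019F0A0, 0x00000000, 0x77012345),  # thread start frame in ntdll.dll
]

# Constructed suspicious chain: frame 1 returns into memory that no image
# backs and its saved EBP walks back down the stack.
SUSPICIOUS = [
    (0x0019F000, 0x0019F040, 0x76801234),
    (0x0019F040, 0x0019F020, 0x02A40000),
    (0x0019F020, 0x00000000, 0x77012345),
]

if __name__ == "__main__":
    for label, chain in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_frames(chain) or "no findings")
```

These checks flag crude tampering and unbacked return addresses; a chain whose fabricated frames all return into legitimate images and keep EBP monotonic passes them, which is why stack-walking detectors combine them with further signals such as verifying that the instruction before each return address is a call.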

The malware also incorporates two new modules, namely ANTIVM for detecting virtual machines and modTask for establishing persistence via scheduled tasks.
The findings show that Hijack Loader continues to be actively maintained by its operators with an intent to complicate analysis and detection.
SHELBY Malware Uses GitHub for Command-and-Control
The development comes as Elastic Security Labs detailed a new malware family dubbed SHELBY that uses GitHub for command-and-control (C2), data exfiltration, and remote control. The activity is being tracked as REF8685.
The attack chain involves the use of a phishing email as a starting point to distribute a ZIP archive containing a .NET binary that is used to execute a DLL loader tracked as SHELBYLOADER ("HTTPService.dll") via DLL side-loading. The email messages were delivered to an Iraq-based telecommunications firm in a highly targeted phishing email sent from within the targeted organization.

The loader subsequently initiates communications with GitHub for C2 to extract a specific 48-byte value from a file named "License.txt" in the attacker-controlled repository. The value is then used to generate an AES decryption key and decipher the main backdoor payload ("HTTPApi.dll") and load it into memory without leaving detectable artifacts on disk.
"SHELBYLOADER uses sandbox detection techniques to identify virtualized or monitored environments," Elastic said. "Once executed, it sends the results back to C2. These results are packaged as log files, detailing whether each detection method successfully identified a sandbox environment."
The SHELBYC2 backdoor, for its part, parses commands listed in another file named "Command.txt" to download/upload files from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell commands. What's notable here is that the C2 communication occurs via commits to the private repository by making use of a Personal Access Token (PAT).
"The way the malware is set up means that anyone with the PAT (Personal Access Token) can theoretically fetch commands sent by the attacker and access command outputs from any victim machine," the company said. "This is because the PAT token is embedded in the binary and can be used by anyone who obtains it."
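The embedded PAT is also what makes this design convenient for responders: the token and the repository endpoints are recognisable strings in the binary. The following added example (not Elastic's tooling and not code from SHELBY) is a triage helper that scans a sample for GitHub token formats and api.github.com repository URLs so that they can be recorded as indicators and the token reported to GitHub for revocation. Because .NET user strings are stored as UTF-16LE, the scanner checks an ASCII view and both alignments of a UTF-16LE view. The sample blob, the placeholder token (`ghp_` followed by 36 `A`s) and the repository path are constructed, not taken from the real malware.

```python
"""Triage helper: find embedded GitHub tokens and repository URLs in a binary.

Added example, not from Elastic or SHELBY. Token formats are the public
GitHub ones: a classic PAT is "ghp_" plus 36 alphanumerics; a fine-grained
PAT is "github_pat_" plus 82 characters from [A-Za-z0-9_].
"""
import re

TOKEN_PATTERNS = {
    "github_classic_pat": rb"ghp_[A-Za-z0-9]{36}",
    "github_fine_grained_pat": rb"github_pat_[A-Za-z0-9_]{82}",
}
URL_PATTERN = rb"https://api\.github\.com/repos/[A-Za-z0-9._/-]+"


def _views(data: bytes):
    """Yield the raw bytes plus UTF-16LE decodes at both byte alignments,
    narrowed back to ASCII so the same regexes apply to wide strings."""
    yield "ascii", data
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        wide = chunk.decode("utf-16-le", errors="ignore")
        yield f"utf16le+{off}", wide.encode("ascii", errors="ignore")


def scan(data: bytes) -> dict:
    """Return {'tokens': {(kind, token)}, 'urls': {url}} found in data."""
    found = {"tokens": set(), "urls": set()}
    for _, view in _views(data):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in re.finditer(pattern, view):
                found["tokens"].add((kind, m.group().decode("ascii")))
        for m in re.finditer(URL_PATTERN, view):
            found["urls"].add(m.group().decode("ascii"))
    return found


# Constructed sample: an ASCII authorization header with a placeholder token
# (NOT a real credential) followed by UTF-16LE strings as a .NET binary would hold them.
FAKE_TOKEN = "ghp_" + "A" * 36
SAMPLE = (
    b"\x00" * 16
    + b"Authorization: token " + FAKE_TOKEN.encode("ascii")
    + b"\x00" * 8
    + "https://api.github.com/repos/example-org/example-repo/contents/License.txt".encode("utf-16-le")
    + b"\x00" * 8
    + "Command.txt".encode("utf-16-le")
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    for kind, token in sorted(result["tokens"]):
        print(f"{kind}: {token[:8]}... (redacted)")
    for url in sorted(result["urls"]):
        print("repo endpoint:", url)
```

Run against a real sample, the same scan pulls the token and the repository endpoints that every infected host would use, which is what lets a responder confirm the shared-PAT weakness the Elastic quote describes and get the token revoked.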
Emmenhtal Spreads SmokeLoader via 7-Zip Files
Phishing emails bearing payment-themed lures have also been observed delivering a malware loader family codenamed Emmenhtal loader (aka PEAKLIGHT), which acts as a conduit to deploy another malware called SmokeLoader.

"One notable technique observed in this SmokeLoader sample is the use of .NET Reactor, a commercial .NET protection tool used for obfuscation and packing," GDATA said.
"While SmokeLoader has historically leveraged packers like Themida, Enigma Protector, and custom crypters, the use of .NET Reactor aligns with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms."