Pierluigi Paganini September 11, 2023

Zscaler ThreatLabz detailed a new malware loader, named HijackLoader, which has grown in popularity over the past few months

HijackLoader is a loader that is gaining popularity among the cybercriminal community. The malware is not sophisticated, however, unlike other loaders, it has a modular structure that allows supporting code injection and execution. The HijackLoader is being used to load different malware families such as Danabot, SystemBC and RedLine Stealer.

The loader was first observed by the security firm July 2023, the researchers noticed that the threat employs a number of evasion techniques such as the use of syscalls.

“HijackLoader utilizes syscalls to evade monitoring from security solutions, detects specific processes based on an embedded blocklist, and delays code execution at different stages.” reads the report published by Zscaler. “The malware uses embedded modules that facilitate flexible code injection and execution – a feature uncommon among traditional loaders.”

The experts have yet to determine the initial access vector, upon execution, HijackLoader executes a modified (hooked) function of the Windows C Runtime (CRT), which points to the entry point of the first stage.

The loader determines if the final payload has been embedded in the binary or if it has to download it from an external server.

The malware maintains persistence by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job that points to the executable file.

The Anti-Analysis features implemented in the first stage include the following set of evasion techniques:

• Dynamic loading of Windows API functions by leveraging a custom API hashing technique.
• Performing an HTTP connectivity test to a legitimate website (e.g. mozilla.org). If a connection cannot be made, then HijackLoader does not proceed with the execution and enters an infinite loop until a connection is made.
• Delaying of code execution at different stages.
• The first stager checks for the presence of a set of running processes. Depending on which ones are present, it executes different functionality. In Table 1, we summarize the corresponding functionality for each process.

Zscaler concludes that despite the poor quality of the code, the increasing popularity of HijackLoader can bring future improvements and further usage from more threat actors.

“In summary, HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads. Moreover, it does not have any advanced features and the quality of the code is poor.” concludes the report. “However, considering the increasing popularity of HijackLoader, we expect code improvements and further usage from more threat actors, especially to fill the void left by Emotet and Qakbot.”

Zscaler also published Indicators of Compromise (IOCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)