HijackLoader is a loader that is gaining popularity among the cybercriminal community. The malware is not sophisticated, however, unlike other loaders, it has a modular structure that allows supporting code injection and execution. The HijackLoader is being used to load different malware families such as Danabot, SystemBC and RedLine Stealer.
The loader was first observed by the security firm July 2023, the researchers noticed that the threat employs a number of evasion techniques such as the use of syscalls.
“HijackLoader utilizes syscalls to evade monitoring from security solutions, detects specific processes based on an embedded blocklist, and delays code execution at different stages.” reads the report published by Zscaler. “The malware uses embedded modules that facilitate flexible code injection and execution – a feature uncommon among traditional loaders.”
The experts have yet to determine the initial access vector, upon execution, HijackLoader executes a modified (hooked) function of the Windows C Runtime (CRT), which points to the entry point of the first stage.
The loader determines if the final payload has been embedded in the binary or if it has to download it from an external server.
The malware maintains persistence by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job that points to the executable file.
The Anti-Analysis features implemented in the first stage include the following set of evasion techniques:
Zscaler concludes that despite the poor quality of the code, the increasing popularity of HijackLoader can bring future improvements and further usage from more threat actors.
“In summary, HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads. Moreover, it does not have any advanced features and the quality of the code is poor.” concludes the report. “However, considering the increasing popularity of HijackLoader, we expect code improvements and further usage from more threat actors, especially to fill the void left by Emotet and Qakbot.”
(SecurityAffairs – hacking, malware)