HijackLoader Malware Adopts New Evasion Techniques
In an increasingly precarious cybersecurity landscape, the HijackLoader malware has expanded its arsenal with new defense evasion techniques. Researchers have observed it combining standard process hollowing with an unusual activation trigger: the injected code is only executed once the parent process writes to a pipe. First described by CrowdStrike in their analysis, these enhanced deception capabilities aim to further shield HijackLoader from traditional security countermeasures.
Originally identified in September 2023 by Zscaler ThreatLabz, HijackLoader quickly gained notoriety for delivering additional payloads and tools. Notably, it has been used to deliver DanaBot, SystemBC and RedLine Stealer. Furthermore, the malware bears a striking resemblance to another loader, also referred to as IDAT Loader, and both are operated by the same ill-famed cybercrime group.
However, the newer variant departs from its predecessor in its techniques. By combining process doppelgänging and process hollowing, the malware evades analysis and detection, and it injects shellcode via Heaven's Gate, a well-known technique for executing 64-bit code from within 32-bit processes.
The infection chain begins with "streaming_client.exe", which communicates with remote servers to download configurations and performs internet connectivity checks. Once these preliminary steps succeed, modified tools are loaded onto the compromised system, setting the stage for the next phase of the attack: execution of the malware's primary payload using process doppelgänging and process hollowing.
Stepping up its evasive maneuvers, HijackLoader employs transacted hollowing, a process injection method previously seen in malware such as the Osiris banking trojan, a widely spread strain that drew considerable attention in the security community. Used alongside the malware's process doppelgänging capabilities, this technique makes HijackLoader more elusive and presents formidable challenges for threat researchers.
Researchers at CrowdStrike and Yoroi are evolving their tools and strategies in parallel, leveraging machine learning and behavior-based detection to counter stealthy operations like HijackLoader. Recognizing the rise of fileless malware and thoroughly mapping HijackLoader's techniques can be instrumental in resisting this growing threat.
As HijackLoader continues to evolve, its evasion tactics and covert operation methods are a reminder of the pressing need for more capable defenses against such intricate threats. Innovation in defense strategies must keep pace with the growing sophistication of cyber threats: given the persistence and adaptability of this kind of malware, continued vigilance and innovation remain essential to combating it.