
HijackLoader

The deployment of HijackLoader by threat actors has become increasingly prevalent due to its efficacy in injecting malicious code into legitimate processes, facilitating the discreet execution of payloads. This technique allows them to avoid detection by utilizing trusted applications for unsafe activities, creating a more challenging environment for security measures to identify and counter the threat effectively. Observations by researchers reveal instances of HijackLoader (also known as IDAT Loader) employing sophisticated techniques to elude detection.

HijackLoader Exhibits Evolved Threatening Capabilities

Researchers have identified an evolution of HijackLoader that incorporates new defense-evasion techniques, including process hollowing, pipe-triggered activation, and a combination of process doppelgänging with hollowing. These additions improve its stealth and complexity, making analysis more challenging. The malware also employs additional unhooking techniques, further strengthening its evasive capabilities.

The sophisticated HijackLoader initiates its operations through streaming_client.exe, which obfuscates a configuration to thwart static analysis. Utilizing WinHTTP APIs, it tests Internet connectivity by reaching out to https://nginx.org. Upon successful connection, it retrieves a second-stage configuration from a remote server.

Once equipped with the second-stage config, the malware scans for PNG header bytes and a specific magic value. It then decrypts the embedded data using XOR and decompresses it through the RtlDecompressBuffer API. The next step involves loading a legitimate Windows DLL specified in the configuration and writing the shellcode into its .text section for execution. It employs Heaven's Gate to circumvent user-mode hooks and injects additional shellcode into cmd.exe. The third-stage shellcode injects a final payload, such as a Cobalt Strike beacon, into logagent.exe using process hollowing.
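A defender-side counterpart to the PNG carrier described above, as an added example that is not from the original page or from the researchers' tooling: it walks a file's PNG chunks and reports bytes appended after IEND, chunks with a bad CRC, and non-standard chunk types, the places where a loader can stash an encrypted config or payload. The 1x1 PNG and the magic marker are constructed placeholders; the real magic value is not given on the page.

```python
# Added example (not from the original page): triage a file that claims to be a
# PNG and report what a loader could hide in it: data appended after IEND,
# chunks with a bad CRC, and chunk types outside the PNG standard.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
            b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME",
            b"bKGD", b"sBIT", b"hIST", b"sPLT"}

def triage_png(data: bytes) -> dict:
    """Walk the chunk list and return the findings a defender cares about."""
    findings = {"is_png": data.startswith(PNG_SIG), "chunks": [],
                "bad_crc": [], "unknown_chunks": [], "trailing_bytes": 0}
    if not findings["is_png"]:
        return findings
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):          # length(4) + type(4) + crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            break                         # truncated chunk: the rest is suspect
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD:
            findings["unknown_chunks"].append(ctype.decode("latin-1"))
        findings["chunks"].append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            break                         # anything after IEND is not image data
    findings["trailing_bytes"] = len(data) - pos
    return findings

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only for the sample)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a minimal 1x1 RGB PNG, then a copy with a blob appended
# after IEND that stands in for the encrypted config a loader searches for.
IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
CLEAN_PNG = PNG_SIG + IHDR + IDAT + _chunk(b"IEND", b"")
MAGIC = b"MAGIC-PLACEHOLDER"   # hypothetical marker; the real one is not on the page
CARRIER_PNG = CLEAN_PNG + MAGIC + bytes(64)

if __name__ == "__main__":
    print(triage_png(CLEAN_PNG))      # trailing_bytes: 0
    print(triage_png(CARRIER_PNG))    # trailing_bytes: 81
```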

HijackLoader employs various evasion strategies, including Heaven’s Gate hook bypass and unhooking DLLs monitored by security tools. It utilizes process hollowing variations and transacted hollowing for injection, combining transacted section and process doppelgänging with DLL hollowing to evade detection further.

HijackLoader is Equipped with Multiple Anti-detection Techniques

The primary evasion techniques employed by HijackLoader and its shellcode include:

  • Hook bypass:
    • Heaven's Gate
    • Unhooking
  • Process hollowing variation
  • Interactive process hollowing variation
  • Tradecraft analysis:
    • Transacted hollowing (transacted section/doppelgänger + hollowing)
    • Transacted section hollowing
    • Process hollowing

The utilization of HijackLoader underscores the critical importance of proactive cybersecurity measures to identify and prevent such surreptitious attacks.

Organizations should place emphasis on routine security audits, implement robust endpoint protection, and stay informed about emerging threats in order to defend effectively against the evolving tactics employed by ill-minded actors.

In addition to these measures, user education and awareness training play a crucial role in mitigating the associated risks of these sophisticated attack vectors.
