A new variant of the HijackLoader malware leverages advanced evasion techniques that enhance the malware’s persistence and longevity within system.
In a blog post Feb. 7, CrowdStrike reported that the malware developer used a standard process hollowing technique combined with an additional trigger that has the potential to make defense evasion much stealthier.
“HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities,” wrote the CrowdStrike researchers.
As security teams and technology becomes more adept at identifying and mitigating known threats, malware creators respond with increasingly sophisticated techniques designed to make it more difficult to recognize patterns, explained Patrick Tiquet, vice president, security and architecture at Keeper Security.
“What’s novel about HijackLoader is that it takes several baby steps of seemingly normal, benign actions before assembling itself into a fully functional piece of malware,” explained Tiquet. “This slow build lets it successfully avoid detection by standard, signature-based antivirus products. By staying undetected for longer periods, malicious actors can carry out prolonged campaigns, potentially causing more damage and compromising sensitive data.”
Mohammad Shabbir, threat researcher at the Qualys Threat Research Unit, said the Qualys team has been monitoring the loader closely since last year, and what’s fascinating is that the actors behind it are following development and evolution lifecycles for commercial products very closely.
“It’s almost as if they have an experienced product manager at the helm,” said Shabbir. “Not a quarter goes by without a new evasion technique being introduced to HijackLoader. They are definitely attempting to stay ahead of endpoint detection and response (EDR) and antivirus products with every new line of code being introduced. It’s no wonder that known malware families are gravitating to it for distribution.”
Zscaler first reported on HijackLoader in a blog post last September. At the time, Zscaler researchers said HijackLoader was used to load different malware families, such as Danabot, SystemBC, and RedLine Stealer. They also said HijackLoader uses "syscalls" to evade monitoring from security products, detects specific processes based on an embedded blocklist, and delays code execution.
