New Hijack Loader Attack Windows with Enhanced Anti-Evasion Capabilities

Security researchers from ANY.RUN have identified a new version of the Hijack Loader malware, which now boasts updated anti-evasion techniques. This development marks a significant evolution in the malware’s ability to avoid detection and enhance its stealth operations.

Hijack Loader, also known as IDAT Loader, first appeared in September 2023 and has since gained significant traction. It is currently ranked as the sixth most detected malware in the ANY.RUN Trends Tracker, based on public sandbox submissions.

The latest iteration of Hijack Loader decrypts and parses a PNG image to load its second-stage payload. This second stage features a modular architecture aimed at injecting the main instrumentation module.

Start analyzing suspicious files and links right away. Sign up for a free ANY.RUN account now!

To improve its stealth capabilities, the malware employs several sophisticated techniques:

  • Avoids Inline API Hooking: This common detection method is now bypassed by security software.
  • Windows Defender Exclusion: The malware adds an exclusion for Windows Defender antivirus.
  • User Account Control (UAC) Bypass: It successfully bypasses UAC.
  • Process Hollowing: This technique is used to inject malicious code into legitimate processes.

In March and April 2024, security researchers identified seven new modules associated with this malware.

Detection and Analysis

ANY.RUN sandbox can detect Hijack Loader using YARA rules. The platform provides detailed analysis sessions, showcasing the malware’s behaviour.

For instance, in a recent analysis, the second-stage payload did not download because the Command and Control (C2) server was inactive.

Common Payloads Delivered by Hijack Loader:

  • Amadey
  • Lumma Stealer
  • Meta Stealer
  • Raccoon Stealer V2
  • Remcos RAT
  • Rhadamanthys

Latest Indicators of Compromise (IOCs)

Researchers have collected the latest IOCs for Hijack Loader from the Malware Trends Tracker. These artifacts are dynamically updated with new public analysis sessions on ANY.RUN.

IPs:

  • 185.215.113.67
  • 193.233.132.139
  • 185.172.128.76

Hashes:

  • 86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3
  • 0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F
  • A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6

URLs:

  • mail.zoomfilms-cz[.]com
  • discussiowardder[.]website
  • wxt82[.]xyz

About ANY.RUN

ANY.RUN is a leading interactive sandbox platform used by over 400,000 cybersecurity professionals worldwide. It simplifies malware analysis for threats targeting both Windows and Linux systems. The platform’s threat intelligence products, including TI Lookup, Yara Search, and Feeds, help users find IOCs or files to better understand threats and respond to incidents more efficiently.

Advantages of ANY.RUN

  • Rapid Detection: Detects malware within approximately 40 seconds of file upload using YARA and Suricata rules.
  • Real-Time Interaction: Allows users to interact with samples in real-time, simulating a real system environment.
  • Cost-Effective: Eliminates the need for setup or maintenance, saving time and money.
  • Comprehensive Analysis: Provides detailed insights into malware behavior, including network traffic, system calls, and file system changes.
  • Team Collaboration: Facilitates easy sharing of analysis results and enables senior analysts to review junior analysts’ work.
  • Scalability: As a cloud service, it allows for easy scaling by adding more licenses.

Get 6 Months of ANY.RUN Malware Sandbox Paid Plans for Free before May 31st - Register Here

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.