A new variant of HijackLoader is evading detection with improved techniques, including a second-stage payload hidden inside a seemingly harmless PNG image that the loader decrypts at runtime. The modular second stage injects the main malicious module and uses process hollowing, so that the malicious code runs under the name of a legitimate process and process-based monitoring sees only that host.
The malware also incorporates anti-analysis and evasion tricks, among them a User Account Control (UAC) bypass and evasion of the inline API hooks that security software places on user-mode library functions, which make this HijackLoader variant stealthier and harder for security solutions to detect.
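To make the inline-hook evasion mentioned above concrete, the following is an added example written for this article; it is not code from HijackLoader or from any vendor report. Security products typically patch the first bytes of ntdll's Nt*/Zw* stubs with a JMP into their own monitoring code. A loader that compares a stub's prologue against the canonical x64 stub can spot the patch and, because ntdll assigns syscall numbers in the order the stubs appear in memory, recover the true syscall number from an unpatched neighbour (the "Halo's Gate" trick) and issue the syscall itself, never passing through the hook. The stub bytes and the simulated hook below are constructed for illustration.

```python
"""Detect inline hooks on ntdll syscall stubs and recover the syscall number.

Added example for this article; not code from HijackLoader or any vendor.
All byte strings are constructed for illustration.
"""
import struct

# Canonical x64 Nt* stub on Windows 10/11:
#   4C 8B D1                   mov  r10, rcx
#   B8 xx xx xx xx             mov  eax, <syscall number>
#   F6 04 25 08 03 FE 7F 01    test byte ptr [0x7FFE0308], 1
#   75 03                      jne  +3
#   0F 05                      syscall
#   C3                         ret
#   CD 2E                      int  2Eh
#   C3                         ret
CLEAN_PREFIX = bytes.fromhex("4C8BD1B8")
CLEAN_TAIL = bytes.fromhex("F604250803FE7F0175030F05C3CD2EC3")
STUB_STRIDE = 0x20  # Nt* stubs are laid out 32 bytes apart in ntdll's .text


def build_clean_stub(ssn: int) -> bytes:
    """Constructed, unhooked stub carrying the given syscall number (SSN)."""
    stub = CLEAN_PREFIX + struct.pack("<I", ssn) + CLEAN_TAIL
    return stub.ljust(STUB_STRIDE, b"\xcc")  # pad like the real binary (int3)


def is_inline_hooked(stub: bytes) -> bool:
    """True if the first bytes are no longer the canonical prologue.

    Typical patches: E9 rel32 (jmp), FF 25 disp32 (jmp [rip+disp32]) or
    48 B8 imm64 / FF E0 (mov rax, addr; jmp rax). Any deviation counts.
    """
    return not stub.startswith(CLEAN_PREFIX)


def syscall_number(stub: bytes) -> int:
    """Read the SSN out of a clean stub's 'mov eax, imm32'."""
    if is_inline_hooked(stub):
        raise ValueError("prologue is patched; its SSN bytes cannot be trusted")
    return struct.unpack_from("<I", stub, 4)[0]


def recover_syscall_number(text: bytes, offset: int) -> int:
    """Return the SSN of the stub at `offset`, even if it is hooked.

    A 5-byte JMP patch overwrites part of the SSN operand, so we walk to the
    nearest unpatched neighbour k stubs away and correct its SSN by k.
    """
    stub = text[offset:offset + STUB_STRIDE]
    if not is_inline_hooked(stub):
        return syscall_number(stub)
    for k in range(1, len(text) // STUB_STRIDE):
        for direction in (-1, 1):
            nb = offset + direction * k * STUB_STRIDE
            if 0 <= nb < len(text):
                neighbour = text[nb:nb + STUB_STRIDE]
                if not is_inline_hooked(neighbour):
                    return syscall_number(neighbour) - direction * k
    raise LookupError("no unpatched neighbouring stub found")


# Constructed ntdll-like text: eight stubs with SSNs 0x18..0x1F, the fourth
# one (SSN 0x1B) overwritten with a 5-byte JMP rel32 as a user-mode hook would.
_text = bytearray(b"".join(build_clean_stub(s) for s in range(0x18, 0x20)))
HOOKED_OFFSET = 3 * STUB_STRIDE
_text[HOOKED_OFFSET:HOOKED_OFFSET + 5] = b"\xe9" + struct.pack("<i", 0x1000)
SAMPLE_TEXT = bytes(_text)

if __name__ == "__main__":
    for i in range(len(SAMPLE_TEXT) // STUB_STRIDE):
        off = i * STUB_STRIDE
        state = "HOOKED" if is_inline_hooked(SAMPLE_TEXT[off:off + STUB_STRIDE]) else "clean "
        print(f"stub {i}: {state} ssn=0x{recover_syscall_number(SAMPLE_TEXT, off):02x}")
```

The same comparison works in the other direction: a defender can read the first bytes of its own ntdll stubs and confirm the monitoring hooks are still in place, or catch a process that has restored the clean prologue (an "unhooking" of the library) by comparing the in-memory bytes against the on-disk ntdll.dll.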
The new variant was observed in March and April 2024 and shows advanced stealth techniques. Chief among them is process hollowing: a legitimate process is started in a suspended state, its original image is replaced in memory with malicious code, and the process is then resumed, so the code executes under the legitimate process name.
By stepping around inline API hooks it also evades the user-mode monitoring that security software relies on, and it weakens Windows Defender by adding exclusions. Exclusions do not turn Defender off, but they carve out paths that the scanner no longer inspects, which is enough for the loader and its payloads to run unscanned.
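Exclusions are a useful detection opportunity because Windows records them. The example below is added here for the article and is not code from any vendor report or from the malware; it classifies constructed log records modelled on two real Windows sources: the Microsoft-Windows-Windows Defender/Operational log, Event ID 5007 ("configuration has changed"), whose "New value:" line names the registry key written under the Exclusions hive, and the Microsoft-Windows-PowerShell/Operational log, Event ID 4104 (script block logging), where an Add-MpPreference -Exclusion* call shows up. The message layouts are reproduced from memory and should be checked against your own logs before the patterns are trusted; the sample records are constructed, not real telemetry.

```python
"""Triage Windows Defender exclusion changes from host logs.

Added example for this article; not code from any vendor or from the
malware. Log message layouts are reproduced from memory: verify them
against your own Event ID 5007 / 4104 records.
"""
import re

# 5007 "New value:" line, e.g.
#   HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tmp = 0x0
EXCLUSION_REG = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\"
    r"(?P<value>.+?) = 0x0",
    re.IGNORECASE,
)
# 4104 script block text containing the PowerShell cmdlet.
ADD_MPPREF = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?P<value>\"[^\"]+\"|'[^']+'|\S+)",
    re.IGNORECASE | re.DOTALL,
)
# Locations a standard user can write to: where a loader drops itself.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\(?:users\\[^\\]+\\appdata|users\\public|programdata|"
    r"windows\\temp|temp)|%(?:appdata|localappdata|temp|tmp|userprofile|programdata)%)",
    re.IGNORECASE,
)
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "js", "vbs", "bat", "cmd", "scr", "hta"}
KIND = {"paths": "path", "path": "path", "processes": "process", "process": "process",
        "extensions": "extension", "extension": "extension"}


def extract_exclusion(event_id: int, message: str):
    """Return (kind, value) if the record adds a Defender exclusion, else None."""
    if event_id == 5007:
        m = EXCLUSION_REG.search(message)
    elif event_id == 4104:
        m = ADD_MPPREF.search(message)
    else:
        return None
    if m is None:
        return None
    return KIND[m.group("kind").lower()], m.group("value").strip().strip("\"'")


def severity(kind: str, value: str) -> str:
    """Rank the exclusion by how much it helps an attacker."""
    if kind == "path":
        if value == "*" or re.fullmatch(r"[a-z]:\\?\*?", value, re.IGNORECASE):
            return "critical"  # whole drive carved out of scanning
        if USER_WRITABLE.match(value):
            return "high"      # user-writable drop location
        return "low"           # vendor/installer location; still worth an audit trail
    if kind == "extension":
        return "high" if value.lower().lstrip(".") in RISKY_EXTENSIONS else "medium"
    return "medium"            # process exclusions need context on the binary


def triage(records):
    """records: iterable of (event_id, message). Returns one finding per exclusion."""
    findings = []
    for event_id, message in records:
        hit = extract_exclusion(event_id, message)
        if hit is None:
            continue
        kind, value = hit
        findings.append({"event_id": event_id, "kind": kind, "value": value,
                         "severity": severity(kind, value)})
    return findings


_5007_HEAD = ("Windows Defender Antivirus Configuration has changed. If this is an "
              "unexpected event you should review the settings as this may be the "
              "result of malware.\r\n\tOld value: ")

# Constructed records (not real telemetry).
SAMPLE_RECORDS = [
    (5007, _5007_HEAD + "\r\n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
           "Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Roaming\\Updater = 0x0"),
    (5007, _5007_HEAD + "\r\n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
           "Exclusions\\Paths\\C:\\Program Files\\VendorBackup = 0x0"),
    (5007, _5007_HEAD + "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
           "DisableRealtimeMonitoring = 0x0\r\n\tNew value: HKLM\\SOFTWARE\\Microsoft\\"
           "Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"),
    (4104, "Creating Scriptblock text (1 of 1):\r\nAdd-MpPreference -ExclusionPath "
           "\"C:\\ProgramData\\svc\" -Force\r\n\r\nScriptBlock ID: "
           "6f1c2a9e-0000-4000-8000-000000000001\r\nPath: "),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

The third sample record (real-time protection being switched off) is deliberately not matched: it is a different tampering pattern that deserves its own rule, and mixing it into the exclusion logic would blur the two. On a live host, `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension` gives the current state to compare against these events.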
To gain elevated privileges, the malware likely also bypasses User Account Control, the consent prompt that gates elevation to administrator rights. Silent elevation of this kind points to malware designed to operate undetected for extended periods.
HijackLoader, a malware loader first detected in September 2023, is gaining traction among cybercriminals. It uses embedded modules for flexible code injection and execution, which lets it deliver a range of payloads such as DanaBot and RedLine Stealer.
Common HijackLoader payloads
- Amadey
- Lumma Stealer
- Meta Stealer
- Raccoon Stealer V2
- Remcos RAT
- Rhadamanthys
It also employs evasion techniques against security solutions and sandboxes, including checking the running processes against a blacklist of security and analysis tools and delaying code execution so that short automated analysis runs time out before anything malicious happens. These traits have made HijackLoader a prevalent threat; it currently ranks as the 6th most detected malware in the ANY.RUN Trends Tracker.
Never forget to check out our YouTube channel, ETHICAL EMPIRE, and keep reading our exciting blogs. Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security. See you soon, bye!