HijackLoader has emerged as a new malware loader that's been gaining traction in recent months. Its modular architecture sets it apart from other malware loaders, allowing it to utilize a variety of modules for code injection and execution. This capability has made it a preferred choice for loading various malware families, including Danabot, SystemBC, and RedLine Stealer.
Its rising popularity suggests that threat actors might increasingly adopt it, potentially filling the gap left by malware like Emotet and Qakbot. As always, staying vigilant and updated on such threats is crucial for maintaining cybersecurity.
Technical Insights and Key Findings
Zscaler's ThreatLabz first observed HijackLoader in July 2023. The loader has been instrumental in dropping multiple malware families, amplifying its potential threat. One of its distinctive features is its use of syscalls to dodge monitoring from security solutions. It also detects specific processes based on an embedded blocklist and can delay code execution at different stages.
HijackLoader's embedded modules offer flexible code injection and execution, a feature that's not common among traditional loaders. The malware's modular design allows it to be versatile, adapting to various tasks and evading detection more effectively.
How HijackLoader Works
Upon execution, HijackLoader initiates by determining if the final payload is embedded in the binary or if it needs to be downloaded from an external server. It includes an encrypted configuration that stores various information, such as Windows API hashes for dynamic loading and parameters for several Windows API functions.
The malware employs several anti-analysis techniques, including dynamic loading of Windows API functions using a custom API hashing technique. It also performs an HTTP connectivity test to a legitimate website, like Mozilla, and delays code execution at different stages based on the presence of specific processes.
HijackLoader's modules aid in the code injection and execution process of the final payload. These modules have been identified by ThreatLabz, with each having specific functionalities. For instance, the AVDATA module contains a blocklist of security products' process names, while the ESLDR module assists with code injection of the main instrumentation shellcode.