Cybersecurity researchers have found an up to date model of a malware loader known as Hijack Loader that implements new options to evade detection and set up persistence on compromised techniques.
“Hijack Loader launched a brand new module that implements name stack spoofing to cover the origin of operate calls (e.g., API and system calls),” Zscaler ThreatLabz researcher Muhammed Irfan V A said in an evaluation. “Hijack Loader added a brand new module to carry out anti-VM checks to detect malware evaluation environments and sandboxes.”
Hijack Loader, first found in 2023, provides the power to ship second-stage payloads similar to info stealer malware. It additionally comes with quite a lot of modules to bypass safety software program and inject malicious code. Hijack Loader is tracked by the broader cybersecurity group beneath the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
In October 2024, HarfangLab and Elastic Safety Labs detailed Hijack Loader campaigns that leveraged legit code-signing certificates in addition to the notorious ClickFix technique for distributing the malware.
The newest iteration of the loader comes with quite a lot of enhancements over its predecessor, essentially the most notable being the addition of name stack spoofing as an evasion tactic to hide the origin of API and system calls, a technique just lately additionally embraced by one other malware loader referred to as CoffeeLoader.
“This system makes use of a sequence of EBP tips to traverse the stack and conceal the presence of a malicious name within the stack by changing precise stack frames with fabricated ones,” Zscaler mentioned.
As with earlier variations, the Hijack Loader leverages the Heaven’s Gate technique to execute 64-bit direct syscalls for course of injection. Different adjustments embody a revision to the listing of blocklisted processes to incorporate “avastsvc.exe,” a part of Avast Antivirus, to delay execution by 5 seconds.
The malware additionally incorporates two new modules, particularly ANTIVM for detecting digital machines and modTask for organising persistence through scheduled duties.
The findings present that Hijack Loader continues to be actively maintained by its operators with an intent to complicate evaluation and detection.
SHELBY Malware Makes use of GitHub for Command-and-Management
The event comes as Elastic Safety Labs detailed a brand new malware household dubbed SHELBY that makes use of GitHub for command-and-control (C2), knowledge exfiltration, and distant management. The exercise is being tracked as REF8685.
The assault chain entails the usage of a phishing e mail as a place to begin to distribute a ZIP archive containing a .NET binary that is used to execute a DLL loader tracked as SHELBYLOADER (“HTTPService.dll”) through DLL side-loading. The e-mail messages have been delivered to an Iraq-based telecommunications agency by a extremely focused phishing e mail despatched from inside the focused group.
The loader subsequently initiates communications with GitHub for C2 to extract a selected 48-byte worth from a file named “License.txt” within the attackers-controlled repository. The worth is then used to generate an AES decryption key and decipher the primary backdoor payload (“HTTPApi.dll”) and cargo it into reminiscence with out leaving detectable artifacts on disk.
“SHELBYLOADER makes use of sandbox detection methods to determine virtualized or monitored environments,” Elastic said. “As soon as executed, it sends the outcomes again to C2. These outcomes are packaged as log recordsdata, detailing whether or not every detection technique efficiently recognized a sandbox setting.”
The SHELBYC2 backdoor, for its half, parses instructions listed in one other file named “Command.txt” to obtain/add recordsdata from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell instructions. What’s notable right here is the C2 communication happens by commits to the non-public repository by making use of a Private Entry Token (PAT).
“The best way the malware is ready up signifies that anybody with the PAT (Private Entry Token) can theoretically fetch instructions despatched by the attacker and entry command outputs from any sufferer machine,” the corporate mentioned. “It is because the PAT token is embedded within the binary and can be utilized by anybody who obtains it.”
Emmenhtal Spreads SmokeLoader through 7-Zip Recordsdata
Phishing emails bearing payment-themed lures have additionally been noticed delivering a malware loader household codenamed Emmenhtal loader (aka PEAKLIGHT), which acts as a conduit to deploy one other malware referred to as SmokeLoader.
“One notable method noticed on this SmokeLoader pattern is the usage of .NET Reactor, a business .NET safety software used for obfuscation and packing,” GDATA said.
“Whereas SmokeLoader has traditionally leveraged packers like Themida, Enigma Protector, and customized crypters, the usage of .NET Reactor aligns with traits seen in different malware households, significantly stealers and loaders, as a result of its sturdy anti-analysis mechanisms.”
Source link