The HijackLoader downloader is becoming increasingly popular among threat actors, which is why analysts from the ThreatLabZ team have now examined this malware, which has been appearing since July 2023, in more detail.
Due to its modular architecture, the loader is able to use a variety of modules for code injection and execution. Based on Zscaler telemetry data, HijackLoader poses a high threat potential as it can be used to load various malware families such as Danabot, SystemBC, and RedLine Stealer. It uses embedded modules for code injection, which allow flexibility and deviate from the approach of traditional loaders.
Evasion Techniques Against Detection
The loader begins execution from a modified Windows C Runtime (CRT) function. During its initialization phase, the loader determines whether the final payload is embedded in the binary or whether it needs to be downloaded from an external server; it carries an encrypted configuration for this purpose. In addition, a number of evasion techniques are used to avoid detection, for example resolving Windows API functions dynamically through a custom API hashing technique, or performing an HTTP connection test against a legitimate website (e.g. mozilla.org).
If a connection cannot be established, HijackLoader will not continue execution and will enter an infinite loop until a connection is established. Also, at the first stage, the existence of a number of running processes of security solutions is checked. Depending on which processes are found, the loader performs different delay functions.
HijackLoader checks for existing security packages
HijackLoader locates the second stage payload (i.e. the ti module) incrementally. To do this, it parses the configuration block that it decrypted during the initialization phase. HijackLoader then finds the encrypted payload URL and decrypts it using a bitwise XOR operation. It downloads the payload and checks the data for the presence of the signature (contained in the configuration block).
If validation is successful, the payload is written to disk. Now the loader looks for encrypted blobs using the second marker. Each marker represents the beginning of an encrypted blob along with the size of the blob (which is stored before each occurrence). Also, the XOR key is behind the offset of the first encrypted blob. Once all encrypted blobs have been extracted, they are chained together and decrypted using the XOR key. Finally, the decrypted payload is decompressed using the LZNT1 algorithm.
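The marker-walking and XOR step described above, as an added illustration that is not code from the original article or from Zscaler: it builds a constructed container, finds every marker, reads the size stored before each occurrence, chains the blobs and XOR-decrypts them. The marker value, the 8-byte key length, the little-endian size field and the key's position right after the first blob are assumptions for this example only; a real sample needs these values taken from its decrypted configuration.

```python
import struct

# Constructed values for this illustration; a real analysis takes the marker,
# key length and offsets from the loader's decrypted configuration block.
MARKER = b"\xde\xad\xbe\xef"
KEY_LEN = 8


def build_sample(plaintext: bytes, key: bytes, chunk: int = 7) -> bytes:
    """Constructed layout: [size LE32][MARKER][blob], key stored after blob #1."""
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))
    out = bytearray(b"junk-header-")          # unrelated bytes before the blobs
    for n, pos in enumerate(range(0, len(enc), chunk)):
        piece = enc[pos:pos + chunk]
        out += struct.pack("<I", len(piece)) + MARKER + piece
        if n == 0:
            out += key                        # assumed: key follows first blob
        out += b"\x00" * 3                    # filler between blobs
    return bytes(out)


def extract_blobs(data: bytes):
    """Walk every marker; return (chained ciphertext, key) or (b'', None)."""
    chained = bytearray()
    key = None
    idx = data.find(MARKER)
    while idx != -1:
        if idx < 4:                           # no room for a size field
            idx = data.find(MARKER, idx + 1)
            continue
        (size,) = struct.unpack("<I", data[idx - 4:idx])
        start = idx + len(MARKER)
        chained += data[start:start + size]
        if key is None:
            key = data[start + size:start + size + KEY_LEN]
        idx = data.find(MARKER, start + size) # skip past blob so payload bytes
    return bytes(chained), key                # that look like a marker are ignored


def decrypt_payload(data: bytes) -> bytes:
    """Chain all encrypted blobs and XOR them with the repeating key."""
    ct, key = extract_blobs(data)
    if key is None or len(key) != KEY_LEN:
        raise ValueError("marker or key not found")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(ct))
```

In the real loader the decrypted buffer is then LZNT1-decompressed, a step this example leaves out.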
After the decryption comes the reinforcement
Various modules are then downloaded. Finally, the embedded payload is decrypted using a bitwise XOR operation, where the key is derived from the first 200 bytes. HijackLoader's shellcode then proceeds to inject or directly execute the decrypted payload. Which technique the shellcode uses depends on various factors, such as the file type of the payload and a "flag" stored in the settings that indicates the injection method to use.
In summary, HijackLoader is a modular loader with evasion techniques that offers a variety of loading options for malicious payloads. Even though the quality of the code is poor, security researchers at Zscaler warn against the new loader given its increasing popularity. They expect code improvements and continued use by more threat actors, particularly to fill the gap left by Emotet and Qakbot. The Zscaler Cloud Sandbox detects HijackLoader based on a variety of indicators and blocks its activities. The full technical analysis can be read on the ThreatLabZ blog.
More at Zscaler.com
About Zscaler
Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.