HijackLoader Malware Uses Advanced Tactics to Evade Detection

CrowdStrike researchers have recently identified a new variant of the HijackLoader malware, also tracked as IDAT Loader, that threat actors are using to stage payloads covertly. HijackLoader is a loader: its job is to inject malicious code into legitimate processes so that the final payload runs under a trusted process name and slips past security controls.

The new variant layers several techniques that complicate analysis and detection: process hollowing, pipe-triggered activation, and transacted hollowing, which combines process doppelgänging with process hollowing. It also adds further unhooking steps that strip the user-mode hooks security products rely on for visibility.

In one of the advanced samples CrowdStrike analyzed, the chain starts with streaming_client.exe, which carries an obfuscated configuration to frustrate static analysis. After checking for internet connectivity, it downloads a second-stage configuration from a remote server, then scans that data for PNG header bytes and a magic value marking the embedded payload, decrypts and decompresses the payload, loads a legitimate Windows DLL named in the configuration, and overwrites that DLL's .text section with the shellcode before executing it. To get past user-mode hooks it uses Heaven's Gate (switching from 32-bit to 64-bit code so it can call the native API directly) and injects further shellcode into cmd.exe.
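The config-carrier step above (a PNG hunted for header bytes and a magic value, then decrypted and decompressed) suggests a simple triage check for suspicious image files. The following is an added example, not code from CrowdStrike's report or from the malware itself: it walks a PNG's chunk structure and flags the signs that a file is a payload carrier rather than an image (data after IEND, chunk CRC mismatches, an IDAT stream that is not valid zlib, and a caller-supplied marker). `ASSUMED_MAGIC` is a placeholder, not the loader's real magic value, and both sample PNGs are constructed inline.

```python
"""Triage a PNG for signs that it carries a non-image payload (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Placeholder marker standing in for a loader's magic value. Assumption: the
# real value belongs to CrowdStrike's analysis and is not reproduced here.
ASSUMED_MAGIC = b"MAGICVAL"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(idat_bodies, trailing: bytes = b"") -> bytes:
    """Build a 1x1 RGB PNG around the given IDAT bodies (constructed sample data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for body in idat_bodies:
        out += _chunk(b"IDAT", body)
    return out + _chunk(b"IEND", b"") + trailing


def parse_chunks(data: bytes):
    """Return (chunks, end_offset); each chunk is (type, body_offset, length, crc_ok)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad 8-byte signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            chunks.append((ctype, pos + 8, length, False))  # truncated chunk
            return chunks, len(data)
        expected = struct.unpack(">I", crc_field)[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == expected
        chunks.append((ctype, pos + 8, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def carrier_indicators(data: bytes, magic: bytes = ASSUMED_MAGIC):
    """Return findings suggesting the PNG is a payload carrier; empty list if clean."""
    findings = []
    chunks, end = parse_chunks(data)
    if len(data) - end:
        findings.append(f"{len(data) - end} bytes after IEND")
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk")
    for ctype, off, _, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype.decode('latin-1')} chunk at offset {off}")
    # In a genuine image the IDAT bodies concatenate into exactly one zlib stream.
    idat = b"".join(data[off:off + ln] for ctype, off, ln, _ in chunks if ctype == b"IDAT")
    dec = zlib.decompressobj()
    try:
        dec.decompress(idat)
        if not dec.eof:
            findings.append("IDAT zlib stream is incomplete")
        elif dec.unused_data:
            findings.append(f"{len(dec.unused_data)} bytes in IDAT after zlib stream end")
    except zlib.error:
        findings.append("IDAT stream does not inflate as zlib")
    hit = data.find(magic)
    if hit != -1:
        findings.append(f"magic value at offset {hit}")
    return findings


RAW_SCANLINE = b"\x00\xff\x00\x00"  # filter byte 0 followed by one red pixel
CLEAN_PNG = build_png([zlib.compress(RAW_SCANLINE)])
# Constructed carrier: the IDAT holds a marker plus opaque bytes instead of
# zlib data, and a blob is appended after IEND.
CARRIER_PNG = build_png([ASSUMED_MAGIC + bytes(range(32))], trailing=b"\x00" * 64)

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("carrier", CARRIER_PNG)):
        print(name, carrier_indicators(png) or "no indicators")
```

The check is deliberately format-level: it does not try to decrypt anything, so it stays useful when the loader changes its cipher, and it produces no false positive on the clean sample while flagging the carrier three times (trailing data, non-zlib IDAT, marker present).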

The researchers also found that the third-stage shellcode injects the final payload, a Cobalt Strike beacon in the observed sample, into logagent.exe by process hollowing. Across the chain the loader combines hook bypass, several process hollowing variants, and transacted hollowing for injection, which makes it both hard to analyze and hard to detect.

The use of HijackLoader in the wild shows why defenses cannot stop at static signatures: the loader's whole purpose is to get a payload running inside a trusted process. Organizations should deploy endpoint protection that watches for process injection and hollowing (a hollowed process is one whose in-memory image no longer matches its file on disk), treat removal of user-mode hooks as a high-priority signal, review detection coverage regularly against published tradecraft, and stay current on emerging threats. User education and awareness training remain important, since the loader still has to be delivered to a victim before any of this runs.

In conclusion, the steady refinement of loaders like HijackLoader is a reminder that evasion tradecraft moves faster than static defenses, and detection has to keep adapting with it.
