A recently emerged malware loader, HijackLoader, is gaining popularity within the cybercriminal community for distributing various malicious payloads such as DanaBot, SystemBC, and RedLine Stealer.
According to findings by Zscaler ThreatLabz researcher Nikolaos Pantazopoulos, “while HijackLoader lacks advanced features, it stands out due to its modular architecture, enabling it to employ multiple modules for code injection and execution, a capability not common in most loaders.”
History of HijackLoader
The company first spotted this malware in July 2023. The loader employs several tactics to avoid detection, including:
- using syscalls to elude monitoring by security solutions,
- checking for security software-related processes against an embedded blocklist, and
- delaying code execution by up to 40 seconds at different stages.
Have we found the Initial Access Point?
The specific method used to gain initial access to targets is currently unknown. Beyond its anti-analysis features, HijackLoader includes a primary instrumentation module that facilitates flexible code injection and execution through embedded modules.
To maintain persistence on the compromised host, the malware creates a shortcut file (LNK) in the Windows Startup folder, directing it to a Background Intelligent Transfer Service (BITS) job.
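As an added defender-side example (not code from the article or from Zscaler's research), the following PowerShell audits the persistence mechanism described above: it enumerates shortcut (LNK) files in the per-user and all-users Startup folders, flags any whose target or arguments reference BITS, and lists the BITS jobs present on the host. The keyword list and the decision to treat any BITS reference from a Startup shortcut as worth reviewing are assumptions chosen for illustration; legitimate software rarely launches BITS from a Startup shortcut, but every hit still needs a human look.

```powershell
# Added example, not part of the original article: audit Startup-folder
# shortcuts for BITS references and list BITS jobs. Keywords are assumed
# indicators chosen for illustration; tune them to your environment.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Strings suggesting a shortcut hands execution to BITS (assumed indicators).
$bitsKeywords = @('bitsadmin', 'Start-BitsTransfer', 'BitsTransfer')

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }

    Get-ChildItem -Path $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        # Resolve the shortcut's target and arguments via the WScript.Shell COM object.
        $lnk     = $shell.CreateShortcut($_.FullName)
        $command = "$($lnk.TargetPath) $($lnk.Arguments)"

        # -match is case-insensitive; escape the keyword so it is matched literally.
        $matched = $bitsKeywords | Where-Object { $command -match [regex]::Escape($_) }

        if ($matched) {
            $findings += [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Indicator = ($matched -join ',')
                Created   = $_.CreationTime
            }
        }
    }
}

if ($findings) {
    Write-Output 'Startup shortcuts referencing BITS (review these):'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Startup shortcuts referencing BITS found.'
}

# Enumerate BITS jobs. -AllUsers requires an elevated session to show other users' jobs.
Write-Output 'BITS jobs on this host:'
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    Select-Object DisplayName, JobState, OwnerAccount, CreationTime, TransferType |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that the all-users Startup folder and other users' BITS jobs are visible. A shortcut whose creation time coincides with the suspected infection window, combined with a BITS job owned by the same account, is the pairing this check is meant to surface.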
“HijackLoader is a modular loader with evasion techniques, offering multiple loading options for malicious payloads,” noted Pantazopoulos. “However, it lacks advanced features, and the quality of the code is subpar.”
Two cents on the event
These developments are part of an evolving cybercrime landscape, where data-stealing infections are a primary method used by threat actors to infiltrate organizations and carry out post-exploitation activities.
It’s no surprise that cybercriminals are continually introducing new data-stealing malware strains that offer a range of functionalities to maximize their impact.
The practical takeaway is to make sure your own environment is properly secured.