HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware

by Esmeralda McKenzie
HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware

HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware

HijackLoader The use of Weaponized PNG Recordsdata To Bring Loads of Malware

HijackLoader, a modular malware loader seen in 2023, is evolving with new evasion ways, because it is a variant utilizing a PNG image to insist subsequent-stage malware worship Amadey and Racoon Stealer.

The variant contains new modules (modCreateProcess, modUAC) for course of advent, UAC bypass, and anti-hooking (Heaven’s Gate).

EHA

It also makes use of dynamic API decision and blacklisting to evade detection, while researchers created a Python script to extract configuration and modules from HijackLoader samples.

Doc

Integrate ANY.RUN in Your Firm for Efficient Malware Evaluation

Are you from SOC, Threat Be taught, or DFIR departments? If that is the case, you would possibly join an on-line neighborhood of 400,000 fair security researchers:

  • True-time Detection
  • Interactive Malware Evaluation
  • Straightforward to Learn by New Safety Team members
  • Safe detailed experiences with most records
  • Dwelling Up Virtual Machine in Linux & all Windows OS Variations
  • Work along with Malware Safely

In state for you to study all these parts now with entirely free discover admission to to the sandbox:

It’s first stage dynamically resolves APIs by traversing the PEB and parsing the PE header by utilizing the SDBM hashing algorithm to rep WinHTTP APIs and compare for web connectivity utilizing a insist URL.

The loader then makes use of a straightforward addition to decrypt the embedded shellcode, and it then receives authorization to bustle prior to running.

Capture%20(39)
SDBM hashing algorithm

HijackLoader, a malware loader, makes use of blocklists to identify antivirus method and extend its execution. It then employs two strategies for second-stage loading.

The principle assessments for a pre-outlined fee embedded in the malware and compares it with a calculated fee.

If they match, an embedded PNG containing encrypted modules is ancient. Otherwise, the be taught acknowledged a downloaded PNG is ancient, and the malware searches for the PNG’s IDAT and magic headers to locate the modules.

Capture%20(41)
An embedded PNG image containing the encrypted modules ancient by HijackLoader in a PNG viewer.

Encrypted blobs interior the PNG are decrypted utilizing a key and decompressed with LZNT1. Sooner or later, a specified DLL is loaded, and a module named “ti” is found and injected for execution.

Capture%20(42)
The decompiled output for the injection of the second stage.

The second stage injects the first payload utilizing extra than one modules for increased stealth, which embody functionalities worship UAC bypass, Windows Defender exclusion, and course of hollowing.

The principle module, ti, dynamically resolves APIs and assessments for a insist mutex, then copies itself to the correct location if wished and employs Heaven’s Gate to bypass particular person-mode hooks.

After that, it injects the first instrumentation module into a delegated course of (e.g., cmd.exe) utilizing course of hollowing, then decrypts and executes the final payload.

Capture%20(42)
HijackLoader utilizing Heaven’s Gate to stay a x64 dispute syscall.

Researchers at Zscaler analyzed HijackLoader samples to identify allotted malware. Amadey, a Trojan in a position to data sequence and extra malware loading, used to be the most prevalent at 52.9%.

Other allotted malware families incorporated the records stealers Lumma Stealer, Racoon Stealer v2, and Meta Stealer, which centered varied records worship passwords, crypto wallets, and browser records. Remcos, a A ways off Safe admission to Trojan, enabled backdoor discover admission to.

Capture%20(44)
A pie chart displaying the many malware families allotted by HijackLoader.

Rhadamanthys is but some other records stealer concentrating on a broader vary of data, at the side of wallets, emails, and messaging apps.

It no longer handiest delivers a desire of threats, equivalent to Amadey, Lumma Stealer, and Remcos RAT, however it also decrypts and extracts records from a PNG image in state to load its second stage, which is the Ti module.

Source credit : cybersecuritynews.com

Related Posts