New Hijack Loader Attacks Windows with Enhanced Evasion Capabilities
Security researchers from ANY.RUN have identified a new version of the Hijack Loader malware that now carries updated detection-evasion tactics. This development marks a significant step in the malware's ability to stay hidden from security tooling and extend its stealth operations.
Hijack Loader, also known as IDAT Loader, first appeared in September 2023 and has since gained significant traction. It is currently ranked as the sixth most detected malware in the ANY.RUN Malware Trends Tracker, based on public sandbox submissions.
The latest iteration of Hijack Loader decrypts and parses a PNG image to load its second-stage payload. This second stage features a modular architecture aimed at injecting the main instrumentation module.
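As an added triage example (not ANY.RUN's code and not the loader's own logic): a small Python checker that walks the chunk list of a PNG and flags the places where a loader can stash an encrypted second stage: chunk types outside the PNG specification, high-entropy data in ancillary chunks, CRC mismatches, and bytes appended after IEND. The article does not say which of these embedding methods Hijack Loader uses, so the checker covers all of them; the entropy threshold and the 64-byte minimum are tuning assumptions, and the sample image and the "payload" it carries are constructed inline for the demonstration.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(data: bytes, entropy_threshold: float = 7.5) -> list:
    """Walk the chunk list and return human-readable findings (empty list = nothing seen).

    The 7.5 bits/byte threshold and the 64-byte minimum are assumptions for this
    example, not values taken from the article.
    """
    findings = []
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        payload = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            findings.append(f"bad CRC in chunk {ctype!r}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        # IDAT is compressed by design, so only ancillary/unknown chunks are measured.
        if ctype != b"IDAT" and length >= 64:
            h = entropy(payload)
            if h > entropy_threshold:
                findings.append(f"high-entropy payload in chunk {ctype!r} ({h:.2f} bits/byte)")
        pos = end
        if ctype == b"IEND":
            break
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return findings


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Construct a minimal 1x1 RGB PNG (test input built here, not a real sample).

    extra_chunks are inserted before IDAT; trailer is appended after IEND.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        out += _chunk(ctype, payload)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    smuggled = bytes(range(256)) * 4  # stands in for an encrypted second stage
    for label, img in [
        ("clean", build_png()),
        ("unknown chunk", build_png(extra_chunks=[(b"pAYL", smuggled)])),
        ("appended blob", build_png(trailer=smuggled)),
    ]:
        print(label, inspect_png(img) or "no findings")
```

A clean image yields no findings; a payload placed in an unknown chunk trips both the chunk-type and entropy checks, and a payload appended after IEND is reported by size. Image decoders ignore trailing bytes and unknown ancillary chunks, which is exactly why loaders use those spots.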
To strengthen its stealth, the malware employs several techniques:
- Avoids inline API hooking: a common detection method used by security software is bypassed.
- Windows Defender exclusion: the malware adds an exclusion for Windows Defender Antivirus. Defenders can audit exclusions with Get-MpPreference (ExclusionPath and ExclusionProcess) and alert on Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which records configuration changes.
- User Account Control (UAC) bypass: it successfully bypasses UAC.
- Process hollowing: used to inject malicious code into legitimate processes.
In March and April 2024, security researchers identified seven new modules linked to this malware.
Detection and Analysis
The ANY.RUN sandbox detects Hijack Loader using YARA rules. The platform offers detailed analysis sessions showcasing the malware's behaviour.
For instance, in a recent analysis, the second-stage payload did not download because the command-and-control (C2) server was inactive, so that session covers only the first-stage behaviour.
Common Payloads Delivered by Hijack Loader:
- Amadey
- Lumma Stealer
- Meta Stealer
- Raccoon Stealer V2
- Remcos RAT
- Rhadamanthys
Latest Indicators of Compromise (IOCs)
Researchers have collected the latest IOCs for Hijack Loader from the Malware Trends Tracker. These artifacts are updated dynamically as new public analysis sessions appear on ANY.RUN.
IPs:
- 185.215.113.67
- 193.233.132.139
- 185.172.128.76
Hashes:
- 86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3
- 0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F
- A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6
URLs:
- mail.zoomfilms-cz[.]com
- discussiowardder[.]website
- wxt82[.]xyz
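Added example, not from the article or from ANY.RUN: a Python matcher that refangs the IOCs listed above and runs them over a few constructed proxy, firewall and EDR log lines. IPs are matched exactly, domains by suffix (so a subdomain of a listed domain still hits), and SHA-256 hashes case-insensitively. The log lines are made up for the demonstration; the IOC values are the ones published above.

```python
import re
from typing import Optional

# IOCs from the list above, in the defanged form they were published in.
IOC_IPS = {"185.215.113.67", "193.233.132.139", "185.172.128.76"}
IOC_DOMAINS_DEFANGED = {
    "mail.zoomfilms-cz[.]com",
    "discussiowardder[.]website",
    "wxt82[.]xyz",
}
IOC_SHA256 = {
    "86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3",
    "0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F",
    "A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so the value can be compared to logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_HASHES = {h.lower() for h in IOC_SHA256}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Last label must be alphabetic, so dotted IPs never match as hosts.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def match_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> list:
    """Return (kind, indicator) pairs for every IOC found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        matched = match_domain(host)
        if matched:
            hits.append(("domain", matched))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_logs(lines) -> list:
    """Return (line_number, kind, indicator) for every hit; line numbers are 1-based."""
    results = []
    for n, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            results.append((n, kind, value))
    return results


# Constructed log lines for the demonstration; not real telemetry.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z proxy client=10.0.0.12 dst=mail.zoomfilms-cz.com:443 action=allow",
    "2024-05-02T10:14:09Z fw src=10.0.0.12 dst=185.215.113.67:80 proto=tcp",
    "2024-05-02T10:15:31Z edr file=C:\\Users\\a\\Downloads\\setup.exe "
    "sha256=86bccbacd8e9fde23ff236155ee47f866dd7dd51c6129ed340034810a10705b3",
    "2024-05-02T10:16:00Z proxy client=10.0.0.13 dst=cdn.wxt82.xyz:443 action=allow",
    "2024-05-02T10:16:05Z fw src=10.0.0.14 dst=8.8.8.8:53 proto=udp",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} hit on {value}")
```

Suffix matching is deliberate: `cdn.wxt82.xyz` is reported as a hit on `wxt82.xyz`, while `wxt82.xyz.example.com` is not, since only right-anchored suffixes are tested. Because these IOCs rotate as new sessions are published, the sets at the top should be refreshed from the tracker rather than hard-coded in production.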
About ANY.RUN
ANY.RUN is a leading interactive sandbox platform used by over 400,000 cybersecurity professionals worldwide. It simplifies malware analysis for threats targeting both Windows and Linux systems. The platform's threat intelligence products, including TI Lookup, YARA Search, and Feeds, help users find IOCs or files to better understand threats and respond to incidents more effectively.
Benefits of ANY.RUN
- Fast Detection: Detects malware within approximately 40 seconds of file upload using YARA and Suricata rules.
- Real-Time Interaction: Allows users to interact with samples in real time, simulating a real machine environment.
- Cost-Effective: Eliminates the need for setup or maintenance, saving time and money.
- Comprehensive Analysis: Provides detailed insights into malware behaviour, including network traffic, system calls, and file system changes.
- Team Collaboration: Facilitates easy sharing of analysis results and enables senior analysts to review junior analysts' work.
- Scalability: As a cloud service, it allows for easy scaling by adding more licenses.
Source credit: cybersecuritynews.com