The latest iteration of Hijack Loader decrypts and parses a PNG image to load its second-stage payload. This second stage features a modular architecture aimed at injecting the main instrumentation module.
To improve its stealth, the malware employs several techniques:
- Inline API hook avoidance: the loader sidesteps the inline API hooks that security products place on common Windows APIs to monitor calls, so those monitors never see its activity.
- Windows Defender exclusion: the malware adds an exclusion to Windows Defender Antivirus.
- User Account Control (UAC) bypass: it gains elevated privileges without triggering a UAC prompt.
- Process hollowing: malicious code is injected into a legitimate process so that it runs under that process's name and image.
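The Defender exclusion item above is the easiest of the four to catch from telemetry, because the exclusion must land either in the registry under the Windows Defender Exclusions key or in an Add-MpPreference command line. The following detection logic is an added example written for this write-up; it is not ANY.RUN code and not derived from a sample. It assumes Sysmon-style records (Event ID 13 registry value set, Event ID 1 process create) and the telemetry below is constructed, with hypothetical paths rather than real indicators.

```python
"""Flag Windows Defender exclusion additions in Sysmon-style telemetry.

Added example for this write-up; it is not ANY.RUN code and the records
below are constructed, not captured from a Hijack Loader sample.
"""
import re
from dataclasses import dataclass

# Sysmon Event ID 13 (RegistryEvent: value set) writes the exclusion as a
# value under one of these subkeys; the value name is the excluded item.
EXCLUSION_KEY = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\",
    re.IGNORECASE,
)
# Add-MpPreference is the documented cmdlet for adding exclusions; the
# -Exclusion* parameters are the ones worth alerting on in Event ID 1.
EXCLUSION_CMDLET = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    event_id: int
    image: str
    detail: str


def detect_defender_exclusions(events):
    """Return a Finding for every event that adds a Defender exclusion."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 13 and EXCLUSION_KEY.search(ev.get("TargetObject", "")):
            findings.append(Finding(13, image, ev["TargetObject"]))
        elif eid == 1 and EXCLUSION_CMDLET.search(ev.get("CommandLine", "")):
            findings.append(Finding(1, image, ev["CommandLine"]))
    return findings


# Constructed sample telemetry (hypothetical hosts and paths, not IOCs).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden Add-MpPreference -ExclusionPath "C:\\ProgramData\\cache"'},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect_defender_exclusions(SAMPLE_EVENTS):
        print(f"EventID {f.event_id} from {f.image}: {f.detail}")
```

In production the Image field matters as much as the key: exclusions written by the Defender service itself or by a management agent are expected, while an exclusion written by a binary in a user's Temp directory, as in the second constructed record, is the pattern this loader produces.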
In March and April 2024, security researchers identified seven new modules associated with this malware.
Detection and Analysis

Common payloads delivered by Hijack Loader:
- Amadey
- Lumma Stealer
- Meta Stealer
- Raccoon Stealer V2
- Remcos RAT
- Rhadamanthys
Latest Indicators of Compromise (IOCs)
IPs:
- 185.215.113.67
- 193.233.132.139
- 185.172.128.76
SHA-256 hashes:
- 86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3
- 0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F
- A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6
Domains (defanged):
- mail.zoomfilms-cz[.]com
- discussiowardder[.]website
- wxt82[.]xyz
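The IOCs above are published defanged and in upper-case hex, so they cannot be pasted straight into a log search; the matcher below refangs the domains, compares hashes case-insensitively, and also catches subdomains of a listed domain. It is an added example for this write-up, not ANY.RUN tooling, and the proxy, EDR, firewall and DNS log lines it runs over are constructed (hypothetical hosts, users and timestamps); only the indicator values come from the list above.

```python
"""Match the published Hijack Loader IOCs against constructed log lines.

Added example for this write-up, not ANY.RUN tooling. The log lines are
constructed to exercise the matcher; only the IOC values come from the page.
"""
import re

# IOCs exactly as listed, kept defanged so they are safe to copy around.
IOC_IPS = {"185.215.113.67", "193.233.132.139", "185.172.128.76"}
IOC_SHA256 = {
    "86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3",
    "0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F",
    "A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6",
}
IOC_DOMAINS_DEFANGED = {
    "mail.zoomfilms-cz[.]com",
    "discussiowardder[.]website",
    "wxt82[.]xyz",
}


def refang(indicator):
    """Undo common defanging so the indicator can be compared to live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostnames: dot-separated labels ending in an alphabetic TLD, so bare IPs
# are not picked up twice.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_iocs(line):
    """Return a list of (type, value) hits for a single log line.

    Hashes are compared case-insensitively; hostnames match both the exact
    listed domain and any subdomain of it.
    """
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for h in SHA256_RE.findall(line):
        if h.upper() in IOC_SHA256:
            hits.append(("sha256", h.upper()))
    for host in HOST_RE.findall(line):
        host_l = host.lower()
        if any(host_l == d or host_l.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("domain", host_l))
    return hits


def scan(lines):
    """Return {line_number: hits} for every line with at least one hit."""
    return {n: hits for n, l in enumerate(lines, 1) if (hits := match_iocs(l))}


# Constructed log lines (hypothetical hosts, users and timestamps).
SAMPLE_LOGS = [
    "2024-04-12T10:01:03Z proxy user=jdoe dst=mail.zoomfilms-cz.com:443 action=allow",
    "2024-04-12T10:01:07Z edr host=WS-17 sha256=0ae58be8d7058e40926fdb51b76043d109b96b91aa9fa2950dbb8a3626185e0f path=C:\\Users\\jdoe\\Downloads\\setup.exe",
    "2024-04-12T10:02:44Z fw src=10.0.0.23 dst=185.215.113.67 dport=80 proto=tcp",
    "2024-04-12T10:03:10Z proxy user=asmith dst=cdn.example.com:443 action=allow",
    "2024-04-12T10:04:51Z dns query=update.wxt82.xyz type=A",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

The subdomain match is deliberate: a loader that resolves a host under one of these domains should still trip the rule even if the exact label differs from what was observed in the sandbox. IP indicators, by contrast, are matched exactly, since shared hosting makes prefix matching on addresses a reliable source of false positives.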
About ANY.RUN
- Rapid detection: detects malware within approximately 40 seconds of file upload using YARA and Suricata rules.
- Real-time interaction: allows users to interact with samples in real time, simulating a real system environment.
- Cost-effective: eliminates the need for setup or maintenance, saving time and money.
- Comprehensive analysis: provides detailed insights into malware behavior, including network traffic, system calls, and file system changes.
- Team collaboration: facilitates easy sharing of analysis results and enables senior analysts to review junior analysts' work.
- Scalability: as a cloud service, it scales by adding more licenses.