
Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems.
“Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (such as API and system calls),” Zscaler ThreatLabz researcher Muhammed Irfan VA said in an analysis. “Hijack Loader has added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes.”
First discovered in 2023, Hijack Loader offers the ability to deliver second-stage payloads, such as information stealer malware. It also comes with various modules for bypassing security software and injecting malicious code. Hijack Loader is tracked by the broader cybersecurity community under the names DOILoader, GhostPulse, IDAT Loader and SHADOWLADDER.
In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns that used legitimate code-signing certificates and the infamous ClickFix technique to distribute the malware.

The latest iteration of the loader has many improvements over its predecessor. Most notably, it adds call stack spoofing as an evasion tactic to hide the origin of API and system calls.
“This technique conceals the presence of malicious calls in the stack by traversing the stack using a chain of EBP pointers and replacing actual stack frames with fabricated ones,” Zscaler says.
Like previous versions, Hijack Loader uses the Heaven’s Gate technique to execute 64-bit direct syscalls for process injection. Other changes include adding the Avast Antivirus component “avastsvc.exe” to the list of blocklisted processes and delaying execution by 5 seconds.
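To make the EBP-chain mechanism in the quote concrete, the following is an added example (not Zscaler’s code and not Hijack Loader’s) that models a 32-bit, frame-pointer-based stack as a byte buffer, walks it the way a naive stack walker does, and then shows how a single fabricated frame makes the walk skip the frame whose return address points into unbacked (injected) memory. All addresses, module ranges and frame layouts are constructed for illustration.

```python
import struct

# Constructed 32-bit stack image (not a real process dump). Each frame is
# [saved EBP][return address] at STACK_BASE + offset, as on x86 with frame pointers.
STACK_BASE = 0x0019F000
STACK_SIZE = 0x1000

# Hypothetical loaded-module ranges: (name, start, end). Labels only.
MODULES = [
    ("loader.exe", 0x00400000, 0x00420000),
    ("kernel32.dll", 0x75A00000, 0x75B00000),
    ("ntdll.dll", 0x77000000, 0x77100000),
]
# Hypothetical return address inside an unbacked region (injected code).
SHELLCODE_RET = 0x02A01234


def build_stack(frames):
    """frames: (frame_offset, saved_ebp_offset_or_None, return_address).
    A saved EBP of 0 terminates the chain, as at the thread's outermost frame."""
    stack = bytearray(STACK_SIZE)
    for off, saved_off, ret in frames:
        saved_ebp = STACK_BASE + saved_off if saved_off is not None else 0
        struct.pack_into("<II", stack, off, saved_ebp, ret)
    return stack


def walk_ebp_chain(stack, ebp, max_frames=16):
    """Naive frame-pointer walk: at each EBP read [saved EBP][ret], follow saved EBP."""
    frames = []
    while ebp and STACK_BASE <= ebp < STACK_BASE + STACK_SIZE - 8 and len(frames) < max_frames:
        saved_ebp, ret = struct.unpack_from("<II", stack, ebp - STACK_BASE)
        frames.append((ebp, ret))
        ebp = saved_ebp
    return frames


def module_for(addr):
    for name, start, end in MODULES:
        if start <= addr < end:
            return name
    return None


def unbacked_returns(frames):
    """The classic stack-walk check: return addresses not backed by any module."""
    return [ret for _, ret in frames if module_for(ret) is None]


# Honest chain, innermost first: the API was reached from injected code, so the
# first frame returns into SHELLCODE_RET and the walk exposes it.
HONEST_FRAMES = [
    (0x100, 0x200, SHELLCODE_RET),   # frame set up by the injected code
    (0x200, 0x300, 0x00401000),      # loader.exe
    (0x300, 0x400, 0x75A10000),      # kernel32.dll (thread start thunk)
    (0x400, None, 0x77010000),       # ntdll.dll, chain terminator
]

# Spoofed chain: the same memory, plus one fabricated frame at 0x180 whose return
# address lies in loader.exe and whose saved EBP links straight into the legitimate
# upper frames. EBP is pointed at 0x180 before the call, so the walk never visits 0x100.
SPOOFED_FRAMES = HONEST_FRAMES + [(0x180, 0x200, 0x00401500)]


def demo():
    honest = walk_ebp_chain(build_stack(HONEST_FRAMES), STACK_BASE + 0x100)
    spoofed = walk_ebp_chain(build_stack(SPOOFED_FRAMES), STACK_BASE + 0x180)
    return {
        "honest_returns": [hex(r) for _, r in honest],
        "honest_unbacked": [hex(r) for r in unbacked_returns(honest)],
        "spoofed_returns": [hex(r) for _, r in spoofed],
        "spoofed_unbacked": [hex(r) for r in unbacked_returns(spoofed)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The honest walk reports the unbacked return address, which is exactly what stack-based detections key on; the spoofed walk returns a chain that is entirely module-backed, even though the real frame with the shellcode return address is still physically present on the stack. That is why defenders typically pair module-backing checks with additional validation (for example, confirming the instruction before each return address is a call that could have reached the callee) rather than trusting the frame chain alone.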

The malware also includes two new modules: ANTIVM for detecting virtual machines and modTask for establishing persistence via scheduled tasks.
The findings show that Hijack Loader is still actively maintained by operators intent on complicating analysis and detection.
Shelby Malware Uses GitHub for Command-and-Control
The development coincides with Elastic Security Labs detailing a new malware family called SHELBY that uses GitHub for command-and-control (C2), data exfiltration and remote control. The activity is tracked as REF8685.
The attack chain involves using phishing emails to distribute ZIP archives containing a .NET binary that runs a DLL loader tracked as SHELBYLOADER (“HTTPService.dll”) via DLL side-loading. The email messages were delivered to an Iraq-based telecommunications company through highly targeted phishing emails sent from within the target organization.

The loader then begins communicating with the GitHub-hosted C2 to extract a specific 48-byte value from a file named “License.txt” in the attacker-controlled repository. It then uses that value to generate an AES decryption key, decrypts the main backdoor payload (“HTTPApi.dll”) and loads it into memory without leaving detectable artifacts on disk.
“SHELBYLOADER uses sandbox detection techniques to identify virtualized or monitored environments,” Elastic said. “Once executed, it sends the results back to the C2. These results are packaged as log files detailing whether each detection method successfully identified a sandbox environment.”

The SHELBYC2 backdoor downloads/uploads files, executes commands listed in another file named “Command.txt” in the GitHub repository, reflectively loads .NET binaries and runs PowerShell commands. What is noteworthy here is that the use of Personal Access Tokens (PATs) means C2 communications occur through commits to a private repository.
“The way the malware is set up means that anyone with the PAT (Personal Access Token) can theoretically obtain commands sent by the attacker and access the command output from the victim machine,” the company said. “This is because the PAT token is embedded in the binary and anyone who obtains it can use it.”
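The practical consequence of a PAT embedded in the binary is that it can be recovered with static string extraction. The following is an added example (not Elastic’s tooling and not derived from the SHELBY samples) of a triage scan that pulls both ASCII and UTF-16LE strings from a binary blob (.NET assemblies store string literals as UTF-16LE in the #US heap) and flags GitHub token shapes and GitHub contents-API URLs. The token prefixes (“ghp_” for classic PATs, “github_pat_” for fine-grained ones) are assumptions about GitHub’s current formats; the token, URL and blob below are constructed and not real.

```python
import re

# Assumed current GitHub token shapes; adjust if GitHub changes its formats.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "github_fine_grained_pat": re.compile(r"github_pat_[A-Za-z0-9_]{60,}"),
}
# Repository contents endpoint of the form used to read files such as Command.txt.
API_PATTERN = re.compile(
    r"https://api\.github\.com/repos/[\w.-]+/[\w.-]+/contents/[\w./-]+"
)


def extract_strings(blob: bytes, min_len: int = 8):
    """Yield (encoding, text) for printable ASCII runs and UTF-16LE runs.
    UTF-16LE matters because .NET keeps user string literals as UTF-16LE."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield "utf-16le", m.group().decode("utf-16le")


def find_github_c2_indicators(blob: bytes):
    """Return embedded token candidates and GitHub contents-API URLs found in blob."""
    hits = {"tokens": [], "api_urls": []}
    for enc, text in extract_strings(blob):
        for name, pattern in TOKEN_PATTERNS.items():
            for token in pattern.findall(text):
                hits["tokens"].append((name, enc, token))
        for url in API_PATTERN.findall(text):
            hits["api_urls"].append((enc, url))
    return hits


# Constructed sample "binary": a fake header, an ASCII API URL, and a fake PAT
# stored as UTF-16LE inside an HTTP header string. Neither value is real.
FAKE_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
FAKE_URL = "https://api.github.com/repos/example-org/example-repo/contents/Command.txt"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(60)
    + FAKE_URL.encode("ascii") + b"\x00"
    + b"\x01\x02\x03"
    + ("Authorization: token " + FAKE_TOKEN).encode("utf-16le")
    + bytes(32)
)


if __name__ == "__main__":
    result = find_github_c2_indicators(SAMPLE_BLOB)
    for name, enc, token in result["tokens"]:
        print(f"[{name}] ({enc}) {token[:8]}... (redacted)")
    for enc, url in result["api_urls"]:
        print(f"[api_url] ({enc}) {url}")
```

Run against a real sample, a hit of this kind is both an indicator and a response action: the token can be reported to GitHub for revocation and the repository path gives you the C2 artefacts (command and output files) to pull for the investigation, which is the exposure Elastic describes above.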
Emmenhtal Distributes SmokeLoader via 7-Zip Files
Phishing emails with payment-themed lures have also been observed delivering a malware loader family called Emmenhtal Loader (aka PEAKLIGHT), which acts as a conduit for deploying another malware known as SmokeLoader.

“One of the noteworthy techniques observed in this SmokeLoader sample is the use of .NET Reactor, a commercially available .NET protection tool used for obfuscation and packing,” G DATA said.
“SmokeLoader has historically utilized packers such as Themida, Enigma Protector and custom cryptors, but the use of .NET Reactor is consistent with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms.”