CrowdStrike researchers have gotten hold of a vastly improved and stealthy version of HijackLoader – here’s how it works.
Security researchers have put a sample of a popular malware tool through its paces in a test environment and have found a slew of improved evasion techniques in this particular version.
HijackLoader is a relative newcomer on the malware scene, first observed in use in the second half of 2023. As the name suggests, HijackLoader isn’t malicious in and of itself: it is a loader, used to deliver other malicious payloads, including info stealers.
The malware was already relatively stealthy and capable of evading detection, but the version CrowdStrike has been analysing is even trickier when it comes to remaining undetected.
The latest version of the malware uses a complex, multistage process to deploy its payloads. In particular, this version uses a process hollowing variant in which HijackLoader feeds the hollowed child process through a pipe. A second technique combines process doppelganging with process hollowing, which adds even more complexity to the challenge of analysing the threat.
HijackLoader’s first stage uses dynamic API resolution to guard against static analysis, while checking for an active internet connection and attempting to connect to several URLs to retrieve a second-stage configuration blob, which is then decompressed. Shellcode is then written into a separately downloaded DLL and executed, carrying out further evasion techniques in the following stages, as CrowdStrike describes.
“The primary evasion techniques employed by the HijackLoader include hook bypass methods such as Heaven’s Gate and unhooking by remapping system DLLs monitored by security products,” CrowdStrike’s researchers said in a blog post. “Additionally, the malware implements variations of process hollowing and an injection technique that leverages transacted hollowing, which combines the transacted section and process doppelgänging techniques with DLL hollowing.”
In Windows, under the Windows-on-Windows 64-bit (WOW64) subsystem that runs 32-bit processes on 64-bit Windows, Heaven’s Gate refers to the technique of transitioning from 32-bit code to 64-bit code. In this case it is used to bypass any hooks placed by security products in the x64 ntdll.
“One key distinction between this implementation and the typical ‘standard’ process hollowing can be observed here: In standard process hollowing, the child process is usually created in a suspended state,” according to CrowdStrike.
“In this case, the child is not explicitly created in a suspended state, making it appear less suspicious. Since the child process is waiting for an input from the pipe created previously, its execution is hanging on receiving data from it. Essentially, we can call this an interactive process hollowing variation.”
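As an added illustration (not code from the article or from CrowdStrike), the following Python correlates constructed process telemetry to flag the pattern in the quote above: a parent that creates a pipe, spawns a child that is not suspended, and then opens that child's memory for writing while the child blocks on the pipe. The event field names and sample records are assumptions constructed for this example, not any product's schema.

```python
from collections import defaultdict

# Windows access right that WriteProcessMemory requires on the target handle.
PROCESS_VM_WRITE = 0x0020

# Constructed sample telemetry (field names are assumed, not a vendor schema).
# Events 1-4: loader.exe creates a pipe, spawns logagent.exe non-suspended,
# opens it with write access, and the child connects to the pipe (suspicious).
# Events 5-7: build.exe does the same but never touches the child's memory (benign).
EVENTS = [
    {"type": "pipe_created",   "pid": 100, "pipe": r"\\.\pipe\constructed"},
    {"type": "process_create", "pid": 100, "child_pid": 200, "child_image": "logagent.exe", "suspended": False},
    {"type": "pipe_connected", "pid": 200, "pipe": r"\\.\pipe\constructed"},
    {"type": "process_access", "pid": 100, "target_pid": 200, "granted_access": 0x1FFFFF},
    {"type": "pipe_created",   "pid": 300, "pipe": r"\\.\pipe\other"},
    {"type": "process_create", "pid": 300, "child_pid": 400, "child_image": "cl.exe", "suspended": False},
    {"type": "pipe_connected", "pid": 400, "pipe": r"\\.\pipe\other"},
]


def find_interactive_hollowing(events):
    """Return (parent_pid, child_pid, pipe) tuples where a non-suspended child
    reads from a pipe its parent created and the parent opened it for memory
    writes. Order-insensitive: the memory write may land before or after the
    child blocks on the pipe."""
    pipes_by_creator = defaultdict(set)   # parent pid -> pipes it created
    parent_of = {}                        # child pid -> parent pid (non-suspended children only)
    write_access = set()                  # (parent, child) pairs opened with PROCESS_VM_WRITE
    connected = defaultdict(set)          # pid -> pipes it connected to

    for ev in events:
        kind = ev["type"]
        if kind == "pipe_created":
            pipes_by_creator[ev["pid"]].add(ev["pipe"])
        elif kind == "process_create" and not ev["suspended"]:
            parent_of[ev["child_pid"]] = ev["pid"]
        elif kind == "process_access" and ev["granted_access"] & PROCESS_VM_WRITE:
            write_access.add((ev["pid"], ev["target_pid"]))
        elif kind == "pipe_connected":
            connected[ev["pid"]].add(ev["pipe"])

    findings = []
    for child, parent in parent_of.items():
        if (parent, child) not in write_access:
            continue  # no cross-process memory write: plain parent/child IPC
        for pipe in sorted(connected[child] & pipes_by_creator[parent]):
            findings.append((parent, child, pipe))
    return findings


if __name__ == "__main__":
    for parent, child, pipe in find_interactive_hollowing(EVENTS):
        print(f"possible interactive hollowing: parent {parent} -> child {child} via {pipe}")
```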
Both the third and fourth stages of the malware leverage the popular pen-testing tool Cobalt Strike, each writing a further shellcode stage into logagent.exe and cmd.exe, respectively.
Sadly, it appears that HijackLoader remains under active development.
“HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities,” CrowdStrike said.