HijackLoader updated: CrowdStrike reveals the latest evasion techniques

Teacher

What mechanisms allow hackers to be invisible to radar?

CrowdStrike has discovered that the authors of the HijackLoader downloader have added new methods to bypass security, as the malware is increasingly used by other attackers to deliver additional payloads and tools.

It is noted that the developer used the standard Process Hollowing technique in combination with an additional trigger that was activated when the parent process wrote to the channel. This approach can make evading defenses more subtle.

The second technique involves an unusual combination of the Process Doppelganging and Process Hollowing techniques. The starting point of the new HijackLoader variant's multi-stage attack chain is the executable file ("streaming_client.exe"), which checks for an active Internet connection and starts downloading the second-stage configuration from the remote server.

The executable then loads the legitimate DLL specified in the configuration to activate the shellcode responsible for launching the HijackLoader payload. Actions are performed using a combination of the Process Doppelganging and Process Hollowing methods, which complicates analysis and increases the ability of HijackLoader to bypass security.

The second-stage HijackLoader shellcode then performs actions to disable webhooks using Heaven's Gate and injects the subsequent shellcode into cmd.exe. Heaven's Gate is a tool that allows malware to bypass endpoint security tools by calling 64-bit code from 32-bit Windows processes, effectively bypassing user hooks.

One of the key HijackLoader evasion methods is the Transacted Hollowing process injection mechanism, in which Windows file system transactions are used to load and execute malicious code in the context of another process.

Investing in new evasion capabilities for the HijackLoader (IDAT Loader) is potentially an attempt to make it more stealthy and invisible to the radar of traditional security solutions. The new methods signal both deliberate and experimental developments in existing evasion capabilities, as well as an increase in the complexity of analysis for threat researchers.
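As an added illustration for the Heaven's Gate paragraph above (not part of the post or of the CrowdStrike report), a small Python scanner that flags the two textbook Heaven's Gate byte sequences, far transfers into segment selector 0x33 (the 64-bit code segment under WoW64), in a code buffer. The patterns are the well-known public signatures; the sample buffer is constructed for the demonstration.

```python
import re
import struct

# Detection signatures for 32-bit code that switches itself into 64-bit mode.
# Both end in RETF (0xCB) with 0x33 pushed as the target code segment selector.
HEAVENS_GATE_PATTERNS = {
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
    "push33_call_add_retf": re.compile(
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"),
    # push 0x33 ; push imm32 ; retf   (imm32 = 64-bit entry point, captured)
    "push33_pushimm_retf": re.compile(rb"\x6A\x33\x68(.{4})\xCB", re.DOTALL),
}


def find_heavens_gate(code: bytes, base: int = 0) -> list[dict]:
    """Return every Heaven's Gate gadget found in `code`, sorted by address.

    Each hit carries the variant name and its address (base + offset); for the
    push-imm32 variant the 64-bit target address is decoded as well.
    """
    hits = []
    for name, pattern in HEAVENS_GATE_PATTERNS.items():
        for m in pattern.finditer(code):
            hit = {"variant": name, "address": base + m.start()}
            if m.groups():
                hit["target"] = struct.unpack("<I", m.group(1))[0]
            hits.append(hit)
    return sorted(hits, key=lambda h: h["address"])


# Constructed sample: NOP padding around one instance of each gadget, plus a
# harmless "push 0x33" with no far return, which must not be reported.
SAMPLE_CODE = (
    b"\x90" * 16
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"   # variant 1 @ 16
    + b"\x90" * 8
    + b"\x6A\x33\x68\x78\x56\x34\x12\xCB"                    # variant 2 @ 36
    + b"\x6A\x33\x90\x90"                                    # push 0x33 only
)

if __name__ == "__main__":
    for hit in find_heavens_gate(SAMPLE_CODE, base=0x00401000):
        print(hit)
```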