HijackLoader updated: CrowdStrike reveals the latest evasion techniques

Teacher

What mechanisms allow hackers to be invisible to radar?

CrowdStrike has discovered that the authors of the HijackLoader downloader have added new methods to bypass security, as malware continues to be increasingly used by other attackers to deliver additional payloads and tools.

It is noted that the developer used the standard Process Hollowing technique in combination with an additional trigger that was activated when the parent process wrote to a pipe. This approach can make the evasion of defenses more subtle.

The second technique involves an unusual combination of Process Doppelganging and Process Hollowing techniques. The starting point of the multi-stage chain of attacks of the new HijackLoader variant is the executable file ("streaming_client.exe"), which checks for an active Internet connection and starts downloading the second stage configuration from the remote server.

The executable then loads the legitimate DLL specified in the configuration to activate the shellcode responsible for launching the HijackLoader payload. Actions are performed using a combination of the Process Doppelganging and Process Hollowing methods, which complicates analysis and increases the ability of HijackLoader to bypass security.

Then, the second-stage HijackLoader shellcode performs evasion actions to bypass user-mode hooks using Heaven's Gate and injects the subsequent shellcode into cmd.exe. Heaven's Gate is a technique that allows malware to evade endpoint security tools by calling 64-bit code from 32-bit Windows processes, effectively bypassing user-mode hooks.

One of the key HijackLoader evasion methods is the process injection mechanism Transacted Hollowing, in which Windows file system transactions are used to load and execute malicious code in the context of another process.

Investing in new evasion capabilities for the HijackLoader (IDAT Loader) is potentially an attempt to make it more stealthy and invisible to the radar of traditional security solutions. The new methods signal both deliberate and experimental developments in existing evasion capabilities, as well as an increase in the complexity of analysis for threat researchers.
 
What happened to critical services around the world.

Critical businesses and services, including airlines, hospitals, rail networks and television stations, were disrupted around the world on Friday. This global technical glitch has affected Microsoft users.

In many countries, flights were canceled, employees were unable to access their systems, and in some cases customers were unable to pay for purchases with cards in stores. Although some of the problems were resolved within a few hours, many companies, websites, and airlines continued to have difficulty restoring operations.

What happened?
A series of disruptions swept across the world, causing the shutdown of information displays, login systems and broadcast networks.

The problem affecting most services was caused by a failed update from the American company CrowdStrike, specializing in cybersecurity. These systems are designed to protect users from hackers. Microsoft said it was aware of the issue affecting the machines running CrowdStrike Falcon.

Microsoft also previously reported an outage affecting users of Azure, its cloud system, in the US. Some users may have suffered from both outages. Even after CrowdStrike released the fix, some systems still remained faulty, as businesses needed to manually update their systems to resolve the issue.

George Kurtz, president and CEO of CrowdStrike, said Friday morning that some systems may take some time to recover.

What was affected?
Virtually all sectors, from airlines to banks and retail chains in various countries, were affected by this failure.

In Australia, passengers were stuck in long lines at Sydney Airport as information screens stopped working and the national TV channel's broadcast was interrupted. There were delays and cancellations at airports in the UK, Germany and Taiwan. At one of the airports in South Korea, passengers were manually issued boarding passes.

Flight disruptions continued at some U.S. airports due to a chain reaction of cancellations and delays. The U.S. Federal Aviation Administration said shutdowns and delays will be "intermittent" while airlines deal with residual technological problems.

The outage also affected 911 emergency lines in several states, but most of the problems with emergency systems appeared to have resolved by mid-morning. In Germany, several hospitals canceled elective surgeries, and in the UK, some National Health Service doctors were unable to access the systems. Sky News, a major news channel in the UK, was unable to operate, and in some Waitrose supermarkets, customers were unable to pay for purchases with their cards.

Some banks, including JPMorgan Chase, experienced delays in processing transactions because bankers were unable to log in to their operating systems. People at the Disneyland Paris amusement park also experienced problems, as the screens displaying the waiting time for rides did not work.

However, the disruption was not universal. London's Heathrow Airport said its flights were continuing to operate. The London Stock Exchange said it could not publish news updates, but the exchange itself, where trading is conducted, was operating normally. The auction system of the Norwegian central bank was briefly interrupted, but other major central banks, such as the European Central Bank and the Bank of England, said their systems were not affected.

In some cases, problems were resolved relatively quickly. In Ukraine, Sense Bank and mobile operator Vodafone reported short-term problems with their services. At Dubai International Airport, two airlines switched to alternative systems, which allowed operations to resume. At approximately 5am US Eastern time, American Airlines said it had restored its operations, and a few hours later Delta Air Lines said it had resumed flights.

Large grocery chains in the United States, as it turned out, were practically not affected. Texas-based grocery chain H-E-B said all of its stores were operating normally, and a spokeswoman for Ahold Delhaize, which owns brands such as Giant, Food Lion and Hannaford, also said the stores were operating as normal.

Who is to blame?
Kurtz said that CrowdStrike released a system update with a bug that caused problems for Microsoft users. He noted that Mac and Linux users were not affected.

"This is not a security incident or a cyberattack," he said. "The issue has been identified, isolated, and a fix has already been released."

Kurtz said on NBC's "Today" program that his company accepts responsibility for the software bug that caused the crash. He warned that fixing the problem might take some time.

Microsoft also provided users with troubleshooting recommendations, including restoring backup systems, on the service page that tracks issues with Azure.

 
Instructions and tips for restoring the system.

CrowdStrike is actively working with customers affected by a defect in one of the updates for Windows hosts. Mac and Linux hosts are not affected. It is important to note that the incident is not a cyberattack.

The problem has been identified, isolated, and the solution has already been deployed. Customers are encouraged to visit the support portal for the latest updates and to follow the updates on the company's blog.

Organizations should communicate with CrowdStrike representatives through official channels.

The CrowdStrike team is fully mobilized to ensure the security and stability of client systems. The company is aware of the gravity of the situation and apologizes for any inconvenience or disruption. CrowdStrike works with all affected customers to restore systems and resume the provision of services.

CrowdStrike confirms that the Falcon platform is functioning normally. The issue does not affect the platform's systems. If a system is operating normally, having the Falcon Sensor installed does not reduce its protection.

A technical report is provided with additional information about the issue and troubleshooting steps for organizations. The company will continue to provide updates to the community and industry as they become available.

Details

  • Symptoms include a bugcheck (blue screen) error associated with the Falcon Sensor.
  • Windows hosts that are not affected by the problem do not require any action, since the problematic channel file has been reverted to the previous version.
  • Windows hosts that come online after 0527 UTC will also not be affected.
  • The problem does not affect hosts on Mac or Linux.
  • The channel file "C-00000291*.sys" with a timestamp of 0527 UTC or later is the corrected version.
  • The channel file "C-00000291*.sys" with a timestamp of 0409 UTC is the problematic version.
Note: Having multiple "C-00000291*.sys" files in the CrowdStrike directory is normal - if at least one file has a timestamp of 0527 UTC or later, it will be the active content.

Current actions

  • CrowdStrike engineers identified a content deployment as the cause of the problem and reverted the changes.
  • If hosts continue to crash and cannot stay online long enough to receive the updated channel file, use the troubleshooting steps below.
  • CrowdStrike confirms normal operation. The problem does not affect the Falcon platform systems. If a system is operating normally, having the Falcon Sensor installed does not reduce its protection. Falcon Complete and OverWatch services are not affected by the incident.

Search for affected hosts using Advanced Event Search

Check out this KB article (pdf).

Dashboard

A dashboard is available that displays affected channel files, CIDs, and sensors. Depending on your subscription, the dashboard is available in the console menu under:
  • Next-Gen SIEM > Dashboard, or
  • Investigate > Dashboards
  • Name: hosts_possibly_impacted_by_windows_crashes
Note: The dashboard cannot be used with the "Live" button.

Automated recovery articles:

Check out this article (pdf).

Troubleshooting steps for individual hosts:

  1. Restart the host so it can download the reverted channel file. It is recommended that you connect the host to a wired network before rebooting for a faster internet connection.
  2. If the host crashes again:
    • Boot Windows in Safe Mode or in the Windows Recovery Environment
    • Go to %WINDIR%\System32\drivers\CrowdStrike
    • Find the file matching "C-00000291*.sys" and delete it
    • Cold-boot the host (shut it down completely and start it from the powered-off state)
Note: Hosts encrypted with BitLocker may require a recovery key.

Troubleshooting steps for a public cloud or similar environment:

Option 1:

  1. Disconnect the operating system disk volume from the affected virtual server
  2. Create a snapshot or backup of the disk volume
  3. Connect the volume to the new virtual server
  4. Go to %WINDIR%\System32\drivers\CrowdStrike
  5. Find the file "C-00000291*.sys" and delete it
  6. Disconnect the volume from the new virtual server
  7. Connect the patched volume to the affected virtual server

Option 2:

  • Roll back to a snapshot taken before 0409 UTC.
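A script to carry out the check behind these steps, for both the single-host case and the mounted-volume case (an added example, not CrowdStrike's or the post's own code). It assumes the incident date 2024-07-19, which the post does not state, and that the file's last-write time is the timestamp CrowdStrike refers to:

```powershell
# Added example, not CrowdStrike's or the post's own code: audits the C-00000291*.sys
# channel files described above and reports whether the reverted build (0527 UTC or
# later) or the problematic build (0409 UTC) is present. Assumes the incident date
# 2024-07-19 (the post states only the times) and that LastWriteTimeUtc carries it.
function Test-ChannelFile291 {
    param(
        # Windows root; point at a mounted volume (e.g. 'E:\Windows') when the
        # affected disk is attached to a rescue server, as in the cloud procedure.
        [string]$WindowsRoot = $env:WINDIR,
        # Delete problematic files only when explicitly asked (Safe Mode / rescue host).
        [switch]$Remove
    )
    $badStamp  = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
    $goodStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)
    $dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "No CrowdStrike driver directory at $dir"
        return
    }
    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    $hasGood = $false
    foreach ($f in $files) {
        $utc = $f.LastWriteTimeUtc
        if ($utc -ge $goodStamp) {
            $state = 'OK (reverted content)'
            $hasGood = $true
        } elseif ($utc -ge $badStamp) {
            $state = 'PROBLEMATIC (0409 UTC build)'
        } else {
            $state = 'pre-incident content'
        }
        # Emit one record per file so the caller can format or export the audit.
        [pscustomobject]@{ Name = $f.Name; TimestampUtc = $utc; State = $state }
        if ($Remove -and $state -like 'PROBLEMATIC*') {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Removed $($f.FullName)"
        }
    }
    # Per the note above, a file at 0527 UTC or later is the active content; if none is
    # present the host must fetch it (reboot on a wired network) or lose the faulty file.
    if ($files.Count -eq 0) { Write-Host "No C-00000291*.sys files in $dir" }
    elseif ($hasGood)       { Write-Host 'Reverted content present; no action required.' }
    elseif (-not $Remove)   { Write-Host 'No reverted content; reboot to fetch it, or rerun with -Remove.' }
}

# Usage: audit the running host, then repair a cloud volume mounted as E:.
Test-ChannelFile291 | Format-Table -AutoSize
# Test-ChannelFile291 -WindowsRoot 'E:\Windows' -Remove
```

Run the audit first without -Remove; the deletion path is only for hosts in Safe Mode or for a volume attached to a rescue server, exactly as in the steps above.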

 