Updated HijackLoader uses PNG images to bypass antivirus programs

Father

The famous "Heaven's Gate" technique opens the door to the world of malware.

Recently, cybersecurity experts noticed a new version of the HijackLoader malware, which now includes improved methods for countering analysis. This allows the malware to remain undetected in compromised networks for longer periods of time.

Researchers from the company Zscaler reported in their technical report that the new features are aimed at increasing the stealth of the malware. For example, HijackLoader, also known as IDAT Loader, can now add exceptions to the Windows Defender antivirus, bypass user account control (UAC), avoid API interception, which is often used by antivirus programs for detection, and use the "Process Hollowing" technique.

First spotted in September 2023, HijackLoader has already been used to distribute various malware families, including Amadey, Lumma Stealer, Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys.

Special attention is drawn to the latest version of the downloader, which uses the method of decoding and analyzing the PNG image to download the next stage of malware. This technique was first described by Morphisec in connection with a campaign targeting a number of locations in Finland.

The first stage of the loader is responsible for extracting and running the second stage from the PNG image, which can be embedded in it or downloaded separately, depending on the malware configuration. To increase stealth, the second stage uses additional techniques to counter analysis using several different modules at once.

Another feature of the latest versions of the malware is the use of the "Heaven's Gate" technique to bypass user-mode locks, which was announced by CrowdStrike in February 2024.

Amadey remains the most common family of malware delivered using HijackLoader. New modules integrated into the loader enhance its capabilities and make it even more resistant to detection.

Recently, there has also been a proliferation of other malware through advertising and phishing, including the DarkGate, FakeBat, and GuLoader families, as well as the emergence of the TesseractStealer data thief, which uses optical character recognition to extract text from images.
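The post describes a loader whose next stage is carried inside a PNG image. From a defender's side, the useful check is whether an image file is structurally what it claims to be. The following is an added triage script, not code from the original post or from the Zscaler or Morphisec reports, and it does not reproduce how HijackLoader actually hides its payload. It walks the PNG chunk layout and flags the three things that most often betray a file used as a carrier: bytes appended after the IEND chunk, chunk types outside the PNG specification, and IDAT data far larger than the pixel dimensions in IHDR can justify. The `make_png` helper and all sample files are constructed here for the demonstration; the 2x-plus-256-byte IDAT threshold is an assumed heuristic, not a published indicator.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
# Anything outside this set is not necessarily malicious, but it merits a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
# Samples per pixel for each IHDR colour type (greyscale, RGB, palette, GA, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int, extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG. Constructed sample data, not a real image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline starts with a filter byte (0 = none) followed by RGB triples.
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    png = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:          # injected chunks go before IDAT
        png += make_chunk(ctype, body)
    png += make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")
    return png + trailing


def parse_chunks(data: bytes):
    """Return (list of chunk records, number of bytes found after IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_raw) < 4:
            # Declared length runs past end of file: record it and stop.
            chunks.append({"type": ctype, "length": length, "crc_ok": False, "truncated": True})
            return chunks, 0
        crc_ok = struct.unpack(">I", crc_raw)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": ctype, "length": length, "crc_ok": crc_ok,
                       "truncated": False, "body": body})
        pos += 12 + length
        if ctype == b"IEND":
            break                               # a decoder stops here; we measure what follows
    return chunks, len(data) - pos


def triage(data: bytes):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if trailing:
        findings.append(f"{trailing} bytes of data after IEND")
    for c in chunks:
        name = c["type"].decode("latin-1")
        if c["truncated"]:
            findings.append(f"truncated chunk {name}")
        elif not c["crc_ok"]:
            findings.append(f"bad CRC on chunk {name}")
        if c["type"] not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({c['length']} bytes)")
    # Compare the compressed pixel data against the size the header implies.
    ihdr = next((c for c in chunks if c["type"] == b"IHDR" and not c["truncated"]), None)
    if ihdr and len(ihdr["body"]) == 13:
        w, h, depth, colour = struct.unpack(">IIBB", ihdr["body"][:10])
        raw_size = h * (1 + (w * CHANNELS.get(colour, 4) * depth + 7) // 8)
        idat_total = sum(c["length"] for c in chunks if c["type"] == b"IDAT")
        if idat_total > 2 * raw_size + 256:     # assumed heuristic threshold
            findings.append(f"IDAT total {idat_total} bytes far exceeds {raw_size}-byte raw image")
    return findings


if __name__ == "__main__":
    samples = {
        "benign": make_png(2, 2),
        "appended": make_png(2, 2, trailing=b"STAGE2" * 10),
        "custom chunk": make_png(2, 2, extra_chunks=((b"pYld", b"\xcc" * 500),)),
        "oversized IDAT": make_png(1, 1, extra_chunks=((b"IDAT", b"\x00" * 2000),)),
    }
    for label, blob in samples.items():
        print(f"{label:15s} -> {triage(blob) or 'no findings'}")
```

Image viewers ignore everything after IEND and silently skip unknown ancillary chunks, which is exactly why those two places are convenient for a carrier; a mail gateway or sandbox that runs a check like this on inbound images gets a cheap signal before any decoding happens. Treat the findings as triage prompts rather than verdicts: legitimate tools do write private chunks, and a bad CRC can simply be a corrupted download.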