A new malware loader known as HijackLoader is increasingly being adopted by cybercriminals to deploy various payloads, including information-stealing software such as DanaBot, SystemBC, and RedLine Stealer. First identified in July 2023, HijackLoader distinguishes itself with a modular architecture that allows for adaptable code injection and execution. This characteristic is relatively rare among loaders, making it a notable tool in the cyber threat landscape.
According to Nikolaos Pantazopoulos, a researcher at Zscaler ThreatLabz, HijackLoader lacks advanced functions but employs several evasive techniques to avoid detection by security tools. These include using direct system calls to bypass API monitoring, checking running processes against an internal blocklist of security software, and delaying code execution by up to 40 seconds at various phases. The malware's precise initial access method remains unidentified, but its design centres on a main instrumentation module that gives it flexible code-injection and execution capabilities.
Notably, persistence on compromised machines is achieved by creating a shortcut file (LNK) in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job. This method ensures that HijackLoader re-establishes its presence each time the system starts, matching the persistence tactics outlined in the MITRE ATT&CK framework.
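A defender-side check for the persistence pattern just described, written as an added example rather than anything from the Zscaler report: it enumerates LNK files in the per-user and all-users Startup folders, flags any whose target or arguments reference BITS (the regex is an assumed heuristic, not an indicator from the article), and then lists persistent BITS jobs so an analyst can correlate the two.

```powershell
# Added example (not from the article): triage Startup-folder shortcuts that
# point at BITS, then list BITS jobs for correlation. Run in an elevated shell
# so Get-BitsTransfer -AllUsers can see every user's jobs.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # resolves target and arguments
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        # Heuristic (assumption): bitsadmin.exe, the BitsTransfer cmdlets or the BITS
        # COM progid are unusual in a Startup shortcut and merit analyst review.
        if ($cmd -match 'bitsadmin|BitsTransfer|BITS\.Manager') {
            [PSCustomObject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Modified  = $_.LastWriteTime
            }
        }
    }
}

if ($findings) {
    Write-Host "Startup shortcuts referencing BITS (review these):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No Startup shortcuts referencing BITS found."
}

# BITS jobs persist across reboots. NotifyCmdLine is the command BITS runs when a
# job completes, so it is the field to compare against the shortcuts above.
try {
    Get-BitsTransfer -AllUsers -ErrorAction Stop |
        Select-Object DisplayName, JobState, OwnerAccount, CreationTime, NotifyCmdLine |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate BITS jobs for all users: $($_.Exception.Message)"
}
```

Any hit here is a lead for analysis, not a verdict: legitimate software occasionally uses BITS, so confirm the target binary and the job's NotifyCmdLine before acting.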
In related developments, Flashpoint has reported an update to RisePro, a stealthy information-stealing malware previously distributed via the PrivateLoader pay-per-install service. Initially introduced in December 2022, RisePro claims to amalgamate the most effective features of existing stealers, such as RedLine and Vidar, to create a powerful data exfiltration tool. The seller of this malware now promises an additional user benefit: customer-hosted panels to protect against potential log theft.
RisePro, developed in C++, is particularly adept at harvesting sensitive information from infected systems for transmission to a command-and-control (C&C) server. The malware typically records logs of the captured data, underscoring its role in data exfiltration and reflecting techniques such as credential dumping—often associated with initial access and lateral movement in the MITRE ATT&CK framework.
Moreover, a newly discovered information stealer written in Node.js is making the rounds by masquerading as a legitimate product, promoted through social engineering tactics such as deceptive advertisements on social media platforms. This stealer harvests cookies and credentials from various Chromium-based browsers and sends the data to its C&C server via a Telegram bot. Such tactics align with several MITRE ATT&CK collection and exfiltration techniques and illustrate the evolving sophistication of malware delivery.
As the digital landscape grows increasingly perilous, the cybercrime ecosystem shows a constant evolution of threats. Notably, the spread of stealer malware across diverse sectors points to its effectiveness as a primary means of initial infiltration for threat actors. The emergence of new strains, such as the Python-based Prysmax, underscores a trend among cybercriminals toward versatile tools that combine multiple functions to maximize impact while minimizing detection. These reports highlight the awareness and responsiveness organizations need to guard against such threats and reinforce the necessity of vigilant cybersecurity practices.
Ultimately, as businesses face an escalating array of cyber risks, the importance of implementing comprehensive security measures against malware, including regular updates and employee training, cannot be overstated. Businesses must remain proactive in adapting their defenses to counteract the relentless evolution of cyber threats.