HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

HijackLoader, a modular malware loader observed in 2023, is evolving with new evasion techniques, as it is a variant using a PNG image to deliver next-stage malware like Amadey and Racoon Stealer. 

The variant includes new modules (modCreateProcess, modUAC) for process creation, UAC bypass, and anti-hooking (Heaven’s Gate).

It also uses dynamic API resolution and blacklisting to evade detection, while researchers created a Python script to extract configuration and modules from HijackLoader samples.


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

It’s first stage dynamically resolves APIs by traversing the PEB and parsing the PE header by utilizing the SDBM hashing algorithm to find WinHTTP APIs and check for internet connectivity using a specific URL. 

The loader then uses a simple addition to decrypt the embedded shellcode, and it then receives authorization to run before running. 

SDBM hashing algorithm

HijackLoader, a malware loader, uses blocklists to identify antivirus software and delay its execution. It then employs two methods for second-stage loading.

The first checks for a pre-defined value embedded in the malware and compares it with a calculated value. 

If they match, an embedded PNG containing encrypted modules is used. Otherwise, the research said a downloaded PNG is used, and the malware searches for the PNG’s IDAT and magic headers to locate the modules.

An embedded PNG image containing the encrypted modules used by HijackLoader in a PNG viewer.

Encrypted blobs within the PNG are decrypted using a key and decompressed with LZNT1. Finally, a specified DLL is loaded, and a module named “ti” is located and injected for execution. 

The decompiled output for the injection of the second stage.

The second stage injects the main payload using multiple modules for increased stealth, which include functionalities like UAC bypass, Windows Defender exclusion, and process hollowing. 

The first module, ti, dynamically resolves APIs and checks for a specific mutex, then copies itself to the appropriate location if needed and employs Heaven’s Gate to bypass user-mode hooks. 

After that, it injects the main instrumentation module into a designated process (e.g., cmd.exe) using process hollowing, then decrypts and executes the final payload.  

HijackLoader using Heaven’s Gate to execute a x64 direct syscall.

Researchers at Zscaler analyzed HijackLoader samples to identify distributed malware. Amadey, a Trojan capable of data collection and further malware loading, was the most prevalent at 52.9%. 

Other distributed malware families included the information stealers Lumma Stealer, Racoon Stealer v2, and Meta Stealer, which targeted various data like passwords, crypto wallets, and browser information. Remcos, a Remote Access Trojan, enabled backdoor access.

A pie chart showing the different malware families distributed by HijackLoader.

Rhadamanthys is another information stealer targeting a broader range of data, including wallets, emails, and messaging apps. 

It not only delivers a number of threats, such as Amadey, Lumma Stealer, and Remcos RAT, but it also decrypts and extracts information from a PNG image in order to load its second stage, which is the Ti module.