
Apr 02, 2025 | Ravie Lakshmanan | Threat Detection / Malware

Cybersecurity researchers have identified an updated version of the Hijack Loader malware that adds features designed to evade detection and maintain persistence on compromised systems.

According to an analysis by Zscaler ThreatLabz researcher Muhammed Irfan V A, “Hijack Loader has introduced a new module that utilizes call stack spoofing to conceal the origin of function calls, including API and system calls.” This technique is also employed by another malware loader known as CoffeeLoader. Additionally, Hijack Loader has implemented anti-VM checks to detect malware analysis environments and sandboxes.

Hijack Loader, initially discovered in 2023, is capable of delivering secondary payloads, such as information-stealing malware. It also features various modules to bypass security software and inject malicious code. The broader cybersecurity community tracks Hijack Loader under several names, including DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.

In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns that leveraged legitimate code-signing certificates and the ClickFix strategy for distributing the malware.

The latest version of the loader boasts several improvements over its predecessor, most notably the addition of call stack spoofing as an evasion tactic. The method walks the stack through the chain of saved EBP frame pointers and hides malicious calls by replacing genuine stack frames with fabricated ones.
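The frame-pointer chain described above is also what a defender can check. The following Python is an added example, not code from the Zscaler report: it models a captured x86 call stack as a list of frames and flags the invariants that fabricated frames tend to break (a return address not backed by any loaded module, a saved EBP that does not ascend the stack, or a chain that does not link). All addresses, module ranges and stack bounds are constructed for the example.

```python
"""Added example (not from the Zscaler ThreatLabz report): checking a captured
x86 call stack for fabricated frames.

On frame-pointer-preserving builds each frame holds [saved EBP][return address];
the saved EBP points at the caller's frame, higher on the stack, and the return
address lands inside a loaded module.  Call stack spoofing rewrites those slots,
so a checker can look for broken invariants.  All addresses, module layouts and
stack bounds here are constructed for the example."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Frame:
    ebp: int        # address of this frame's saved-EBP slot
    saved_ebp: int  # value stored there: the caller's EBP (0 ends the chain)
    ret_addr: int   # return address stored at ebp + 4


# Constructed 32-bit layout: the stack grows down from STACK_BASE to STACK_LIMIT.
STACK_LIMIT = 0x0018_0000
STACK_BASE = 0x0019_0000
MODULES = [
    Module("app.exe", 0x0040_0000, 0x0002_0000),
    Module("kernel32.dll", 0x7500_0000, 0x0010_0000),
    Module("ntdll.dll", 0x7700_0000, 0x0018_0000),
]


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    """Loaded module whose image contains addr, or None if it is unbacked."""
    return next((m for m in modules if m.contains(addr)), None)


def classify_stack(frames: List[Frame], modules: List[Module] = MODULES,
                   stack_limit: int = STACK_LIMIT,
                   stack_base: int = STACK_BASE) -> List[Tuple[int, str]]:
    """Return (frame_index, finding) pairs for frames that violate stack invariants.

    Per frame:
      * the return address must fall inside some loaded module;
      * the saved EBP of frame i must equal the EBP of frame i+1 (chain continuity);
      * the saved EBP must stay within the thread's stack and be higher than the
        current frame (callers live above callees on a downward-growing stack).
    """
    findings = []
    for i, f in enumerate(frames):
        if owner_of(f.ret_addr, modules) is None:
            findings.append((i, f"return address {f.ret_addr:#010x} is not backed by a loaded module"))
        if i + 1 < len(frames) and f.saved_ebp != frames[i + 1].ebp:
            findings.append((i, f"saved EBP {f.saved_ebp:#010x} does not link to the next frame"))
        if f.saved_ebp == 0:
            continue  # outermost frame terminates the chain
        if not (stack_limit <= f.saved_ebp < stack_base):
            findings.append((i, f"saved EBP {f.saved_ebp:#010x} points outside the stack"))
        elif f.saved_ebp <= f.ebp:
            findings.append((i, f"saved EBP {f.saved_ebp:#010x} does not ascend from frame at {f.ebp:#010x}"))
    return findings


def is_suspicious(frames: List[Frame], modules: List[Module] = MODULES) -> bool:
    return bool(classify_stack(frames, modules))


# Constructed: a well-formed chain app.exe -> app.exe -> kernel32 -> ntdll.
LEGIT_STACK = [
    Frame(ebp=0x0018_FE00, saved_ebp=0x0018_FE40, ret_addr=0x0040_1234),
    Frame(ebp=0x0018_FE40, saved_ebp=0x0018_FEA0, ret_addr=0x0040_1A00),
    Frame(ebp=0x0018_FEA0, saved_ebp=0x0018_FF80, ret_addr=0x7501_0020),
    Frame(ebp=0x0018_FF80, saved_ebp=0x0000_0000, ret_addr=0x7702_0100),
]

# Constructed: the innermost frame returns into unbacked memory and the
# fabricated middle frame points its saved EBP back down the stack.
SPOOFED_STACK = [
    Frame(ebp=0x0018_FE00, saved_ebp=0x0018_FE40, ret_addr=0x0230_0010),
    Frame(ebp=0x0018_FE40, saved_ebp=0x0018_FE10, ret_addr=0x7501_0020),
    Frame(ebp=0x0018_FE10, saved_ebp=0x0000_0000, ret_addr=0x7702_0100),
]

if __name__ == "__main__":
    for label, stack in (("legit", LEGIT_STACK), ("spoofed", SPOOFED_STACK)):
        print(label, classify_stack(stack) or "no findings")
```

A stack whose fabricated frames all point into legitimate modules with a consistent chain passes these two checks; catching that needs checks against the code itself, such as confirming that each return address is preceded by a call instruction and that frame sizes agree with unwind metadata, which is what hook-based stack inspection in endpoint products applies.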

As with previous versions, Hijack Loader uses the Heaven’s Gate technique to execute 64-bit direct syscalls for process injection. Other modifications include a revision to the list of blocklisted processes, which now includes “avastsvc.exe,” a component of Avast Antivirus; when that process is present, execution is delayed by five seconds.

The malware also incorporates two new modules: ANTIVM for detecting virtual machines and modTask for setting up persistence via scheduled tasks. These findings indicate that Hijack Loader continues to be actively maintained by its operators, who aim to complicate analysis and detection.

The updates to Hijack Loader demonstrate the ongoing efforts of its operators to refine its capabilities and evade detection, making it a persistent threat in the cybersecurity landscape.

SHELBY Malware Uses GitHub for Command-and-Control

Elastic Security Labs has detailed a new malware family known as SHELBY, which utilizes GitHub for command-and-control (C2), data exfiltration, and remote control. The activity is tracked as REF8685. The attack chain begins with a phishing email containing a ZIP archive with a .NET binary, which executes a DLL loader tracked as SHELBYLOADER (“HTTPService.dll”) via DLL side-loading.

The loader then initiates communication with GitHub for C2, extracting a 48-byte value from a file named “License.txt” in the attacker-controlled repository. This value is used to generate an AES decryption key and decrypt the main backdoor payload (“HTTPApi.dll”), which is loaded into memory without leaving detectable artifacts on disk.
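The GitHub-as-C2 flow above (a small value pulled from a text file in a repository, then repository traffic for tasking and exfiltration) leaves a recognizable footprint in web proxy logs. The following Python is an added example, not code from Elastic's report: it triages constructed proxy records for GitHub access from processes that are not expected GitHub clients, tiny fetches of repository files, writes to the repository contents API, and fixed-interval polling of one URL. The log format, host and process names, repository path and client allowlist are all constructed or assumed.

```python
"""Added example (not part of the Elastic Security Labs report): triaging HTTP
proxy logs for the GitHub-as-C2 pattern.

Constructed record format, one per line, space-separated:
    <ISO timestamp> <host> <process> <method> <url> <status> <bytes>
Every host, process, repository path and the client allowlist below is
constructed or assumed for the example; a real deployment would tune them."""

import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Processes expected to talk to GitHub (assumption; tune per environment).
ALLOWED_GITHUB_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# The loader above reads a 48-byte value; fetches this small look like key/config pulls.
TINY_FETCH_BYTES = 128

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one constructed proxy record into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, status, nbytes = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "proc": proc.lower(), "method": method,
        "url": url, "status": int(status), "bytes": int(nbytes),
    }


def triage(lines, min_beacons=3):
    """Return de-duplicated (host, process, finding) triples for GitHub C2 indicators."""
    findings = []
    polls = defaultdict(list)  # (host, proc, url) -> timestamps of GET requests
    for rec in filter(None, map(parse_line, lines)):
        if urlparse(rec["url"]).hostname not in GITHUB_HOSTS:
            continue
        if rec["proc"] in ALLOWED_GITHUB_CLIENTS:
            continue  # browsers and git tooling are expected to reach GitHub
        key = (rec["host"], rec["proc"])
        if rec["method"] in ("PUT", "POST", "PATCH") and "/contents/" in rec["url"]:
            findings.append((*key, "write to GitHub repo contents API: possible exfiltration"))
        elif rec["method"] == "GET" and rec["bytes"] <= TINY_FETCH_BYTES:
            findings.append((*key, f"tiny GitHub fetch ({rec['bytes']} B) of {urlparse(rec['url']).path}"))
        if rec["method"] == "GET":
            polls[(*key, rec["url"])].append(rec["ts"])
    # Fixed-interval polling of one URL is the beaconing half of the pattern.
    for (host, proc, url), stamps in polls.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= 0.1 * max(gaps):  # jitter under 10%
            findings.append((host, proc, f"periodic polling of {url} every ~{int(sum(gaps) / len(gaps))}s"))
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


# Constructed sample: benign browser/git traffic followed by an unexpected
# process polling a small repository file and then pushing data back.
SAMPLE_LOG = [
    "2025-04-02T10:00:00Z ws-17 chrome.exe GET https://github.com/example-org/tool 200 54321",
    "2025-04-02T10:00:05Z ws-17 git.exe GET https://api.github.com/repos/example-org/tool/contents/README.md 200 2048",
    "2025-04-02T10:01:00Z ws-17 updater.exe GET https://raw.githubusercontent.com/placeholder-actor/repo/main/License.txt 200 48",
    "2025-04-02T10:02:00Z ws-17 updater.exe GET https://raw.githubusercontent.com/placeholder-actor/repo/main/License.txt 200 48",
    "2025-04-02T10:03:00Z ws-17 updater.exe GET https://raw.githubusercontent.com/placeholder-actor/repo/main/License.txt 200 48",
    "2025-04-02T10:03:30Z ws-17 updater.exe PUT https://api.github.com/repos/placeholder-actor/repo/contents/ws-17/out.txt 201 310",
]

if __name__ == "__main__":
    for host, proc, finding in triage(SAMPLE_LOG):
        print(f"{host} {proc}: {finding}")
```

Each rule alone is noisy (developers fetch small files, CI writes to repositories), so the useful signal is the combination on one host and process: an unexpected binary, a tiny fetch, regular polling and a write-back in the same window.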