www.zscaler.com Open in urlscan Pro
2606:4700::6812:1d4a  Public Scan

URL: https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader
Submission: On September 11 via api from TR — Scanned from DE

Form analysis 6 forms found in the DOM

GET /search

<form action="/search" method="get" id="nav-search-form" accept-charset="UTF-8" role="search" aria-label="sitewide" __bizdiag="655103145" __biza="WJ__">
  <div class="js-form-item form-item js-form-type-textfield form-type-textfield js-form-item-query form-item-query form-no-label">
    <input placeholder="What are you looking for?" data-drupal-selector="edit-query" type="text" id="edit-query" name="query" value="" size="60" maxlength="128" class="form-text">
  </div>
  <div class="submit-wrapper"><i class="fas fa-times"></i>
    <div class="submit-container"><i class="fas fa-arrow-right"></i>
      <input title="Submit" data-drupal-selector="edit-submit" type="submit" id="edit-submit--2" name="op" value="Submit" class="button button--primary js-form-submit form-submit">
    </div>
  </div>
</form>

GET /search

<form action="/search" method="get" id="nav-search-form" accept-charset="UTF-8" role="search" aria-label="sitewide" __bizdiag="655103145" __biza="WJ__">
  <div class="js-form-item form-item js-form-type-textfield form-type-textfield js-form-item-query form-item-query form-no-label">
    <input placeholder="What are you looking for?" data-drupal-selector="edit-query" type="text" id="edit-query" name="query" value="" size="60" maxlength="128" class="form-text">
  </div>
  <div class="submit-wrapper"><i class="fas fa-times"></i>
    <div class="submit-container"><i class="fas fa-arrow-right"></i>
      <input title="Submit" data-drupal-selector="edit-submit" type="submit" id="edit-submit--2" name="op" value="Submit" class="button button--primary js-form-submit form-submit">
    </div>
  </div>
</form>

<form id="mktoForm_7140" data-formid="7140" class="subscription-form-blog-new  mkto-form-check mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
  style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" __bizdiag="1714217501" __biza="WJ__">
  <style type="text/css">
    .mktoForm .mktoButtonWrap.mktoRound .mktoButton {
      color: #fff;
      border: 1px solid #a3bee2;
      -webkit-border-radius: 5px;
      -moz-border-radius: 5px;
      border-radius: 5px;
      background-color: #779dd5;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#779dd5), to(#5186cb));
      background-image: -webkit-linear-gradient(top, #779dd5, #5186cb);
      background-image: -moz-linear-gradient(top, #779dd5, #5186cb);
      background-image: linear-gradient(to bottom, #779dd5, #5186cb);
      padding: 0.4em 1em;
      font-size: 1em;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:hover {
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:focus {
      outline: none;
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:active {
      background-color: #5186cb;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#5186cb), to(#779dd5));
      background-image: -webkit-linear-gradient(top, #5186cb, #779dd5);
      background-image: -moz-linear-gradient(top, #5186cb, #779dd5);
      background-image: linear-gradient(to bottom, #5186cb, #779dd5);
    }
  </style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
      <div class="mktoOffset" style="width: 10px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 10px;"></div><input id="Email" name="Email" placeholder="Email Address" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 250px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subBlog" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Single_OptIn_IP_Address__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Type__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Theme__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="newFirstName" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Google_Click_Id__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Source__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoRound" style="margin-left: 120px;"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
    value="7140"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="306-ZEJ-256">
</form>

<form id="mktoForm_1944" class="marketo-form mkto-form-check mktoForm mktoHasWidth mktoLayoutLeft" data-formid="1944" novalidate="novalidate" style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 833px;"
  __bizdiag="1714217501" __biza="WJ__">
  <style type="text/css">
    .mktoForm .mktoButtonWrap.mktoRound .mktoButton {
      color: #fff;
      border: 1px solid #a3bee2;
      -webkit-border-radius: 5px;
      -moz-border-radius: 5px;
      border-radius: 5px;
      background-color: #779dd5;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#779dd5), to(#5186cb));
      background-image: -webkit-linear-gradient(top, #779dd5, #5186cb);
      background-image: -moz-linear-gradient(top, #779dd5, #5186cb);
      background-image: linear-gradient(to bottom, #779dd5, #5186cb);
      padding: 0.4em 1em;
      font-size: 1em;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:hover {
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:focus {
      outline: none;
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:active {
      background-color: #5186cb;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#5186cb), to(#779dd5));
      background-image: -webkit-linear-gradient(top, #5186cb, #779dd5);
      background-image: -moz-linear-gradient(top, #5186cb, #779dd5);
      background-image: linear-gradient(to bottom, #5186cb, #779dd5);
    }
  </style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
      <div class="mktoOffset" style="width: 10px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 10px;"></div><input id="Email" name="Email" placeholder="Email Address" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 250px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subBlog" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Single_OptIn_IP_Address__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Type__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Theme__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="newFirstName" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Google_Click_Id__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Source__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoRound" style="margin-left: 120px;"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
    value="1944"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="306-ZEJ-256">
</form>

<form data-formid="7140" class="subscription-form-blog-new  mkto-form-check mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
  style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" __bizdiag="138669999" __biza="WJ__"></form>

<form class="marketo-form mkto-form-check mktoForm mktoHasWidth mktoLayoutLeft" data-formid="1944" novalidate="novalidate"
  style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" __bizdiag="138669999" __biza="WJ__"></form>

Text Content

Skip to main content

This site uses JavaScript to provide a number of functions, to use this site
please enable JavaScript in your browser.

Search

 * CXO REvolutionaries

 * Careers

 * Partners

 * Support

 * Contact Us
   
   * Get in touch
   
   * 1-408-533-0288
   
   * Chat with us

 * Sign In
   
   * admin.zscaler.net
   * admin.zscalerone.net
   * admin.zscalertwo.net
   * admin.zscalerthree.net
   * admin.zscalertbeta.net
   * admin.zscloud.net
   * Zscaler Private Access


Request a demo



 * The Zscaler Experience
   
   
   YOUR WORLD, SECURED
   
   Experience the transformative power of zero trust.
   
   
   ZSCALER: A LEADER IN THE 2023 GARTNER® MAGIC QUADRANT™ FOR SECURITY SERVICE
   EDGE (SSE)
   
   Get the full report
   
   
   
   
   THE ZSCALER DIFFERENCE
   
    * Experience the World’s Largest Security Cloud
   
    * Customer Success Stories
   
    * Analyst Recognition
   
    * Machine Learning and AI at Zscaler
   
    * Reduce Your Carbon Footprint
   
   
   ZERO TRUST FUNDAMENTALS
   
    * What is Zero Trust?
   
    * What is Security Service Edge (SSE)?
   
    * What is Secure Access Service Edge (SASE)?
   
    * What is Zero Trust Network Access (ZTNA)?
   
    * What is Secure Web Gateway (SWG)?
   
    * What is Cloud Access Security Broker (CASB)?
   
    * What is a Cloud Native Application Protection Platform (CNAPP)?
   
    * Zero Trust Resources

 * Products & Solutions
   
   
   SECURE YOUR USERS
   
   Provide users with seamless, secure, reliable access to applications and
   data.
   
   
   SECURE YOUR WORKLOADS
   
   Build and run secure cloud apps, enable zero trust cloud connectivity, and
   protect workloads from data center to cloud.
   
   
   SECURE YOUR IOT AND OT
   
   Provide zero trust connectivity for IoT and OT devices and secure remote
   access to OT systems.
   
   
   PRODUCTS
   
   Transform your organization with 100% cloud native services
   
    * Secure Internet Access (ZIA)
   
    * Secure Private Access (ZPA)
   
    * Data Protection (CASB/DLP)
   
    * Digital Experience (ZDX)
   
    * Posture Control
   
    * Partner Integrations
      
      Industry and Market Solutions
   
   
   SOLUTION AREAS
   
   Propel your business with zero trust solutions that secure and connect your
   resources
   
    * Stop Cyberattacks
   
    * Protect Data
   
    * Zero Trust App Access
   
    * VPN Alternative
   
    * Accelerate M&A Integration
   
    * Optimize Digital Experiences
   
    * Zero Trust SD-WAN
   
    * Build and Run Secure Cloud Apps
   
    * Zero Trust Cloud Connectivity
   
    * Zero Trust for IoT/OT
   
    * Zero Trust for Private 5G
   
    * Find a product or solution
   
    * Find a product or solution

 * Platform
   
   
   ZERO TRUST EXCHANGE PLATFORM
   
   Learn how Zscaler delivers zero trust with a cloud native platform built on
   the world’s largest security cloud.
   
   
   
   
   TRANSFORM WITH ZERO TRUST ARCHITECTURE
   
   Propel your transformation journey
   
    * Secure Digital Transformation
   
    * Application Transformation
   
    * Network Transformation
   
    * Security Transformation
   
   
   SECURE YOUR BUSINESS GOALS
   
   Achieve your business and IT initiatives
   
    * Ensure Secure Business Continuity
   
    * Accelerate M&A and Divestitures
   
    * Recession-Proof Your Enterprise
   
    * Secure Your Hybrid Workforce
   
    * Download Zscaler Client Connector

 * Resources
   
   
   LEARN, CONNECT, AND GET SUPPORT.
   
   Explore tools and resources to accelerate your transformation and secure your
   world
   
   
   AMPLIFYING THE VOICES OF REAL-WORLD DIGITAL AND ZERO TRUST PIONEERS
   
   Visit now
   
   
   RESOURCE CENTER
   
   Stay up to date on best practices
   
    * Resource Library
   
    * Blog
   
    * Customer Success Stories
   
    * Webinars & Demos
   
    * Zpedia
   
   
   EVENTS & TRAININGS
   
   Find programs, certifications, and events
   
    * Upcoming Events
   
    * Zenith Live
   
    * Zscaler Academy
   
    * Interactive Zscaler Whiteboard Workshop
   
   
   SECURITY RESEARCH & SERVICES
   
   Get research and insights at your fingertips
   
    * ThreatLabz Analytics
   
   
   TOOLS
   
   Tools designed for you
   
    * Security Preview
   
    * Security and Risk Assessment
   
    * Security Advisory Updates
   
    * Disclose a Vulnerability
   
    * Executive Insights App
   
    * Ransomware Protection ROI Calculator
   
   
   COMMUNITY & SUPPORT
   
   Connect and find support
   
    * Customer Success Center
   
    * Zenith Community
   
    * CXO Revolutionaries
   
    * Zscaler Help Portal
   
    * Download Zscaler Client Connector
   
   
   INDUSTRY & MARKET SOLUTIONS
   
   See solutions for your industry and country
   
    * Public Sector
   
    * Healthcare
   
    * Financial Services
   
    * Education
   
    * See all

 * Company
   
   
   ABOUT ZSCALER
   
   Discover how it began and where it’s going
   
   
   PARTNERS
   
   Meet our partners and explore system integrators and technology alliances
   
   
   NEWS & ANNOUNCEMENTS
   
   Stay up to date with the latest news
   
   
   LEADERSHIP TEAM
   
   Meet our management team
   
   
   PARTNER INTEGRATIONS
   
   Explore best-in-class partner integrations to help you accelerate digital
   transformation
   
   
   INVESTOR RELATIONS
   
   See news, stock information, and quarterly reports
   
   
   ENVIRONMENTAL, SOCIAL & GOVERNANCE
   
   Learn about our ESG approach
   
   
   CAREERS
   
   Join our mission
   
   
   PRESS CENTER
   
   Find everything you need to cover Zscaler
   
   
   COMPLIANCE
   
   Understand our adherence to rigorous standards
   
   
   ZENITH VENTURES
   
   Understand our adherence to rigorous standards

 * Request a demo
   
    * Careers
   
    * Partners
   
    * Support
   
    * Contact Us
      
      * Get in touch
      
      * 1-408-533-0288
   
    * Sign In
      
      * admin.zscaler.net
      * admin.zscalerone.net
      * admin.zscalertwo.net
      * admin.zscalerthree.net
      * admin.zscalertbeta.net
      * admin.zscloud.net
      * Zscaler Private Access

Request a demo

THREATLABZ RESEARCH

September 08, 2023


TECHNICAL ANALYSIS OF HIJACKLOADER


A NEW EVASIVE MALWARE DOWNLOADER WITH A MODULAR ARCHITECTURE




INTRODUCTION

HijackLoader is a new malware loader, which has grown in popularity over the
past few months. Even though HijackLoader does not contain advanced features, it
is capable of using a variety of modules for code injection and execution since
it uses a modular architecture, a feature that most loaders do not have. Based
on our telemetry, we have observed HijackLoader being used to load different
malware families such as Danabot, SystemBC and RedLine Stealer.

In this blog, we examine the inner workings of HighjackLoader, from its
initialization to modular design to anti-analysis techniques.

 


KEY TAKEAWAYS

 * HijackLoader is a new malware loader that ThreatLabz first observed in July
   2023.
 * The loader is being leveraged to drop numerous malware families, including
   Danabot, SystemBC, and RedLine Stealer, amplifying its potential threat.
 * HijackLoader utilizes syscalls to evade monitoring from security solutions,
   detects specific processes based on an embedded blocklist, and delays code
   execution at different stages.
 * The malware uses embedded modules that facilitate flexible code injection and
   execution - a feature uncommon among traditional loaders.

 


TECHNICAL ANALYSIS

The following sections describe each stage and component of HijackLoader. It
should be noted that the analysis focuses on one of the many samples observed by
ThreatLabz. As a result, certain parts of the analysis might differ from sample
to sample (e.g. structure field offsets).

 


FIRST STAGE LOADER


INITIALIZATION PHASE

Upon execution, HijackLoader starts by executing a modified (hooked) function of
the Windows C Runtime (CRT), which points to the entry point of the first stage.

During its initialization phase, the loader determines if the final payload has
been embedded in the binary or if it needs to download it from an external
server. To achieve this, HijackLoader includes an encrypted configuration, which
stores information such as:

 * A DWORD hash value to detect the next stage (e.g., the ti module described
   later in the text) from the modules table.
 * Windows API hashes for dynamic loading.
 * An array of DWORDs, which are used to determine if the loader has to download
   the final payload. The offsets for these fields might differ from sample
   to sample.
 * Parameters for several Windows API functions. For example, the constant
   PAGE_EXECUTE_READWRITE (0x40) for VirtualProtect.
 * A DWORD seed value, which is used for deriving a string based on the
   compromised host’s username.
 * A DWORD value, which is used for validating the payload, when loaded from
   disk, by searching it in the payload’s data. 
 * A DWORD value, which is used for detecting all blobs of the encrypted
   payload.
 * An offset for the payload URL (if any) along with an XOR key to decrypt it.
 * A blocklist of process name hashes (described later in Table 1).

The above configuration block is detected by using hardcoded offsets and then
decrypted either with a bitwise XOR or ADD operation. The offsets for the
configuration block detection (including the offset of the encryption key) might
differ from sample to sample.

 


ANTI-ANALYSIS

The first stage includes a limited set of evasion techniques:

 * Dynamic loading of Windows API functions by leveraging a custom API hashing
   technique.
 * Performing an HTTP connectivity test to a legitimate website (e.g.
   mozilla.org). If a connection cannot be made, then HijackLoader does not
   proceed with the execution and enters an infinite loop until a connection
   is made.
 * Delaying of code execution at different stages.
 * The first stager checks for the presence of a set of running processes.
   Depending on which ones are present, it executes different functionality. In
   Table 1, we summarize the corresponding functionality for each process.

Table 1 - HijackLoader blocklist of processes PROCESS NAME PRODUCT NAME
DESCRIPTION avastsvc Avast Antivirus Delay execution for 40 seconds. avgsvc AVG
Internet Security Delay execution for 40 seconds. a2service Emsisoft
Anti-Malware Skip the connectivity test. wrsa Webroot SecureAnywhere Skip the
connectivity test. msmpeng Microsoft Windows Defender No behavioral code change.

 


SECOND STAGE LOADING

HijackLoader locates the payload of the second stage (i.e., the ti module) by
following the steps below:

 1. Parses the decrypted configuration block, which was obtained from the
    initialization phase. Then, HijackLoader locates the encrypted payload URL
    and decrypts it using a bitwise XOR operation.
 2. Downloads the payload and validates it by checking for the presence of the
    signature (included in the configuration block) in its data. If the
    validation passes, it writes it to disk.
 3. Searches for encrypted blobs using the second marker. Each marker represents
    the start of an encrypted blob along with the size of the blob (which is
    stored before each occurrence). Moreover, the XOR key is located after the
    offset of the first encrypted blob.
 4. Once all encrypted blobs have been extracted, they are concatenated together
    and decrypted with the XOR key.
 5. Finally, the decrypted payload is decompressed using the LZNT1 algorithm.

Pseudocode for this process is shown in Figure 1.



Figure 1: HijackLoader second stage code to download and execute payloads

The same procedure is followed when the payload is loaded from disk. The only
difference is that HijackLoader uses an additional pattern (from the
configuration block) for finding the start offset of the embedded payload
(Figure 2).



Figure 2: HijackLoader second stage payload execution from a local file

The decrypted payload includes two components:

 * A modules table - This includes the HijackLoader modules along with their
   settings and the final payload (e.g. SystemBC).
 * Main shellcode and settings, or a list of optional files to use for
   DLL hijacking.

Next, the first stager needs to load and execute the next stage. This is
accomplished by obtaining the file path of the DLL to patch (e.g. mshtml.dll)
and a table for the modules of HijackLoader that is included in the decrypted
payload. 

Then, HijackLoader loads the specified DLL and locates the next stager (ti
module) after searching for its hash (included in the configuration block) in
the modules table. Lastly, it copies the module’s data into the code section of
the legitimate DLL and executes it.

NOTE: The file paths and names of files that are written to disk by HijackLoader
are generated based on the username of the compromised host.

 


MODULES

HijackLoader’s modules assist with the code injection and execution process of
the final payload. The table below shows the modules identified by ThreatLabz,
along with the corresponding CRC32 values and functionality.

 

Table 2 - HijackLoader modules observed by ThreatLabz CRC32 MODULE NAME
DESCRIPTION 0x78b783ca AVDATA Blocklist of security products’ process names. The
blocklist includes the CRC32 value of each process name. 0x757c9405 ESAL Clears
out the shellcode data and executes the final payload. 0x6364a15b ESAL64 64-bit
version of the ESAL module. 0xe7794e15 ESLDR Assists with code injection of the
main instrumentation shellcode. 0x4fa01ac5 ESLDR64 64-bit version of ESLDR
module. 0x93eb1cb1 ESWR Clears out the shellcode data and executes the rshell
module. 0x699d0c82 FIXED Legitimate executable file (e.g., QQPCMgr), which is
used for injecting code into its process.

0xfea2e0eb


  LauncherLdr Decrypts the stored modules table file from disk. We have only
seen the 64-bit version of this module being included. 0xf4f141c2 LauncherLdr64
64-bit version of LauncherLdr module. 0x74984889 rshell Relocates, parses and
executes the final payload. 0x7b37e907 rshell64 64-bit version of rshell module.
0x3ee477f1 ti Executed after the first stage. Performs code injection for other
stages and modules. 0x2ab77db8 ti64 64-bit version of ti module. 0x4eace798
tinystub Empty executable file, which is used for patching during the final
payload execution process. 0xa1d724fc tinyutilitymodule.dll Overwrites the PE
headers of a specified file with null bytes. 0x263596ba tinyutilitymodule64.dll
64-bit version of tinyutilitymodule.dll module. 0x1ae7700a Unknown Unknown
module. Not included in any of the observed binaries. Based on the analyzed
code, we assess that it includes a file path along with an optional parameter.
The current running file is copied into this new location and executed along
with the specified parameter. N/A Main instrumentation shellcode Shellcode
injected into the specified target process from the ti module. This module is
responsible for executing the final payload.

 

Moreover, each module has a structure that holds information such as:

 * Module name
 * Module offset in the table
 * Module size

Due to the quality of the code and because the rest of the structure fields are
not being used, ThreatLabz was not able to identify the purpose for the rest of
the structure members. However, ThreatLabz assesses that the following
information might be included as well:

 * Module timestamp
 * Internal names (e.g., rLdr64 for the rshell module)

From the modules mentioned above, our analysis focused on the ti and the main
instrumentation shellcode modules since these two implement the majority of the
core functionality for HijackLoader.

 


TI MODULE

ANTI-ANALYSIS

The anti-analysis techniques are the same as presented in the previous section,
but there are two notable differences:

 1. The developers have included the Heaven's gate technique.
 2. The process blocklist remains the same but the code behavior is different as
    can be seen in Table 3.

Table 3 - Process blocklist in the HijackLoader ti module PROCESS NAME
DESCRIPTION avastsvc
 * Adds persistence by creating a shortcut (LNK) file and saving the current
   executable under a random filename in the Windows folder %AppData%. NOTE: A
   flag, which is set in the decrypted payload at offset 4 is required too.
 * Generates a random environment variable name with seed 0xE1ABD1C2 and a new
   random filename. This is used at a later stage for storing the modules table.
 * Writes to disk a legitimate executable file (the FIXED module) and uses it
   for code injection at a later stage.

avgsvc Same as avastsvc a2service No behavioral code change. wrsa No behavioral
code change. msmpeng No behavioral code change.

 

EXECUTION PHASE

The primary role of the ti module is to inject the main instrumentation module,
which is responsible for loading the final stage. 

The ti module executes the next stage by using one of the following methods:

 * Re-executes the initial file from a new location and parameter (if the module
   with the CRC32 value 0x1ae7700a exists).
 * Creates a new process (specified in the configuration), maps the hijacked
   file into it (e.g. mshtml), and injects the main instrumentation shellcode.
   In addition (depending on the configuration flags), it executes the FIXED
   module, which might be used later for code injection.
 * HijackLoader might include an additional set of files, which can be used for
   DLL hijacking. In this case, it writes them to disk along with the encrypted
   payload (from stage 1) and executes the hijacked executable.
 * Executes the ESLDR module, which injects the main instrumentation shellcode.

 


MAIN INSTRUMENTATION MODULE

The main instrumentation module contains the core functionality for loading and
executing the final stage of the infection chain.

 

ANTI-ANALYSIS

The anti-analysis techniques remain the same with the previous aforementioned
stages. However, one key difference is the deployment of the AVDATA module. The
AVDATA module contains a set of process names and if any of them are detected
then the code behavior might change. The process names observed by ThreatLabz
and their CRC32 values are presented in the table below.

 

Table 4 - Process name blocklist in the HijackLoader AVDATA module CRC32 PRODUCT
NAME PROCESS NAME 0xb02ef94 Avast Antivirus avastsvc.exe 0xc0bfbba0 ESET Smart
Security ekrn.exe 0x40cb21d3 Kaspersky AntiVirus avp.exe 0xc0fe273f Symantec
Event Manager ccsvchst.exe 0x9e0539f6 Norton 360 n360.exe 0xe6ef3ab Avira
avguard.exe 0x8e9e8add AVG Internet Security avgsvc.exe 0x923d5594 AVG Internet
Security avgui.exe 0xce1599c2 BitDefender AntiVirus vsserv.exe 0x83ed98a3
BitDefender AntiVirus epsecurityservice.exe 0xd50dea99 TrendMicro AntiVirus
coreserviceshell.exe 0x2fba3706 McAfee Antivirus mcshield.exe 0x1235ed11 McAfee
Antivirus mctray.exe 0x3a39ba4 Norton Internet Security nis.exe 0xe981e279
Norton Internet Security ns.exe 0x19e8fad2 BitDefender Antivirus bdagent.exe
0x5f1c2fc2 Trend Micro Security uiseagnt.exe 0xc68b2fd8 ByteFence Anti-Malware
bytefence.exe 0xefba2118 McAfee Security Scan Plus mcuicnt.exe 0xfeb42b97
Internet Security Essentials vkise.exe 0x6274fa64 Comodo Internet Security
cis.exe 0x4420ef23 Malwarebytes Anti-Malware mbam.exe 0x31c100e7 360 Safe Guard
zhudongfangyu.exe 0x219b199a 360 Total Security 360tray.exe 0x64760001 N/A
Unknown 0x27873423 N/A Unknown 0x8bdc7f5b N/A Unknown

 

Each process block in the AVDATA module has the following structure:

struct avdata_process_block
{
  unsigned int CRC32; // CRC32 value of process.
  unsigned char Execution_Type; // Code execution method for the final payload.
  unsigned char LNK_Persistence_Flag; // Adds persistence with an LNK shortcut
file.
  unsigned char unknown; // Not used.
  unsigned char unknown_2; // Not used.
  int BITS_Persistence_Flag; // Adds persistence by creating a BITS job.
  int unknown_3; // Not used.
  int unknown_4; // Not used.
  int Injection_Type; // Defines what code injection method to use.
  int overwrite_pe_headers_with_junk_Flag; // Used during module deployment.
};

 

PERSISTENCE

As described in the structure above, persistence on the compromised host is
established via the following methods:

 * Creation of a BITS job, which points to the executable file.
 * Creation of a shortcut file (LNK) in the Windows Startup folder. The
   shortcut’s path is added in a new BITS job and points to the executable file.

FINAL PAYLOAD DECRYPTION AND EXECUTION

The embedded payload is decrypted using a bitwise XOR operation with the key
being derived from the first 200 bytes. This can be easily represented in Python
as follows:

enc_data = data[200:]
key = data[:200]
dec = bytearray()
for idx in range(0, len(enc_data), 4):
    dec_int = struct.unpack("<L", enc_data[idx:idx+4])[0] ^ struct.unpack("<L",
key[idx%200:idx%200 + 4])[0]
    dec.extend(dec_int.to_bytes((dec_int .bit_length() + 7) //
8, byteorder='little'))

HijackLoader’s shellcode then proceeds with the injection or direct execution of
the decrypted payload. The technique the shellcode uses depends on a number of
different factors such as the payload’s file type and a flag, which is stored in
the settings and indicates the injection method to use. In the table below, we
describe each case along with a description of the action taken.

 

Table 5 - HijackLoader Code Injection Methods INJECTION TYPE DESCRIPTION DLL
file type. In the case of a DLL file type, the shellcode parses the PE file and
leverages the ESLR module, which erases the shellcode data and executes directly
the entry point of the DLL. Code injection when the injection flag is set to 3
and PE relocation is required (Method 1).

Creates a process of the FIXED module and writes to disk a file, which includes
various information such as:

 * Pointer to the address of the rshell module data.
 * Process and thread handles of the created process.
 * Pointer to the address of the final payload.

Then it executes the ESWR module, which injects the rshell module into the
created process. As a result, the rshell module reads the written file and
therefore the data of the final payload. After relocating and parsing the file,
HijackLoader executes the final payload. Code injection when the injection flag
is set to 3 and PE relocation is required (Method 2).
 * Creates a process of the FIXED module, loads the tinystub module, and adds a
   new PE section to it.
 * The patched stub module is written to the disk. It is important to note that
   HijackLoader writes the data without including the “MZ” string. Instead, it
   delays the execution for a few seconds and then writes to the file the MZ
   signature byte-by-byte.
 * Finally, it proceeds with the execution of the final payload as described in
   the previous method.

Code injection when the injection flag is set to 3 and no PE relocation is
required (Method 1).

The implementation is similar to the previous two cases. However, there are a
few notable differences:

 * HijackLoader adds a new section in the final payload file. This new section
   has the rshell module.
 * In the case of a .NET file, HijackLoader creates an msbuild process instead
   of using the FIXED module.
 * The code searches for certain values in the rshell module and replaces them
   with the same values that are used in the file, which is written to disk
   (i.e., egg-hunting).
 * In order to evade detection by security products, it writes random data to
   the injected process.

Code injection when the injection flag is set to 3 and no PE relocation is
required (Method 2). Same code injection technique as with the previous case,
but the data injection takes place with timing delays. Code injection when the
injection flag is set to 3 with a .NET PE file.
 * Creates an msbuild process, and injects the rshell module and the payload. 
 * Searches for certain values in the rshell module and replaces them to point
   to the address of the decrypted payload along with the injection type and the
   payload size. NOTE: No file is written on disk.
 * Writes random data in the injected process.

Code injection when the injection flag is set to 4.
 * Creates an msbuild process and injects the rshell module and the payload. 
 * Searches for certain values in the rshell module and replaces them to point
   to the address of the decrypted payload along with the injection type and the
   payload size. NOTE: No file is written on disk.
 * Writes random data in the injected process.

 

 


CONCLUSION

In summary, HijackLoader is a modular loader with evasion techniques, which
provides a variety of loading options for malicious payloads. Moreover, it does
not have any advanced features and the quality of the code is poor. However,
considering the increasing popularity of HijackLoader, we expect code
improvements and further usage from more threat actors, especially to fill the
void left by Emotet and Qakbot.

In addition to staying on top of these threats, Zscaler's ThreatLabz team
continuously monitors for new threats and shares its findings with the wider
community.

 


CLOUD SANDBOX

Zscaler’s multilayered cloud security platform detects indicators related to
HijackLoader at various levels.




 


INDICATORS OF COMPROMISE (IOCS)


HOST INDICATORS

SHA256 Hash DESCRIPTION
7bd39678ac3452bf55359b44c5192b79412ce61a82cd72eef88f91aba5792ee6 HijackLoader
6b1621bded06b082f83c731319c9deb2fdf751a4cec1d1b2b00ab9e75f4c29ca HijackLoader
e67790b394f5238908fcc326a9db940b200d9b50cbb45f0bfa94038db50beeae HijackLoader
693cace37b4b6fed2ca67906c7a4b1c11273110561a207a222aa4e62fb4a184a HijackLoader
04c0a4f3b5f787a0c9fa8f6d8ef19e01097185dd1f2ba40ae4bbbeca9c3a1c72 HijackLoader

 


NETWORK INDICATORS

IOC DESCRIPTION

hxxps://www.4sync[.]com/web/directDownload/KFtZys

VO/4jBKM7R0.baa89a7b43a7b73227f22ae561718f7f

Payload URL, which HijackLoader uses to load Danabot.

hxxps://geupdate-service[.]bond/img/3344379399.png

Payload URL, which HijackLoader uses to load RedLine stealer.

 


REFERENCES

 * "Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma
   Infostealers" by Natalie Zargarov

 * Security Research
 * Threatlabz Research

 * 
 * 
 * 
 * 
 * 


AUTHOR


NIKOLAOS PANTAZOPOULOS


RECOMMENDED FOR YOU

RISE IN TECH-SUPPORT SCAMS ABUSING WINDOWS ACTION CENTER NOTIFICATIONS

STEAL-IT CAMPAIGN

A LOOK INTO DUCKTAIL

JANELARAT: REPURPOSED BX RAT VARIANT TARGETING LATAM FINTECH


GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX

*












Subscribe
Subscription confirmed. More of the latest from Zscaler, coming your way soon!

By submitting the form, you are agreeing to our privacy policy.

THE ZSCALER EXPERIENCE

THE ZSCALER EXPERIENCE



Learn about:

Your world, secured.

Zero Trust

Security Service Edge (SSE)

Secure Access Service Edge (SASE)

Zero Trust Network Access (ZTNA)

Secure Web Gateway (SWG)

Cloud Access Security Broker (CASB)

Cloud Native Application Protection Platform (CNAPP)

PRODUCTS & SOLUTIONS

PRODUCTS & SOLUTIONS



Secure Your Users

Secure Your Workloads

Secure Your IoT and OT

Secure Internet Access (ZIA)

Secure Private Access (ZPA)

Data Protection (CASB/DLP)

Digital Experience (ZDX)

Posture Control

Industry & Market Solutions

Partner Integrations

Zscaler Client Connector

PLATFORM

PLATFORM



Zero Trust Exchange Platform

Secure Digital Transformation

Application Transformation

Network Transformation

Security Transformation

RESOURCES

RESOURCES



Resource Library

Security Preview

Security & Risk Assessment

ThreatLabz Analytics & Insights

Upcoming Events

Blog

Zscaler Academy

CXO Revolutionaries

Zpedia

Ransomware Protection ROI Calculator

POPULAR LINKS

POPULAR LINKS



Pricing & Plans

About Zscaler

Leadership Team

Career Opportunities

Find or Become a Partner

Customer Success Center

Investor Relations

Press Center

News & Announcements

ESG

Compliance

Contact Zscaler

Zscaler is universally recognized as the leader in zero trust. Leveraging the
largest security cloud on the planet, Zscaler anticipates, secures, and
simplifies the experience of doing business for the world's most established
companies.

 * English
 * * Français
   * Deutsch
   * Italiano
   * 日本語
   * Castellano - Mexico
   * Castellano - España


*












Subscribe

Thanks for subscribing

Sitemap

Privacy

Legal

Security

Impressum

© 2023 Zscaler, Inc.  All rights reserved. Zscaler™ and other trademarks listed
at zscaler.com/legal/trademarks are either (i) registered trademarks or service
marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States
and/or other countries. Any other trademarks are the properties of their
respective owners.

Zscaler uses cookies to personalize content and ads, to provide social media
features and to analyze our traffic. We also share information about your use of
our site with our social media, advertising and analytics partners.Please review
our Cookies Policy for more information.

Cookies Settings Accept Cookies