A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
First observed by the company in July 2023, the loader uses several techniques to stay under the radar: direct system calls to sidestep the user-mode API hooks that security products rely on for monitoring, checks of running processes against an embedded blocklist of security-software process names, and delays of as much as 40 seconds at different stages of execution to outlast sandbox time limits.
Persistence on the compromised host is achieved by creating a shortcut file (LNK) in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job, so the loader is re-fetched and run each time the user logs on.
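The Startup-folder LNK plus BITS-job combination above is easy to hunt for on a suspect host. The PowerShell script below is an added example, not code from the article or from any vendor report: it enumerates the two standard Startup folders, resolves every shortcut's target and arguments, flags any that hand off to BITS (bitsadmin.exe or a -BitsTransfer cmdlet), and then summarises the BITS jobs currently queued. The folder list and the indicator regex are assumptions for illustration, not indicators taken from the article.

```powershell
# Added example, not code from the article or from any vendor report.
# Hunts for the persistence pattern described above: a .lnk in a Startup
# folder whose target hands off to BITS, plus a listing of current BITS jobs.

# Assumed: the two standard Startup locations (per-user and all-users).
$StartupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)

# Assumed indicator: command lines that reach BITS directly or via PowerShell.
$BitsPattern = '\bbitsadmin(\.exe)?\b|-BitsTransfer\b'

function Find-StartupBitsShortcut {
    param([string[]]$Dirs = $StartupDirs, [string]$Pattern = $BitsPattern)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
            # CreateShortcut only parses the existing .lnk; it does not execute it.
            $sc = $shell.CreateShortcut($lnk.FullName)
            $cmdline = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
            [pscustomobject]@{
                Shortcut    = $lnk.FullName
                CommandLine = $cmdline
                Created     = $lnk.CreationTime
                Suspicious  = [bool]($cmdline -match $Pattern)
            }
        }
    }
}

function Get-BitsJobSummary {
    # -AllUsers needs an elevated session; without it only the caller's jobs are returned.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            State       = $_.JobState
            Owner       = $_.OwnerAccount
            Created     = $_.CreationTime
            Transfers   = ($_.FileList | ForEach-Object { '{0} -> {1}' -f $_.RemoteName, $_.LocalName }) -join '; '
        }
    }
}

# Every Startup shortcut is listed, not only the flagged ones: a keyword match
# is a low bar, and a shortcut that launches powershell.exe with encoded
# arguments will not match the regex but still deserves a look.
Write-Host '== Startup shortcuts (Suspicious = references BITS) =='
Find-StartupBitsShortcut | Sort-Object Suspicious -Descending | Format-Table -AutoSize

Write-Host '== BITS jobs =='
Get-BitsJobSummary | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-BitsTransfer -AllUsers can see jobs owned by other accounts. For continuous detection rather than a one-off hunt, the same two signals are available from telemetry: file-creation events for *.lnk under either Startup folder (Sysmon Event ID 11, for example) and job-creation and transfer-start events in the Microsoft-Windows-Bits-Client/Operational log, which can be correlated on the remote URL and local destination path.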
The disclosure comes as Flashpoint detailed an updated version of an information-stealing malware known as RisePro that was previously distributed via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.
It also follows the discovery of a new information stealer written in Node.js that’s packaged into an executable and distributed via malicious Large Language Model (LLM)-themed Facebook ads and bogus websites impersonating ByteDance’s CapCut video editor.
This is the second time fake CapCut websites have been observed delivering stealer malware. In May 2023, Cyble uncovered two different attack chains that leveraged the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.
The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and conduct post-exploitation actions.
“It also attempts to reduce its traceability and maintain a foothold on the compromised system. The malware appears to be well-designed for data theft and exfiltration, while evading detection by security tools as well as dynamic analysis sandboxes.”
Source: https://thehackernews.com/