Monday, February 10, 2025
HomeCyber AttackHijackLoader Malware Attack Windows Via Weaponized PNG Image

HijackLoader Malware Attack Windows Via Weaponized PNG Image

Published on

SIEM as a Service

Follow Us on Google News

In a recent cybersecurity breakthrough, researchers have unveiled significant updates to the HijackLoader malware, a sophisticated modular loader notorious for delivering a variety of malicious payloads.

The malware has been updated to deploy threats such as Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT, showcasing an alarming versatility in its operations.

HijackLoader has evolved to incorporate a novel technique involving using a PNG image to decrypt and initiate the loading of subsequent stages.

PNG payload

This method is part of a broader strategy that includes dynamic API resolution, meticulous blocklist process checking, and evasion of user mode hooks, highlighting the malware’s increasing sophistication in avoiding detection.

The updates also introduce new modules designed to enhance the malware’s functionality. These include capabilities for creating processes, bypassing User Account Control (UAC), adding exclusions to Windows Defender, and writing files, thereby expanding the malware’s ability to compromise and control infected systems.

Detailed analysis of HijackLoader’s operational stages reveals intricate technical mechanisms.

The first and second stages of the malware involve complex loading processes, module utilization, and injection methods, underscoring the advanced nature of this threat.

Furthermore, the research provides insights into the prevalence of various malware families distributed by HijackLoader, offering a glimpse into the ecosystem of threats facilitated by this loader.

The distribution statistics indicate a diverse range of payloads, emphasizing the loader’s role in the broader cybercrime landscape.

To aid in the fight against this evolving threat, the cybersecurity community has been provided with Indicators of Compromise (IOCs) and a list of MITRE ATT&CK techniques associated with HijackLoader.

These resources are crucial for detecting and mitigating the impact of this malware, as it continues to pose a significant challenge to cybersecurity defences worldwide.

The continuous evolution of HijackLoader underscores the dynamic nature of cyber threats and the need for ongoing vigilance and innovation in cybersecurity measures.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...

Ransomware Payments Plunge 35% as More Victims Refuse to Pay

In a significant shift within the ransomware landscape, global ransom payments plummeted by 35%...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...