HijackLoader Updates

May 7, 2024, 8:48 a.m.

Description

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It relies on a set of modules for code injection, execution, and evasion. This report analyzes the updated version of HijackLoader, which adds modules for bypassing Windows Defender Antivirus and User Account Control, for inline API hooking, and for process hollowing. The report covers the technical details of HijackLoader's delivery method, in which a PNG image is used to load the next stage, as well as the malware families it has been observed distributing, including Amadey, Lumma Stealer, Raccoon Stealer v2, and Remcos RAT.

Date

Published: May 7, 2024, 8:36 a.m.
Created: May 7, 2024, 8:36 a.m.
Modified: May 7, 2024, 8:48 a.m.

Indicators


Attack Patterns

Meta Stealer

Raccoon Stealer v2

Amadey - S1025

Lumma Stealer

Remcos

Rhadamanthys

T1548.001

T1547.001

T1562.001

T1057

T1055

T1140