Hijack Loader Update: New Version of the Malware Adopts Process Hollowing

admin, 9 May 2024, 15:17:43

A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar.

"These enhancements aim to increase the malware's stealthiness, thereby remaining undetected for longer periods of time," Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report.

"Hijack Loader now includes modules to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking that is often used by security software for detection, and employ process hollowing."

Hijack Loader, also called IDAT Loader, is a malware loader that was first documented by the cybersecurity company in September 2023. In the intervening months, the tool has been used as a conduit to deliver various malware families.

This includes Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Racoon Stealer V2, Remcos RAT, and Rhadamanthys.

What makes the latest version notable is the fact that it decrypts and parses a PNG image to load the next-stage payload, a technique that was first detailed by Morphisec in connection with a campaign targeting Ukrainian entities based in Finland.

The loader, per Zscaler, comes fitted with a first stage that is responsible for extracting and launching the second stage from a PNG image, which is either embedded in the loader or downloaded separately, depending on the malware's configuration.

"The main purpose of the second stage is to inject the main instrumentation module," Irfan explained. "To increase stealthiness, the second stage of the loader employs more anti-analysis techniques using multiple modules."

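The article says the first stage pulls the second stage out of a PNG image, so an analyst triaging a suspicious image wants to know where a PNG deviates from a plain picture. The following Python is an added example, not code from Zscaler, Morphisec or the article: it walks the PNG chunk list and flags non-standard chunk types, CRC mismatches, an IDAT stream that is not valid zlib data, and bytes appended after IEND. The sample images, the chunk type xXxX and the filler bytes are all constructed for the demonstration.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a second look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
         b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME"}

def chunk(ctype, body):
    """Build one PNG chunk: big-endian length, 4-byte type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def parse_png(data):
    """Walk the chunk list up to IEND; return [(type, body, crc_ok)] and any trailing bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + body)
        chunks.append((ctype, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def triage_png(data):
    """Return human-readable findings; an empty list means the file looks structurally ordinary."""
    findings = []
    chunks, trailer = parse_png(data)
    for ctype, body, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in KNOWN:
            findings.append(f"non-standard chunk {name} carrying {len(body)} bytes")
        if not crc_ok:
            findings.append(f"CRC mismatch on {name} chunk")
    try:  # the concatenated IDAT bodies of a real image form one zlib stream
        zlib.decompress(b"".join(b for t, b, _ in chunks if t == b"IDAT"))
    except zlib.error:
        findings.append("IDAT data does not decompress as a zlib stream")
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after IEND")
    return findings
# Constructed 1x1 greyscale image: IHDR, one IDAT (filter byte + pixel), IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
# Constructed suspect variant: a made-up chunk type holding opaque bytes, plus data past IEND.
SUSPECT_PNG = (PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
               + chunk(b"xXxX", b"\x55" * 64) + chunk(b"IEND", b"") + b"\x41" * 32)
```

Run `triage_png(open(path, "rb").read())` on a file of interest; a clean image returns an empty list, while anything reported is a reason to look at the chunk contents by hand.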
Hijack Loader artifacts detected in the wild in March and April 2024 also incorporate as many as seven new modules to help create new processes, perform UAC bypass, and add a Windows Defender Antivirus exclusion via a PowerShell command.

Adding to the malware's stealth is its use of the Heaven's Gate technique to circumvent user mode hooks, as previously disclosed by CrowdStrike in February 2024.

"Amadey has been the most commonly delivered family by HijackLoader," Irfan said. "The loading of the second stage involves the use of an embedded PNG image or PNG image downloaded from the web. Additionally, new modules have been integrated into HijackLoader, enhancing its capabilities and making it even more robust."

The development comes amid malware campaigns distributing other malware loader families, such as DarkGate, FakeBat (aka EugenLoader) and GuLoader, via malvertising and phishing attacks.

It also follows the emergence of an information stealer called TesseractStealer that's distributed by ViperSoftX and utilizes the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.

"The malware focuses on specific data related to credentials and cryptocurrency wallet information," Broadcom-owned Symantec said. "Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the Quasar RAT malware family."

References

[1]https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html

Originally published on the WeChat public account 知机安全: Hijack Loader Update: New Version of the Malware Adopts Process Hollowing

Reprints should retain the link to this article (CN-SEC Chinese site; thanks to the original author for their work): http://cn-sec.com/archives/2723700.html