HijackLoader Evolves: Researchers Decode the Latest Evasion Methods

admin | 9 February 2024 12:30:09 | 12 views | 4,440 characters | 14 min 48 s read


The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.


"The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe," CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. "This new approach has the potential to make defense evasion stealthier."


HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It's also known to share a high degree of similarity with another loader known as IDAT Loader.


Both loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to use by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.


"Think of loaders like wolves in sheep's clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools," Liviu Arsene, director of threat research and reporting at CrowdStrike, said in a statement shared with The Hacker News.


"This recent variant of HijackLoader (aka IDAT Loader) steps up its sneaking game by adding and experimenting with new techniques. This is similar to enhancing its disguise, making it stealthier, more complex, and more difficult to analyze. In essence, they're refining their digital camouflage."


The starting point of the multi-stage attack chain is an executable ("streaming_client.exe") that checks for an active internet connection and proceeds to download a second-stage configuration from a remote server.


The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques, which increase both the complexity of analysis and the defense evasion capabilities.


"The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user mode hooks using Heaven's Gate and injects subsequent shellcode into cmd.exe," the researchers said.


"The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process."

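The chain described above leaves two observable traces on the endpoint: a cmd.exe child spawned by the first-stage executable, and a cmd.exe process that loads mshtml.dll, a library a command shell has no reason to map. The following Python is an added defender-side illustration (not code from the CrowdStrike report or from the loader) that correlates process-creation and image-load events to surface that pattern; the sample events are constructed, and the field names (EventID 1 for process creation, EventID 7 for image load, ProcessId, Image, ParentImage, ImageLoaded) assume a Sysmon-style export.

```python
from collections import defaultdict

# Constructed sample telemetry. PIDs, paths and the user name are made up;
# the file names are the indicators the article names (streaming_client.exe,
# cmd.exe, mshtml.dll). PID 300 is a benign interactive shell for contrast.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 100, "Image": r"C:\Users\u\Downloads\streaming_client.exe",
     "ParentProcessId": 1, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 200, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentProcessId": 100, "ParentImage": r"C:\Users\u\Downloads\streaming_client.exe"},
    {"EventID": 7, "ProcessId": 200, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\mshtml.dll"},
    {"EventID": 1, "ProcessId": 300, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 1, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 300, "Image": r"C:\Windows\System32\cmd.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_hollowed_cmd(events,
                      unexpected_modules=frozenset({"mshtml.dll"}),
                      ioc_parents=frozenset({"streaming_client.exe"})):
    """Return one finding per cmd.exe process that matches the HijackLoader chain.

    Two independent signals are checked so the behavioural one (an HTML
    rendering DLL mapped into a shell) still fires if the first-stage
    binary is renamed; the parent-name check is a plain IoC from the article.
    """
    procs = {}                 # pid -> process-creation event
    loads = defaultdict(set)   # pid -> set of loaded module names
    for e in events:
        if e["EventID"] == 1:
            procs[e["ProcessId"]] = e
        elif e["EventID"] == 7:
            loads[e["ProcessId"]].add(basename(e["ImageLoaded"]))

    findings = []
    for pid, e in procs.items():
        if basename(e["Image"]) != "cmd.exe":
            continue
        reasons = []
        parent = basename(e.get("ParentImage", ""))
        if parent in ioc_parents:
            reasons.append(f"parent {parent} is a known HijackLoader first stage")
        odd = loads[pid] & unexpected_modules
        if odd:
            reasons.append("cmd.exe loaded " + ", ".join(sorted(odd)))
        if reasons:
            findings.append({"pid": pid, "parent": parent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hollowed_cmd(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['parent']}): " + "; ".join(f["reasons"]))
```

Run against the constructed events, only PID 200 is reported, with both reasons; the interactive shell (PID 300) is untouched. In a real pipeline the module rule is the one worth tuning, since the loader can rename its first stage but still has to map a hollowed DLL into the child.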

Heaven's Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code in 32-bit processes in Windows, effectively bypassing user-mode hooks.


One of the key evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has been previously observed in malware such as the Osiris banking trojan.


"Loaders are meant to act as stealth launch platforms for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the initial stages," Arsene said.


"Investing in new defense evasion capabilities for HijackLoader (aka IDAT Loader) is potentially an attempt to make it stealthier and fly below the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of the existing defense evasion capabilities while also increasing the complexity of analysis for threat researchers."


Originally published on the WeChat official account 知机安全: HijackLoader Evolves: Researchers Decode the Latest Evasion Methods

Published by admin on 9 February 2024 12:30:09. Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/2484089.html
