Security researchers at Zscaler ThreatLabz have identified a new malware loader called HijackLoader which is proving popular within the cybercriminal community. The malware is being used to infect devices with several different malware payloads, including DanaBot, SystemBC, and the RedLine Stealer. The Zscaler ThreatLabz team has yet to establish which initial access vectors are used to distribute the malware.
HijackLoader is a modular malware loader that uses a variety of modules for code injection and several techniques to evade detection, including scanning for processes associated with security solutions and delaying malicious activity by up to 40 seconds. The malware maintains persistence via a shortcut (LNK) file in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job created by the malware.
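Added here as a defender's hunt example, not code from Zscaler's report: a PowerShell script that lists Startup-folder LNK files whose target or arguments reference BITS tooling and enumerates BITS jobs for all users, covering the persistence chain described above. The pattern list and the assumption that the shortcut invokes bitsadmin.exe or the BITS cmdlets are mine; run it elevated so that Get-BitsTransfer -AllUsers can see every user's jobs.

```powershell
# Hunt for Startup-folder LNK files that hand off to BITS (assumed patterns).
$Patterns = @('bitsadmin', 'Start-BitsTransfer', 'Resume-BitsTransfer')

# Current user's and all-users Startup folders, plus every profile's Startup folder.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) + (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
      ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })

$Shell = New-Object -ComObject WScript.Shell
$LnkFindings = foreach ($dir in ($StartupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        # Resolve the shortcut target and arguments; the BITS reference may sit in either.
        $sc  = $Shell.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        foreach ($p in $Patterns) {
            if ($cmd -match [regex]::Escape($p)) {
                [pscustomobject]@{ Type = 'StartupLNK'; Path = $lnk.FullName; Command = $cmd; Match = $p }
                break
            }
        }
    }
}

# Enumerate BITS jobs for every user: a job whose NotifyCmdLine runs a binary,
# or whose destination is a user-writable path, is worth a closer look.
$JobFindings = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Type      = 'BITSJob'
        Name      = $_.DisplayName
        Owner     = $_.OwnerAccount
        State     = $_.JobState
        NotifyCmd = $_.NotifyCmdLine
        Files     = ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
    }
}

@($LnkFindings) + @($JobFindings) | Format-List
```

Review any LNK hit together with the BITS job it references; a legitimate Startup shortcut rarely needs BITS at all.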
The malware was first identified in July 2023, and while it lacks advanced features and its code quality is poor, it does facilitate flexible code injection and execution, which is atypical for malware loaders. Despite its shortcomings, the malware is proving popular within the cybercriminal community, and code improvements and further development are expected, especially since there is currently a void due to the disruption of the Emotet and QakBot botnets.
Zscaler has published a detailed analysis of the malware and has shared Indicators of Compromise (IoCs).