Full Report
Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems. "Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in
Analysis Summary
# Tool/Technique: Hijack Loader
## Overview
Hijack Loader is a malware loader, first discovered in 2023, designed to deliver second-stage payloads, often including information stealer malware. The latest iteration introduces advanced evasion techniques to complicate analysis and detection. It is also known by the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
## Technical Details
- Type: Malware Family (Loader)
- Platform: Windows (implied by techniques like Heaven's Gate, NtCreateThreadEx, and specific PE file mentions)
- Capabilities: Delivering secondary payloads, bypassing security software, code injection, anti-analysis/anti-VM checks, persistence establishment.
- First Seen: 2023
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1055 - Process Injection
- T1070.004 - File Deletion
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (Implied by persistence mechanism)
- **TA0011 - Command and Control**
- T1071.001 - Web Protocols (If C2 is over web protocols)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
- **Payload Delivery:** Acts as a loader for secondary malware, such as information stealers.
- **Code Injection:** Leverages the Heaven's Gate technique to execute 64-bit direct syscalls for process injection.
- **Persistence:** Implements persistence via a dedicated `modTask` module, setting up scheduled tasks.
### Advanced Features
- **Call Stack Spoofing:** Implements a new module utilizing a chain of EBP pointers to traverse the stack and replace actual stack frames with fabricated ones, concealing the origin of API and system calls.
- **Anti-VM/Anti-Sandbox Checks:** Includes an `ANTIVM` module specifically designed to detect malware analysis environments and sandboxes.
- **Process Blocklisting:** Expands its blocklisted process list to include components such as "avastsvc.exe" (an Avast Antivirus component); when such a process is found, execution is delayed for five seconds until the process is no longer running.
- **Use of Legitimate Certificates:** Campaigns have been observed leveraging legitimate code-signing certificates for distribution.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context, distribution often involves specific files dropped by dropper/phishing mechanism]
- Registry Keys: [Not specified in context, but persistence utilizes scheduled tasks]
- Network Indicators: [Not specified in context]
- Behavioral Indicators:
- Execution of direct syscalls via Heaven's Gate.
- Attempts to manipulate the call stack structure during API calls.
- Enumeration/checking of running system processes (e.g., checking for avastsvc.exe).
- Creation of scheduled tasks for persistence (`modTask`).
## Associated Threat Actors
- [Not explicitly named in the context, but associated with campaigns leveraging certificate signing and ClickFix distribution.]
## Detection Methods
- Signature-based detection: [Need updated signatures reflecting new modules and stack manipulation techniques.]
- Behavioral detection: Monitoring for unusual stack frame constructions (stack spoofing) and direct 64-bit syscall execution that bypasses the standard API wrappers. Detection of environmental checks (`ANTIVM`).
- YARA rules: [Not specified in context]
## Mitigation Strategies
- Implement robust application control policies.
- Enhance endpoint detection rules to alert on anomalous stack manipulation during system calls.
- Ensure comprehensive endpoint visibility, particularly around process injection mechanisms like Heaven's Gate.
- Keep security software (including AV/EDR) up-to-date to potentially detect sandbox evasion triggers.
## Related Tools/Techniques
- CoffeeLoader (Also utilizes call stack spoofing technique).
- SmokeLoader
***
# Tool/Technique: SHELBY Malware (SHELBYLOADER / SHELBYC2)
## Overview
SHELBY is a new malware family detailed by Elastic Security Labs, characterized by its use of GitHub for command-and-control (C2), data exfiltration, and remote control capabilities. It is used in activity tracked as REF8685.
## Technical Details
- Type: Malware Family (Loader/Backdoor)
- Platform: Windows (involves .NET binaries, DLLs, and PowerShell)
- Capabilities: C2 communication via GitHub commits, DLL side-loading, in-memory payload loading via AES decryption, sandbox detection.
- First Seen: Activity detailed in the October 2024 context.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- T1102 - Web Service (Utilizing GitHub as C2)
- **TA0002 - Execution**
- T1574.001 - DLL Side-Loading (SHELBYLOADER utilizing "HTTPService.dll")
- **TA0005 - Defense Evasion**
- T1055 - Process Injection
- T1027.004 - Obfuscated Files or Information (Implied by reflective loading)
- **TA0009 - Collection**
- T1005 - Data from Local System (Exfiltration via GitHub)
## Functionality
### Core Capabilities
- **Infection Chain:** Delivered via targeted phishing emails containing a ZIP archive with a .NET binary that executes a DLL loader (`SHELBYLOADER`, "HTTPService.dll") via side-loading.
- **C2 Communication:** Communicates with an attacker-controlled GitHub repository.
- **Payload Decryption:** Extracts a 48-byte value from a file named "License.txt" on GitHub to generate an AES decryption key used to decipher the main backdoor payload ("HTTPApi.dll").
- **In-Memory Execution:** Loads the main backdoor payload into memory without writing artifacts to disk.
### Advanced Features
- **GitHub C2 Strategy:** C2 commands are embedded in one file ("Command.txt"), and output is sent via commits to the private repository.
- **PAT Exposure Risk:** The implementation embeds the Personal Access Token (PAT) within the binary, meaning anyone acquiring the binary can potentially interact with the C2 repository, fetching commands and outputs.
- **Sandbox Detection:** SHELBYLOADER employs sandbox detection techniques; results of these checks are packaged as log files and sent back to C2.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: "HTTPService.dll" (SHELBYLOADER), "HTTPApi.dll" (Backdoor Payload), "License.txt", "Command.txt" (GitHub files).
- Registry Keys: [Not specified in context]
- Network Indicators: GitHub repositories utilized for C2 communication, identifiable by the use of attacker-controlled repository structure/commits.
- Behavioral Indicators: DLL side-loading involving "HTTPService.dll", network connections to GitHub API endpoints for file retrieval/commits, checking for virtualization artifacts.
## Associated Threat Actors
- REF8685
## Detection Methods
- Signature-based detection: Signatures for known DLL names used in side-loading ("HTTPService.dll").
- Behavioral detection: Monitoring for processes attempting to generate AES keys based on external data fetches, reflective loading of DLLs into memory, and unusual network traffic patterns involving GitHub repositories for C2 streams.
- YARA rules: [Not specified in context]
## Mitigation Strategies
- Restrict outbound connections to known malicious or unusual GitHub repositories.
- Implement strict DLL loading policies to mitigate side-loading.
- Monitor for reflective loading of binaries in memory.
- Conduct application security reviews on third-party binaries to ensure PATs or other sensitive tokens are not hardcoded.
## Related Tools/Techniques
- Other DLL side-loading malware.
***
# Tool/Technique: Emmenhtal Loader (PEAKLIGHT)
## Overview
Emmenhtal (also known as PEAKLIGHT) is a malware loader observed spreading via phishing emails using payment-themed lures. Its primary function is to deploy the SmokeLoader malware onto compromised systems.
## Technical Details
- Type: Malware Family (Loader)
- Platform: Windows (implied by .NET analysis)
- Capabilities: Delivering SmokeLoader, heavy obfuscation via .NET Reactor.
- First Seen: [Not specified in context; recent activity detailed.]
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (Phishing lure delivery)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- **TA0010 - Exfiltration/Collection**
- T1040 - Network Sniffing (If SmokeLoader performs sniffing)
## Functionality
### Core Capabilities
- **Delivery Mechanism:** Distributed through phishing emails using payment-themed content.
- **Payload Dropping:** Deploys the **SmokeLoader** malware.
### Advanced Features
- **Obfuscation:** Employs **.NET Reactor**, a commercial .NET protection tool, for robust obfuscation and packing of binaries, aligning with strong anti-analysis trends seen in stealers and loaders. This continues the historical trend of SmokeLoader using packers like Themida or Enigma Protector.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: Execution associated with payment-themed lures, heavy use of commercial .NET obfuscators.
## Associated Threat Actors
- [Not explicitly named in the context regarding Emmenhtal itself; the loader operates in conjunction with SmokeLoader operations.]
## Detection Methods
- Signature-based detection: Signatures for any known Emmenhtal variants or specific packed payloads deployed by it.
- Behavioral detection: Detection focusing on the use of .NET Reactor or other known commercial packers/obfuscators in preliminary execution stages.
- YARA rules: [Not specified in context]
## Mitigation Strategies
- User training against payment-themed phishing lures.
- Use of advanced endpoint protection capable of detecting obfuscated .NET binaries.
## Related Tools/Techniques
- SmokeLoader