Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A new version of the malware loader Hijack Loader has been spotted by researchers at Zscaler. It comes with an updated set of anti-analysis techniques intended to fly under the radar; in total, the latest variant adds 7 new modules. Notably, one of these modules is designed to bypass User Account Control (UAC), a Windows security feature that prevents unauthorized changes to the operating system. Bypassing UAC enables the malware to elevate privileges and evade defenses. The other new modules add an exclusion for Windows Defender Antivirus, evade the inline API hooking that security software often relies on for detection, and employ process hollowing. In addition, researchers note that the new variant incorporates further features such as dynamic API resolution, blocklist process checking, and user-mode hook evasion using Heaven's Gate.

Security Officer Comments:
Hijack Loader was first documented in 2023 and employs a modular architecture in which a variety of modules handle code injection and execution. The latest additions highlight that the authors behind the loader are actively updating it to increase its stealth and remain undetected for longer periods of time. What is notable about Hijack Loader is its delivery method: a PNG image is decrypted and parsed to load the second stage, which is either embedded in the image or downloaded separately depending on the malware's configuration. Once loaded, the second stage injects the main instrumentation module, which applies various anti-analysis techniques and decrypts the final payload.

Suggested Corrections:
Since 2023, Hijack Loader has gained a lot of traction within the cybercriminal community and has been observed deploying a variety of malware families, including Rhadamanthys, Meta Stealer, Remcos RAT, Raccoon Stealer, Lumma Stealer, and Amadey, most of which are designed to monitor victims' systems and exfiltrate data of interest. Given that loaders like Hijack Loader are primarily distributed via phishing, users should be careful not to open links or attachments in emails or SMS text messages from unknown senders.
Zscaler has provided a Python script to extract the malware configuration and modules from HijackLoader samples: