Security researchers from Zscaler ThreatLabz discovered a new malware loader called HijackLoader. It was first observed in July 2023 and is capable of delivering the DanaBot, SystemBC, and RedLine Stealer payloads.
Despite its lack of advanced features, HijackLoader stands out from most loaders because it uses a modular architecture for code injection and execution.
HijackLoader employs several techniques to bypass security products, including the use of syscalls to evade monitoring and delaying code execution for up to 40 seconds. It maintains persistence on the host by creating an LNK shortcut in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job.
The exact infection vector is currently unknown. Alongside its anti-analysis techniques, HijackLoader contains a main module that enables flexible code injection and execution using embedded modules.
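As an added defensive check (not code from the Zscaler report), the following PowerShell lists the LNK shortcuts in the per-user and all-users Startup folders with their resolved targets and enumerates BITS jobs, so an analyst can review a shortcut that hands off to a BITS job; the `bitsadmin`/`BitsTransfer` string match is an assumed heuristic, not an indicator published by the researchers.

```powershell
# Added hunting script (assumption: run in an elevated PowerShell session on the
# host under review). Step 1: resolve every .lnk in both Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell

$shortcuts = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -Force | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # resolve target and arguments
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Created   = $_.CreationTime
            # Assumed heuristic: the shortcut launches the BITS client or cmdlets.
            BitsRef   = ("$($lnk.TargetPath) $($lnk.Arguments)" -match 'bitsadmin|BitsTransfer')
        }
    }
}
$shortcuts | Format-Table -AutoSize

# Step 2: enumerate BITS jobs for all users (-AllUsers requires elevation).
# A job whose owner, name or remote file you do not recognise deserves a closer look.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, OwnerAccount, CreationTime,
        @{ Name = 'RemoteFiles'; Expression = { $_.FileList.RemoteName -join ';' } } |
    Format-Table -AutoSize
```

Review any row where BitsRef is true together with the BITS job list; the two views together show whether a Startup shortcut is the trigger for a job the host should not have.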
The discovery of HijackLoader comes at a time when the notorious Chaes malware, known for stealing financial information from e-commerce users in Latin America, has undergone significant changes and returned to operation. It has been completely rewritten in Python, reducing the likelihood of detection by traditional security products, and its communication protocol with the command-and-control server has also been redesigned.
It is worth mentioning that in July 2023, the Japan Computer Emergency Response Team (JPCERT/CC) reported a new type of cyber attack using "polyglot files." These files combine the characteristics of both PDF and Word documents, enabling them to bypass security systems easily.