The Threat of Hijack Loader: A Stealthy Malware Campaign Exploiting Pirated Software

Introduction

Cybersecurity threats continue to evolve, with threat actors employing increasingly sophisticated techniques to compromise unsuspecting users. One such recent campaign involves the deployment of a malware loader called Hijack Loader, which is designed to install the information-stealing Vidar Stealer. This article delves into the mechanics of this campaign, the methods used by attackers, and the broader implications for cybersecurity.

Hijack Loader: The Stealthy Entry Point

Hijack Loader, also known as DOILoader or IDAT Loader, is a stealthy malware loader that serves as the initial entry point for deploying more malicious payloads. Threat actors lure users into downloading this malware by offering free or pirated versions of commercial software. In one notable campaign, adversaries disguised the malware within a trojanized version of the Cisco Webex Meetings App.

The Infection Process

The infection process begins with users downloading a password-protected archive file containing what appears to be the Cisco Webex Meetings App. Inside the archive is a file named "Setup.exe," which, when executed, loads the Hijack Loader instead of the legitimate application. This loader uses DLL side-loading techniques to avoid detection and subsequently deploys the Vidar Stealer.

Vidar Stealer: The Information Thief

Vidar Stealer is a potent information-stealing malware that targets sensitive credentials stored in web browsers. Once Hijack Loader successfully deploys Vidar Stealer, the malware begins its data exfiltration process, siphoning off valuable information from the compromised system.

Privilege Escalation and Defense Evasion

To ensure successful execution and persistence, the malware employs a known technique to bypass User Account Control (UAC). It exploits the CMSTPLUA COM interface to escalate privileges. After achieving elevated privileges, the malware adds itself to Windows Defender's exclusion list to evade detection and removal.

Additional Payloads: Cryptocurrency Miners and More

In addition to stealing information, the campaign drops additional payloads to maximize the damage. One such payload is a cryptocurrency miner that consumes the compromised system's resources to mine digital currencies for the attackers.

ClearFake and ClickFix Campaigns

The disclosure of the Hijack Loader campaign coincides with a surge in ClearFake campaigns. These campaigns trick users into executing PowerShell scripts to supposedly fix issues with web pages. The scripts, however, serve as a launchpad for Hijack Loader, which then deploys the Lumma Stealer malware. This stealer downloads additional payloads, including Amadey Loader, XMRig miner, and clipper malware.

Similarly, the ClickFix campaign uses deceptive browser update lures to propagate Vidar Stealer. The attackers rely on PowerShell code that the victim copies and runs, which in turn fetches and executes malicious scripts, further compromising the targeted systems.

TA571: A Social Engineering Tactic

Another threat actor, TA571, uses social engineering in its malspam campaigns. Emails containing HTML attachments lure users with fake error messages about missing browser extensions. Victims are tricked into executing Base64-encoded PowerShell commands that install malware such as Matanbuchus and DarkGate.

Detection Challenges

The use of legitimate tools and complex storage methods for malicious code makes detection challenging. Antivirus software and Endpoint Detection and Response (EDR) systems struggle to inspect clipboard content, necessitating proactive measures to block threats before they reach victims.
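The encoded PowerShell launches described in the ClickFix and TA571 sections, and the Defender exclusion tampering described under privilege escalation, can both be surfaced from process-creation telemetry. The following detection script is an added example, not code from the article or from any product it mentions; the log layout (tab-separated pid, parent image, command line) and the sample records are constructed for the demonstration.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Add-MpPreference with any -Exclusion* parameter adds a Defender exclusion.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion", re.I | re.S)

def encode_ps(script: str) -> str:
    """Base64 form PowerShell expects for -EncodedCommand (UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation records (assumed layout: pid, parent image, command
# line, tab-separated), a stand-in for Sysmon event 1 / Security 4688 data.
SAMPLE_LOG = "\n".join([
    "4120\tC:\\Windows\\explorer.exe\t\"C:\\Users\\u\\Downloads\\Setup.exe\"",
    "4132\tC:\\Users\\u\\Downloads\\Setup.exe\tpowershell.exe -w hidden -enc "
    + encode_ps("Add-MpPreference -ExclusionPath $env:APPDATA"),
    "4140\tC:\\Windows\\explorer.exe\tpowershell.exe -ExecutionPolicy Bypass -e "
    + encode_ps("Get-Date"),
    "4150\tC:\\Windows\\explorer.exe\tpowershell.exe -c \"Get-Process\"",
])

def decode_encoded_command(cmdline: str):
    """Decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"

def analyze_log(text: str) -> list:
    """Flag PowerShell launches that hide their script and/or add Defender exclusions."""
    findings = []
    for raw in filter(str.strip, text.splitlines()):
        pid, parent, cmdline = raw.split("\t", 2)
        if "powershell" not in cmdline.lower():
            continue
        decoded = decode_encoded_command(cmdline)
        reasons = ["encoded_command"] if decoded is not None else []
        # Check both the visible and the decoded command for exclusion tampering.
        if EXCLUSION_RE.search(cmdline) or (decoded and EXCLUSION_RE.search(decoded)):
            reasons.append("defender_exclusion")
        if reasons:
            findings.append({"pid": pid, "parent": parent,
                             "reasons": reasons, "decoded": decoded})
    return findings
```

Run against the constructed log, the script reports the hidden, encoded launch that adds a Defender exclusion as the highest-value finding and the benign encoded command as a lower-severity one, while the plain command line is ignored.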

SEO Poisoning and SolarMarker Campaign

In a related development, eSentire disclosed a malware campaign involving lookalike websites that impersonate legitimate domains, such as Indeed.com. These sites distribute SolarMarker, an information-stealing malware. The attackers use search engine optimization (SEO) poisoning to boost the visibility of malicious links, emphasizing the need for caution when clicking on search engine results.

Conclusion

The Hijack Loader campaign and its associated threats highlight the evolving tactics of cybercriminals. By leveraging social engineering, sophisticated malware loaders, and evasion techniques, threat actors continue to pose significant risks to users and organizations. Vigilance, robust cybersecurity practices, and proactive threat detection are essential to mitigate these risks and protect sensitive information from falling into the wrong hands.
