Hijackloader

Malware updated 23 days ago (2024-11-29T14:41:57.395Z)
Download STIX
Preview STIX
HijackLoader is a new and rapidly growing malware in the cybercrime community, designed to exploit and damage computer systems. This malicious software infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once infiltrated, HijackLoader can steal personal information, disrupt operations, or hold data hostage for ransom. It operates by invoking malicious Dynamic Link Libraries (DLLs) through sideloading, ultimately executing a version of itself that injects the spy Remote Access Trojan (RAT), such as AsyncRAT. The malware was notably used in a recent campaign that followed the usual tactics, techniques, and procedures (TTPs) of a known cybercriminal group, with the added twist of DLL sideloading. The attack was initiated via phishing emails impersonating Colombia's judicial institutions, containing malicious PDF or DOCX files masquerading as a demand notice or court summons. HijackLoader was also found in a ZIP file targeting Ukrainian entities and Finland, where it loaded the RemCos RAT. The malware uses different capabilities like User Account Control (UAC) bypass, various process injection techniques, and inline Application Programming Interface (API) hooking evasion to remain undetected. HijackLoader, also advertised as a private crypting service ASMCrypt, is a modular multi-stage loader highly focused on evading detection. It uses a configuration file named "maidenhair.cfg" to execute the final RemCos payload, which then contacts the command-and-control (C2) server. Its ability to unpack different stages of the payload and inject them into legitimate processes further enhances its stealth. With its growing popularity among cybercriminals, HijackLoader poses a significant threat to cybersecurity.
Description last updated: 2024-10-17T11:45:55.854Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Asmcrypt is a possible alias for Hijackloader. ASMCrypt, a novel malware crypter and loader, has been developed by cybercriminals to evade detection and load the final payload undetected by antivirus or EDR systems. First discovered on underground forums, ASMCrypt builds upon the stealthy DoubleFinger malware loader, previously used to facilitat
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Payload
Malware Loader
Remcos
Cybercrime
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Systembc Malware is associated with Hijackloader. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage fUnspecified
2
The Redline Stealer Malware is associated with Hijackloader. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects sUnspecified
2
Source Document References
Information about the Hijackloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
21 days ago
Securelist
4 months ago
Securelist
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
DARKReading
5 months ago
CrowdStrike
5 months ago
InfoSecurity-magazine
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
BankInfoSecurity
8 months ago
Securityaffairs
8 months ago