Hijackloader

Malware updated a month ago (2024-10-17T12:03:20.471Z)
HijackLoader is a new and rapidly growing malware in the cybercrime community, designed to compromise and damage computer systems. It infects systems through suspicious downloads, emails, or websites, typically without the user noticing. Once inside, HijackLoader can steal personal information, disrupt operations, or hold data hostage for ransom. It operates by invoking malicious Dynamic Link Libraries (DLLs) through sideloading, ultimately executing a version of itself that injects a Remote Access Trojan (RAT) such as AsyncRAT.

The malware was notably used in a recent campaign that followed the usual tactics, techniques, and procedures (TTPs) of a known cybercriminal group, with the added twist of DLL sideloading. The attack was initiated via phishing emails impersonating Colombia's judicial institutions, carrying malicious PDF or DOCX files masquerading as a demand notice or court summons. HijackLoader was also found in a ZIP file targeting Ukrainian entities and Finland, where it loaded the RemCos RAT.

To remain undetected, the malware uses capabilities such as User Account Control (UAC) bypass, several process injection techniques, and evasion of inline Application Programming Interface (API) hooks. HijackLoader, also advertised as the private crypting service ASMCrypt, is a modular multi-stage loader focused heavily on evading detection. It uses a configuration file named "maidenhair.cfg" to execute the final RemCos payload, which then contacts the command-and-control (C2) server. Its ability to unpack the different stages of the payload and inject them into legitimate processes further enhances its stealth. With its growing popularity among cybercriminals, HijackLoader poses a significant threat.
Description last updated: 2024-10-17T11:45:55.854Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Asmcrypt (votes: 2)
Asmcrypt is a possible alias for Hijackloader. ASMCrypt, a novel malware crypter and loader, has been developed by cybercriminals to evade detection and load the final payload undetected by antivirus or EDR systems. First discovered on underground forums, ASMCrypt builds upon the stealthy DoubleFinger malware loader, previously used to facilitat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Payload
Malware Loader
Remcos
Cybercrime
Associated Malware
Malware: Systembc (association type: Unspecified; votes: 2)
The Systembc Malware is associated with Hijackloader. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f

Malware: Redline Stealer (association type: Unspecified; votes: 2)
The Redline Stealer Malware is associated with Hijackloader. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s
Source Document References
Information about the Hijackloader Malware was read from the documents corpus below. This display is limited to 20 results.
Source (created)
Securelist (3 months ago)
Securelist (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
DARKReading (4 months ago)
CrowdStrike (4 months ago)
InfoSecurity-magazine (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)
BankInfoSecurity (7 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)