BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

HijackLoader

52
Global rank
32 infographic chevron month
Month rank
41 infographic chevron week
Week rank
0
IOCs

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Loader
Type
Unknown
Origin
1 July, 2023
First seen
14 October, 2024
Last seen

How to analyze HijackLoader with ANY.RUN

Type
Unknown
Origin
1 July, 2023
First seen
14 October, 2024
Last seen

IOCs

IP addresses
194.120.116.197
194.116.217.148
188.130.207.115
139.99.16.105
144.76.154.59
185.172.128.212
Hashes
bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26
0ae58be8d7058e40926fdb51b76043d109b96b91aa9fa2950dbb8a3626185e0f
a38da72082fc2dc1f60b3b245e1f2382d5f8c1d08ebc397dd0d81cc9f74ebbe6
8c12d821cae4d797fece228c0f433a007b8ad0643b778de8fa8a20b01504a522
132e2aaf6ba22738d79a027f967b865154f427eb5aa9c623dd4a2e9c0656e279
d838c3ff4c5bc734ce3beb0101d2902731fe1f414eae611ecb427bb66d682f71
1495fe416d65a16ec29e30de2a8f410e2930278eacf43943c45804cc9f502b2f
4a35f8134f64ad28c5fe261d7cf15256ecd758566c2ddbf4bd962925502ade41
4416d271999879f69acf3f414d06ef47852c5a9f174a543b8d30784b10b6ce73
9469de22339cb061f83ad060ea6f2110c5f0c3c4a08017db2a5cf457691a83ca
7686ffb96c606f5138af8818871f433f6ebe6c94597e496da1c9b07b3c2338d4
038d7b257b98421ad371189cf51d67f32ddad2de687c443a59ea74e4027bbf04
9fcc8d9212ee92c395f48f4fc5e587431485426f1bfcf8f4640db7270ebcf18d
3c5ef21065ce78141738202ee7f678f8b1fe666d49b7639ff82f95eda73cdd2b
80f05865e59ec4e12e504adbf5fae3d706b5d27e5ab2fc52fcd0feb19365c7b0
effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
89c61b5b70d806f603c431365f11f5faaa06f4ce34fc8006fb7ed026a2efdde4
9a9fa4604daaaac1f658822ca20c3843af3d42a65489c6655e076666718d3e68
1a99ac759fcd881729b76c2904476b4201e794df2d0547c954ea37be7c153131
2265e1b58d364f4134efeea53be6deadc9d8ccdde7bee3e14d17e3b2981de942
Domains
me3ar40.quickworld.shop
commisionipwn.shop
declaredczxi.shop
southedhiscuso.shop
replacedoxcjzp.shop
catchddkxozvp.shop
potentioallykeos.shop
drawzhotdog.shop
preachstrwnwjw.shop
interactiedovspm.shop
basedsymsotp.shop
weiggheticulop.shop
cagedwifedsozm.shop
arriveoxpzxo.shop
proffoduwnuq.shop
complainnykso.shop
ghostreedmnu.shop
fragnantbui.shop
stitchmiscpaew.shop
grassemenwji.shop
Last Seen at

Recent blog posts

post image
Private AI Assistant for Malware Analysis in...
watchers 934
comments 0
post image
5 Characteristics of Good Threat Intelligence...
watchers 477
comments 0
post image
New PhantomLoader Malware Distributes SSLoad:...
watchers 4064
comments 0

What is HijackLoader malware?

HijackLoader is a loader malware that possesses strong evasion capabilities, allowing it to bypass mainstream security solutions. It has been observed to deliver numerous persistent malware families, such as DanaBot and the RedLine stealer.

Most of the known attacks involving HijackLoader began with phishing emails. As of the end of 2023, it continues to be an active threat. The modular design of the malware is one of the key factors behind its popularity. It enables HijackLoader to ensure a more flexible approach to deployment on the infected system and further execution of the final payloads.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Technical details of the HijackLoader malicious software

HijackLoader is notorious for its ability to evade detection. One way it does this is by utilizing a modified Windows C Runtime (CRT) function to gain a foothold on the device.

During the initial stage, HijackLoader also ascertains whether the final payload is embedded in the binary or has to be downloaded from external sources. It does this through the use of an array of DWORD values.

It can also check if the device is connected to the Internet by attempting to connect to legitimate websites. The network connectivity check is a clever strategy that allows HijackLoader to remain undetected while the network is unavailable. In a similar fashion, the malware can delay the execution of different parts of its code to once again avoid early detection.

To make it more difficult for reverse engineers to analyze its code, the malware uses dynamic API loading via a custom hashing method. This makes it harder to locate the specific API calls used during execution.

HijackLoader’s AVDATA module is designed specifically for the purpose of identifying security software installed on the system and adjusting its operation depending on the results of its scanning.

Execution process of HijackLoader

Let’s take a closer look at the execution flow of a HijackLoader sample by uploading it to the ANY.RUN sandbox.

HijackLoader is a typical loader, and its execution flow is also straightforward and simple. This simplicity allows malware to remain less active inside infected systems, making it more challenging to detect. However, it can still attract attention in certain cases.

In our example, the loader leveraged the CMD utility to stay under the radar. It, in turn, initiates the MSBuild process, which downloads and runs the Phonk which downloads the miner. HijackLoader demonstrates evasion capabilities that aid in staying undetected by certain security solutions.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

HijackLoader process tree shown in ANY.RUN HijackLoader's process tree demonstrated in ANY.RUN

Distribution methods of the HijackLoader malware

The preferred method of infiltration among the attackers behind HijackLoader is phishing attacks, where cybercriminals craft emails that appear to be from legitimate sources, hoping to trick recipients into opening malicious attachments or clicking on infected links.

In one notable instance, hotels were targeted with emails from fake clients claiming to be staying at the hotel and requesting staff to download a file containing information on their allergy. Once opened, the file kickstarted the infection chain resulting in the deployment of HijackLoader on the victim’s device.

Conclusion

Keeping your infrastructure safe from a HijackLoader infection requires a proactive cybersecurity approach. An indispensable part of it is a reliable malware analysis sandbox like ANY.RUN.

With ANY.RUN, you can example incoming emails to determine any malicious intent behind them with ease. The service’s interactive cloud environment enables you to effectively investigate even the most intricate phishing campaigns and uncover multi-stage attacks in no time. The service delivers comprehensive text reports encompassing detailed information about the submitted files and links, including fresh IOCs.

Adopt a proactive cybersecurity approach by leveraging ANY.RUN.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More