Analyzing New HijackLoader Evasion Tactics

    Date: 04/01/2025

    Severity: Medium

    Summary

HijackLoader, a malware loader first observed in 2023, has been updated with new modules that strengthen its evasion. These include call stack spoofing to disguise the origin of API calls, anti-VM checks to detect analysis sandboxes and virtual machines, and a module that establishes persistence through scheduled tasks. Together these changes are intended to help the loader evade security controls and keep its foothold on infected hosts.

    Indicators of Compromise (IOC) List

Hash (SHA-256)

    67173036149718a3a06847d20d0f30616e5b9d6796e050dc520259a15588ddc8

    28eb6ce005d34e22f6805a132e7080b96f236d627078bcc1bedee1a3a209bd1f

    08f1ca6071cb206f53c2e81568b73d4bee7ac6a019d93d3ceaac7637b6dc891a

    9218c8607323d7667f69ef26faea57cb861f9b3888a457ed9093c1b65eefa42b

    b8f1341ade1fe50c4936b8f7bec7a8e47ad753465f716a1ec2f8220a18bf34a5

    b2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26

    3aa32545a2f53138d5f816d002b00d45c581cd56b1cfa66a2f72a03d604f1346

    6cfbffa4e0327969aeb955921333f5a635a9b2103e05989b80bb690f376e4404

    307c1756c21ee8f4f866ff8327823b55d597fecca379f98bcd45581e2e33adee

    7b399ccced1048d15198aeb67d6bcc49ebd88c7ac484811a7000b9e79a5aac90

    2be2c90c725c2a03d2bd68e39d52c0e16e7678d1d42fa7fdf75797806e0eb036

    3ca78fbfbb46722af5f8acac511e77ec0382439f84c78c5710496fe1c377893d

    35dca05612aede9c1db55a868b1cd314b5d05bac00bed577fd0d437103c2a4a4

    d75d545269b0393bed9fd28340ff42cc51d5a1bd7d5d43694dac28f6ca61df03

    b480fec95b84980e88e0e5958873b7194029ffbaa78369cfe5c0e4d64849fb32

    273bc7700e9153f7063b689f57ece3090c79e6b1038a9bc7865f61452c7377b0

    2e5cf739a84c726dfe3cfa3ddf47893357713240e77adf929ef30d87b1ccb52e

    3142e4b40d27f63bcf7c787e96811e9a801224ce368624d75e88fa6408af896e

    3500426eb9bb67fa91d4848cabeab2fe8e8a614768ed1e389e1f42a2428f64a8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    sha256hash IN ("67173036149718a3a06847d20d0f30616e5b9d6796e050dc520259a15588ddc8","28eb6ce005d34e22f6805a132e7080b96f236d627078bcc1bedee1a3a209bd1f","08f1ca6071cb206f53c2e81568b73d4bee7ac6a019d93d3ceaac7637b6dc891a","9218c8607323d7667f69ef26faea57cb861f9b3888a457ed9093c1b65eefa42b","b8f1341ade1fe50c4936b8f7bec7a8e47ad753465f716a1ec2f8220a18bf34a5","b2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26","3aa32545a2f53138d5f816d002b00d45c581cd56b1cfa66a2f72a03d604f1346","6cfbffa4e0327969aeb955921333f5a635a9b2103e05989b80bb690f376e4404","307c1756c21ee8f4f866ff8327823b55d597fecca379f98bcd45581e2e33adee","7b399ccced1048d15198aeb67d6bcc49ebd88c7ac484811a7000b9e79a5aac90","2be2c90c725c2a03d2bd68e39d52c0e16e7678d1d42fa7fdf75797806e0eb036","3ca78fbfbb46722af5f8acac511e77ec0382439f84c78c5710496fe1c377893d","35dca05612aede9c1db55a868b1cd314b5d05bac00bed577fd0d437103c2a4a4","d75d545269b0393bed9fd28340ff42cc51d5a1bd7d5d43694dac28f6ca61df03","b480fec95b84980e88e0e5958873b7194029ffbaa78369cfe5c0e4d64849fb32","273bc7700e9153f7063b689f57ece3090c79e6b1038a9bc7865f61452c7377b0","2e5cf739a84c726dfe3cfa3ddf47893357713240e77adf929ef30d87b1ccb52e","3142e4b40d27f63bcf7c787e96811e9a801224ce368624d75e88fa6408af896e","3500426eb9bb67fa91d4848cabeab2fe8e8a614768ed1e389e1f42a2428f64a8")
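The query above is an exact match of a telemetry field against the IOC list. The following Python script is an added example (not Gurucul's or Zscaler's code) that applies the same logic outside the TDIR platform: it normalises an incoming hash field (EDRs frequently emit upper-case digests), filters telemetry records, and sweeps a directory tree by hashing each regular file. The IOC set is copied from the list above; the telemetry records and the files written by `demo()` are constructed for illustration, and `demo()` adds the hash of its own constructed file to the IOC set so the sweep has something to hit. A hash IOC only catches the exact bytes that were analysed; a repacked or re-signed sample will not match, so this complements rather than replaces behavioural detection.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, Iterable, List, Optional

# SHA-256 IOCs copied from the IOC list above (lowercase hex, 64 chars each).
HIJACKLOADER_SHA256: FrozenSet[str] = frozenset({
    "67173036149718a3a06847d20d0f30616e5b9d6796e050dc520259a15588ddc8",
    "28eb6ce005d34e22f6805a132e7080b96f236d627078bcc1bedee1a3a209bd1f",
    "08f1ca6071cb206f53c2e81568b73d4bee7ac6a019d93d3ceaac7637b6dc891a",
    "9218c8607323d7667f69ef26faea57cb861f9b3888a457ed9093c1b65eefa42b",
    "b8f1341ade1fe50c4936b8f7bec7a8e47ad753465f716a1ec2f8220a18bf34a5",
    "b2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26",
    "3aa32545a2f53138d5f816d002b00d45c581cd56b1cfa66a2f72a03d604f1346",
    "6cfbffa4e0327969aeb955921333f5a635a9b2103e05989b80bb690f376e4404",
    "307c1756c21ee8f4f866ff8327823b55d597fecca379f98bcd45581e2e33adee",
    "7b399ccced1048d15198aeb67d6bcc49ebd88c7ac484811a7000b9e79a5aac90",
    "2be2c90c725c2a03d2bd68e39d52c0e16e7678d1d42fa7fdf75797806e0eb036",
    "3ca78fbfbb46722af5f8acac511e77ec0382439f84c78c5710496fe1c377893d",
    "35dca05612aede9c1db55a868b1cd314b5d05bac00bed577fd0d437103c2a4a4",
    "d75d545269b0393bed9fd28340ff42cc51d5a1bd7d5d43694dac28f6ca61df03",
    "b480fec95b84980e88e0e5958873b7194029ffbaa78369cfe5c0e4d64849fb32",
    "273bc7700e9153f7063b689f57ece3090c79e6b1038a9bc7865f61452c7377b0",
    "2e5cf739a84c726dfe3cfa3ddf47893357713240e77adf929ef30d87b1ccb52e",
    "3142e4b40d27f63bcf7c787e96811e9a801224ce368624d75e88fa6408af896e",
    "3500426eb9bb67fa91d4848cabeab2fe8e8a614768ed1e389e1f42a2428f64a8",
})

_HEX = set("0123456789abcdef")
CHUNK = 1 << 20  # hash files in 1 MiB chunks so large files need not fit in memory


def normalize_sha256(value: str) -> Optional[str]:
    """Strip and lowercase a hash field; return None unless it is a 64-char hex digest."""
    v = value.strip().lower()
    if len(v) != 64 or not set(v) <= _HEX:
        return None
    return v


def match_hash(value: str, iocs: FrozenSet[str] = HIJACKLOADER_SHA256) -> bool:
    """True if the (normalised) hash is one of the IOCs."""
    v = normalize_sha256(value)
    return v is not None and v in iocs


def match_events(events: Iterable[dict], iocs: FrozenSet[str] = HIJACKLOADER_SHA256) -> List[dict]:
    """Filter telemetry records carrying a 'sha256hash' field, like the TDIR query above."""
    return [e for e in events if match_hash(str(e.get("sha256hash", "")), iocs)]


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs: FrozenSet[str] = HIJACKLOADER_SHA256) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under root whose digest is an IOC."""
    hits: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue  # skip symlinks so a planted link cannot send the sweep elsewhere
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue  # unreadable (locked, permission denied); log this in production
        if digest in iocs:
            hits[str(p)] = digest
    return hits


# Constructed telemetry records (hypothetical hosts and paths), not real events.
SAMPLE_EVENTS = [
    {"host": "ws01", "path": "C:\\Users\\a\\Downloads\\setup.exe",
     "sha256hash": "67173036149718A3A06847D20D0F30616E5B9D6796E050DC520259A15588DDC8"},
    {"host": "ws02", "path": "C:\\Windows\\System32\\notepad.exe",
     "sha256hash": "00" * 32},
    {"host": "ws03", "path": "C:\\tmp\\x", "sha256hash": "not-a-hash"},
]


def demo() -> Dict[str, str]:
    """Constructed sweep: one benign file and one stand-in sample whose hash is added to the IOCs."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "benign.txt").write_bytes(b"nothing to see here\n")
        sample = root / "sample.bin"
        sample.write_bytes(b"MZ\x90\x00" + b"constructed stand-in, not a real loader" * 8)
        iocs = HIJACKLOADER_SHA256 | {sha256_of_file(sample)}
        hits = sweep_directory(root, iocs)
    return {Path(k).name: v for k, v in hits.items()}


if __name__ == "__main__":
    for e in match_events(SAMPLE_EVENTS):
        print("IOC hit:", e["host"], e["path"])
    print("sweep hits:", demo())
```

Run it as a script to see the single telemetry hit (ws01, matched despite the upper-case digest) and the sweep result; point `sweep_directory` at a real download or temp directory to hunt on a host.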

    Reference:

    https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics#indicators-of-compromise--iocs-


    Tags

Malware, HijackLoader
