Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

May 8, 2024 at 07:06AM

A newer version of the malware loader Hijack Loader, also known as IDAT Loader, adds anti-analysis techniques that make it stealthier and more effective at evading detection. It now incorporates modules to bypass security measures and deliver various malware families, and it decrypts and parses a PNG image to load the next-stage payload. Additionally, the emergence of an information stealer called TesseractStealer is noted.

Key takeaways from the report:

– A newer version of the malware loader Hijack Loader has been observed, incorporating updated anti-analysis techniques to increase its stealthiness and avoid detection.
– Hijack Loader is being used as a conduit to deliver various malware families including Amadey, Lumma Stealer, Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys.
– The latest version of Hijack Loader is notable for decrypting and parsing a PNG image to load the next-stage payload, a technique first detailed by Morphisec in a campaign targeting Ukrainian entities based in Finland.
– Hijack Loader artifacts detected in the wild in March and April 2024 incorporate seven new modules to help create new processes, perform UAC bypass, and add a Windows Defender Antivirus exclusion via a PowerShell command.
– The malware loader also utilizes the Heaven’s Gate technique to circumvent user mode hooks, as disclosed by CrowdStrike in February 2024.
– Additionally, an information stealer called TesseractStealer distributed by ViperSoftX has been observed, focusing on extracting specific data related to credentials and cryptocurrency wallet information and dropping another payload from the Quasar RAT malware family.
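The Windows Defender exclusion added via PowerShell (fourth bullet above) is one of the few behaviours in this summary that leaves a clean host-side trace. The following is an added detection example, not code from the article or from any Hijack Loader analysis; it assumes PowerShell script-block logging (Microsoft-Windows-PowerShell/Operational, event ID 4104) is enabled and exported one record per line, and the sample records it scans are constructed.

```python
"""Flag Defender exclusion additions in PowerShell script-block log records."""
import re
from typing import List, NamedTuple

# Add-MpPreference and Set-MpPreference are the Defender cmdlets through which
# exclusions are added; requiring both the cmdlet and an -Exclusion* parameter
# avoids firing on unrelated MpPreference changes.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"
    r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)
# Canonical parameter names, so case-mangled cmdlet text normalises cleanly.
PARAMS = {"path": "ExclusionPath", "process": "ExclusionProcess",
          "extension": "ExclusionExtension", "ipaddress": "ExclusionIpAddress"}


class Finding(NamedTuple):
    record: int      # 1-based index of the log record
    parameter: str   # which exclusion type was added
    value: str       # the excluded path/process/extension/address


def find_exclusion_additions(records: List[str]) -> List[Finding]:
    """Return one Finding per Defender exclusion added in the given records."""
    findings = []
    for n, line in enumerate(records, 1):
        for m in EXCLUSION_RE.finditer(line):
            param = PARAMS[m.group("kind").lower()]
            findings.append(Finding(n, param, m.group("value").strip("'\"")))
    return findings


# Constructed sample 4104 records (not real telemetry); only two add exclusions.
SAMPLE_LOG = [
    "4104 Creating Scriptblock text (1 of 1): Get-Process | Where-Object CPU -gt 50",
    "4104 Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\staging'",
    "4104 Creating Scriptblock text (1 of 1): Set-MpPreference -DisableRealtimeMonitoring $true",
    "4104 Creating Scriptblock text (1 of 1): add-mppreference -exclusionprocess explorer.exe -Force",
]


def scan_sample() -> List[Finding]:
    return find_exclusion_additions(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"record {f.record}: {f.parameter} added for {f.value!r}")
```

Script-block records are used rather than process command lines because 4104 captures the decoded script text, so an exclusion passed through -EncodedCommand is still visible to this check.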

