Research Saturday 3.23.24
Ep 322 | 3.23.24

HijackLoader unleashed: Evolving threats and sneaky tactics.


Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Liviu Arsene: So this was actually part of the regular stuff that we do in terms of threat research, and we ended up stumbling across a new variant of HijackLoader. It's a relatively new, if you will, multi-stage tool that's being used by adversaries for deploying additional payloads, threats, or even additional tooling, right?

Dave Bittner: That's Liviu Arsene, Director of Threat Research and Reporting at CrowdStrike. The research we're discussing today is titled "HijackLoader Expands Techniques to Improve Defense Evasion." [ Music ]

Liviu Arsene: And this is actually a threat that continues to become increasingly popular amongst adversaries because it's modular; it is stealth and deploys defense evasion techniques, and most importantly, it has, actually, quite a few -- or it has a variety of code injection and memory manipulation capabilities. But ultimately, to summarize, you know, it's just -- its purpose is to be used by adversaries as a staging platform to bring additional tooling or different malware families to infect compromised systems.

Dave Bittner: Well, I mean, let's walk through this together here. I mean, starting from the beginning, I suppose. How would someone find themselves targeted by someone using HijackLoader?

Liviu Arsene: Well, the delivery method can vary. It can be either a spear-phishing e-mail that the tainted document, right, that you just click on it thinking that it's some sort of invoice, or whatever. It can be -- I don't know, even drive-by downloads. So the infection vector may, potentially, vary, but it's the payload itself that's actually quite interesting in this case. Because when we analyzed it and we compared it to what we previously knew about HijackLoader, or what the industry actually knew about HijackLoader, we found a couple of interesting things. For example, one of the most interesting techniques used by Hijack, this particular variant, was something that we've affectionately named "interactive process hollowing." And it's, essentially, a variation of process hollowing where, instead of creating a child process in a suspended state, the process is actually running and waiting for input, or a trigger, from a parent process that's actually writing to a pipe. And somehow, just hearing myself say that, I made it sound more complicated than it actually is.

Dave Bittner: Let's go up a level here, Liviu, because you have absolutely lost me. So can we describe exactly what we're talking about here?

Liviu Arsene: Exactly. So process hollowing, essentially, for those of you that are not familiar with it, is a technique used by malware to inject malicious code into a legitimate process, right? So essentially, what happens is the malware creates a new process similar to one that's already running on the targeted system, except that it creates the process in a suspended state. So that it can manipulate the process memory by swapping it or injecting malicious code, right? That malicious code usually comes from a file that's on disk, and, you know, after it does this memory manipulation, it then resumes the execution of the process. This is, essentially, the traditional way of how process hollowing works now. Now what happens now is that this evasion technique is potentially a little bit different. Think of it as a wolf-in-sheep-clothing kind of analogy, right? And the key distinction here between the standard way of doing process hollowing and this implementation is that, in this case, the child process is not explicitly created in a suspended state, right? Which, essentially, makes it appear less suspicious because standard process hollowing is a fairly well-documented and traditional, if you will, memory manipulation technique. And in our case, it's just a process that's just waiting for input from a different process or it's waiting for a trigger, so that it can start doing what it's supposed to do. Essentially, that's why we're calling it an interactive process-hollowing variation, because it's not suspended, but one that's actually running and awaiting instructions. And I've used an analogy to explain this to some of the folks in the team --

Dave Bittner: Yeah.

Liviu Arsene: -- because it was very interesting at the time when we found it. Think of it this way, right? So imagine a bank robbery, right, a bank robbery scenario. Instead of having a getaway driver waiting, you know, being suspended in front of the bank while burglars are going in trying to rob the bank, the getaway driver is actually dropping them off and driving away, circling the block, waiting for -- I don't know, a radio message, a call, or a trigger from the bank robbers to come pick them up, all right? So essentially, a car that's dropping off a couple of folks in front of a bank and is driving around the block acting all normal is less suspicious than one that's parked in front of a bank practically in a suspended state, right?

Dave Bittner: Right.

Liviu Arsene: So standard process hollowing would be, you know, the getaway car waiting in front of the bank, which can be suspicious, while interactive process hollowing would be a car going around into traffic as it normally would and the getaway driver waiting for a signal from the bank robbers to come pick them up, which is, you know, I suspect it's less suspicious from a car-behavior perspective.

Dave Bittner: So when law enforcement is circling the block, they're not going to see a mafia staff car parked out front of the bank, basically?

Liviu Arsene: They're not going to observe it right off the bat, right?

Dave Bittner: Right. So, I mean, so that's the difference here. Essentially, it's drawing less attention to itself and differentiating it for -- so when you have tools that are looking for this sort of thing, it makes it harder to detect?

Liviu Arsene: Well, yes, but the second thing that we found is that, while though it's using this kind of technique, it also has the ability -- or the malware developers have actually daisy chained several other techniques together with process hollowing to improve defense-evasion capabilities, right, to make HijackLoader more difficult to detect. For instance, we've found that they daisy chain process doppelganging and process hollowing together. Well, in a way, they're kind of similar, in the sense that they're both described as process injection and defense evasion techniques, but differ, essentially, in their approach and complexity, right? So for example, I mentioned earlier that process hollowing may leave some traces on disk, right? Some code may be on disk, especially in terms of, you know, where it's stored and how it's being injected. So we can classify that as a file-based technique, if you will. While process doppelganging, which is another memory manipulation technique that's daisy chained with this one, essentially involves manipulating Windows and file system APIs to practically achieve the same memory manipulation objective, but without involving any sort of malicious code being written to disk, right? And this makes file Doppelganging a more complex memory manipulation technique but without, you know, leaving any traces on disk. So we can call this, if you will, a fileless technique, if you will. And I can go back to a different bank robbery analogy to explain this one if you want to.

Dave Bittner: Please.

Liviu Arsene: Okay. Let me give it a shot. So, okay, so let's imagine for a second having bank robbers going in, right, guns blazing, tipping off the alarm, and trying to empty cash registers in under three minutes, right?

Dave Bittner: Okay. Right.

Liviu Arsene: So -- or for however long it takes attackers -- or responders, sorry, to come in.

Dave Bittner: A smash-and-grab?

Liviu Arsene: A smash-and-grab, exactly.

Dave Bittner: Yeah.

Liviu Arsene: Now, in this scenario, when you combine these two techniques, memory manipulation techniques, doppelganging, and the other one, what happens is we can look at these folks as thieves or burglars going in with a stealthier approach, right? So one of them goes in, for example, let's do a Hollywood scenario, right? One of them goes in, swipes an ID from a security guard, adds a photo on top of the ID, changes into a security guard uniform in the bathroom, again, makes his and then makes his way to the vault using the legitimate but, you know, tainted security ID. And if we are to take this scenario, crazy scenario, even one step further into full Ocean's 11, once the guy reaches the vault, he, you know, cracks open a lunch box that he was carrying as he went through the security. And instead of a sandwich being in the lunch box, he, essentially, has lock picks and safe-breaking tools, which would qualify as process hollowing, right? By swapping clean code, a.k.a., the sandwich, with malicious code, a.k.a., the lock picks. I may have gone a bit off the rails with the analogy, but the point is --

Dave Bittner: No, I love it. I love it.

Liviu Arsene: The point is, by introducing, you know, new techniques or by daisy chaining multiple techniques for process injection, memory manipulation, for the purpose of defense evasion is a way of making the threat, in this case HijackLoader, a lot stealthier. [ Music ]

Dave Bittner: We'll be right back. [ Music ] Well, before we dig into the third thing, I'm curious, you know, from your position as a defender, what do these changes mean for you all in being able to detect these things?

Liviu Arsene: Well, it essentially means that if you are a defender, you need to first understand how these threats behave, and you need to have a platform that's able to offer defensive capabilities across multiple layers, right? So for example, you would need machine-learning capabilities to either statically or dynamically detect malicious behavior. You would need some sort of what we call, actually, indicators of attack, which are, essentially, real-time indicators of attack, of malicious behavior. And will also -- you would also need to augment that platform with intelligence-enriched telemetry, right? And by that, I mean, you also need to have an understanding of the adversary's motivation for building and using tools like these, like loaders or some other -- or any other tool, sort of tools, right? By doing this kind of research, we're essentially trying to -- and the goal is, essentially, to add as many hoops for the attackers to jump through, and make it essentially impossible for them to not just come in and rob the bank, but also make it impossible for them to just park in front of the bank, essentially.

Dave Bittner: Right. All right. Well, let's move on to the third section you want to talk about here. What's going on?

Liviu Arsene: Right. The third section was that -- or we also found that HijackLoaders were -- its developers, specifically, made some very interesting, or dare I say, uncommon or unnecessary steps that can make the threat a bit noisier. For example, some steps that they've added in the multi-stage, you know, behavior of the threat potentially render some previous steps obsolete or useless. Also, in previous versions they've had some code injection mechanisms that may not have worked as intended at the time, but they kind of fixed, or patched, these things in the new variant. However, for example they did not completely clean up system calls used to perform threat manipulation, for example, right? The point is, HijackLoader shows signs that it continues to evolve as its developers, I would say, experiment and enhance its capabilities, right?

Dave Bittner: Is this, I don't know, you know, laziness or inattention on the developers' part to leave these things behind that are no longer functional?

Liviu Arsene: I would call this standard developer practice.

Dave Bittner: Fair enough, right?

Liviu Arsene: Think of it this way.

Dave Bittner: I'm just imagining many of our listeners vigorously nodding their heads in agreement.

Liviu Arsene: Yeah, with how it works. I mean, we've all been there, right?

Dave Bittner: Right, right.

Liviu Arsene: You spend an entire day trying to get some code to work, and you're trying out different functionalities, different functions, different features. At one point, it works, and you just don't want to go back and try to see why it works. If it works, don't go back and change it, and that's pretty much what happens most of the time with developers. I'm not sure if this is the case here with HijackLoader, but it could be one potential explanation for why this happened. Yeah, and hijack loaders are not necessarily as uncommon as you would think, right? So, and I'm going to make a very interesting segue into our recent 2024 CrowdStrike threat report. I don't know if you had a chance to take a look at it, but if you do, go to the "E-Crime Landscape" section, and you will see that the CrowdStrike E-crime Index lists amongst, you know, a boatload of other things, it lists that the average loader cost on the criminal market actually increased by 169%, if I'm not mistaken, in 2023 compared to 2022. So this in context with the fact that loaders, you know, like HijackLoader, seem to go through various upgrades, feature experimentations, or development lifecycles. I would dare say that it points to the fact that loaders are very popular amongst, you know, e-crime community, especially since they can be used to deploy additional payloads and tooling, you know, like ransomware or information stealers, that go after sensitive data or identity credentials.

Dave Bittner: Yeah. So what are your recommendations here? I mean, how should folks best go about protecting themselves?

Liviu Arsene: So, yeah, this whole -- I guess it feeds into the whole how do organizations stay safe and protect themselves, right, not just from loaders, but from, you know, sophisticated threats and adversaries? I would say that it is very important for organizations to embrace a platform-based approach for protecting, you know, critical areas of enterprise risk, right, like endpoints, cloud workloads, identities and data, right? And I would also say that a platform, or that platform, also needs to employ, like I mentioned previously, a layered approach for malware or threat detection using machine learning, real-time indicators of attack. We call them IOAs for identifying malicious behavior and intelligence-enriched telemetry, all essentially built around a single, you know, if you will, lightweight-agent architecture, right? So for example, right, let's take HijackLoader in this case. CrowdStrike's Falcon's sensors machine-learning capabilities can automatically detect and prevent it during the initial stages of attack. You know, and I mean by that, as soon as the malware is downloaded onto the victim's machine, machine learning kicks in. It's automatically detected and prevented. Also, our behavior-based detection capabilities, you know, like IOAs, indicators of attack, can recognize malicious behavior, malicious behavior patterns, at various stages of the attack, including when, you know, HijackLoader starts employing tactics like process injection attempts and immediately shut it down.
So I would say that any organization that wants to stay ahead, not just in terms of protecting themselves against loaders or e-crime activity, but also against sophisticated adversary or adversarial tradecraft, should be -- or should turn to platforms like this, unified platforms that can offer visibility across all endpoints, across every infrastructure, and, you know, give you the ability to not just identify threats but also stop them and potentially prevent breaches from happening.

Dave Bittner: How would you rate the sophistication of the folks behind the HijackLoader?

Liviu Arsene: It depends on what we would -- what scoring system would we use? Would we use their developing capabilities? Would we rate their developing capabilities? Would we rate their ingenuity? I would give them, on a scale of one to 10, for ingenuity, I would give them around a seven, potentially, because it's an interesting daisy-chain techniques, memory-manipulation techniques that I've seen. I don't dare rate their developer skills. I suspect this is still, you know, just like any loader or any piece of malware out there, it's still an ongoing process. And some developers out there may have branches that are more -- better coded than this one, let's say. [ Music ]

Dave Bittner: Our thanks to Liviu Arsene from CrowdStrike for joining us. The research is titled "HijackLoader Expands Techniques to Improve Defense Evasion." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday Podcast is a production of N2K Networks. N2K Strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]