- HijackLoader uses a modular architecture that enables threat actors to perform code injection and execution.
- While the exact initial infection vector is currently unknown, the loader uses syscalls to evade detection and checks running processes against an embedded blocklist of security software.
- To achieve persistence on compromised hosts, the malware loader creates a shortcut file (LNK) in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job.
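The persistence chain above (Startup-folder LNK handing off to a BITS job) leaves two artifacts a defender can enumerate. The following hunting script is an added example, not code from the original report or from HijackLoader; the keyword pattern and the output fields are assumptions chosen for illustration.

```powershell
# Added hunting example: list Startup-folder shortcuts whose target invokes
# BITS, and BITS jobs that run a command on completion. Review the output
# manually; a hit is a lead, not a verdict.

$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumed pattern: shortcuts in Startup normally launch applications, not BITS tooling.
$bitsPattern = 'bitsadmin|Start-BitsTransfer|BitsTransfer'

foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $bitsPattern) {
            [PSCustomObject]@{
                Kind     = 'StartupShortcut'
                Location = $_.FullName
                Command  = $cmd
                Created  = $_.CreationTime
            }
        }
    }
}

# BITS jobs persist across reboots and may carry a NotifyCmdLine that runs when
# the transfer finishes; enumerate every job that has one.
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    Where-Object { $_.NotifyCmdLine } |
    ForEach-Object {
        [PSCustomObject]@{
            Kind     = 'BitsJob'
            Location = $_.DisplayName
            Command  = ($_.NotifyCmdLine -join ' ')
            Created  = $_.CreationTime
        }
    }
```

`Get-BitsTransfer -AllUsers` needs an elevated session; without it only the current user's jobs are returned.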
Malware loaders in vogue
- According to recent research, three prominent malware loaders—QakBot (QBot), SocGholish, and Raspberry Robin—were responsible for 80% of attacks launched in the first seven months of 2023.
- In a separate incident, the well-known Smoke Loader malware expanded its attack surface to deploy a new malware called Whiffy Recon for hijacking IoT devices.
While HijackLoader is relatively new, its addition to the threat landscape will enable cybercriminals to launch more attacks.