CyberWire Daily - HijackLoader unleashed: Evolving threats and sneaky tactics. [Research Saturday]
Episode Date: March 23, 2024
Liviu Arsene from CrowdStrike joins to discuss their research "HijackLoader Expands Techniques to Improve Defense Evasion." The research has found that HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling. In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. Researchers state "this new approach has the potential to make defense evasion stealthier."
Please take a moment to fill out an audience survey! Let us know how we are doing!
The research can be found here: HijackLoader Expands Techniques to Improve Defense Evasion
And be sure to join our live webinar: CISOs are the new Architects (of the Workforce). Join N2K’s Simone Petrella and Intuit’s Kim Jones on Wednesday, March 27th for an online discussion about the pivotal role security leaders play in shaping the security workforce landscape, and how we can start showing up for the future of our industry. Learn more and register on the event page.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So this was actually part of the regular stuff that we do in terms of threat research.
And we ended up stumbling across a new variant of Hijack Loader.
It's a relatively new, if you will, multi-stage tool that's being used by adversaries for deploying additional payloads, threats, or even additional tooling, right?
That's Liviu Arsene, Director of Threat Research and Reporting at CrowdStrike.
The research we're discussing today is titled,
Hijack Loader Expands Techniques to Improve Defense Evasion.
And this is actually a threat that continues to become increasingly popular amongst adversaries because it's modular, it is stealthy,
and deploys defense evasion techniques.
And most importantly, it has actually quite a few,
or it has a variety of code injection and memory manipulation capabilities.
But ultimately, to summarize,
its purpose is to be used by adversaries as a staging platform
to bring additional tooling or different malware families
to infect compromised systems.
Well, let's walk through this together here.
Starting from the beginning, I suppose,
how would someone find themselves targeted by someone using Hijack Loader?
Well, the delivery method can vary.
It can be either a spear phishing email with a tainted document, right?
And you just click on it thinking that it's some sort of invoice or whatever.
It can be, I don't know, even drive-by downloads.
So the infection vector may
potentially vary, but it's the payload itself that's actually quite interesting in this case.
Because when we analyzed it and we compared it to what we previously knew about Hijack Loader or
what the industry actually knew about Hijack Loader, we found a couple of interesting things.
For example, one of the most interesting techniques used by Hijack Loader, this particular variant, was something that we've affectionately named interactive process hollowing.
And it's essentially a variation of process hollowing, where instead of creating a child process in a suspended state, the process is actually running and waiting for input or trigger from a parent process that's actually writing to a pipe.
And somehow just hearing myself say that, I made it sound more complicated than it actually is.
Let's go up a level here, Liviu, because you have absolutely lost me.
So can we describe exactly what we're talking about here?
Exactly.
So process hollowing, essentially, for those of you that are not familiar with it,
is a technique used by malware to inject malicious code into a legitimate process, right?
So essentially what happens is the malware creates a new process
similar to one that's already running on the targeted system,
except that it creates the process in a suspended state
so that it can manipulate the process memory
by swapping it or injecting malicious code, right?
That malicious code usually comes from a file that's on disk.
And after it does this memory manipulation,
it then resumes the execution of the process.
This is essentially the traditional way
of how process hollowing works.
Now, what happens now is that this evasion technique
is potentially a little bit different.
Think of it as a wolf and sheep clothing kind of analogy, right?
And the key distinction here between the standard way
of doing process hollowing and this implementation
is that in this case, the child process
is not explicitly created in a suspended state,
which essentially makes it appear less suspicious.
Because standard process hollowing is a fairly well-documented and traditional,
if you will, memory manipulation technique.
And in our case, it's just a process that's just waiting for input from a different process,
or it's waiting for a trigger so that it can start doing what it's supposed to do.
Essentially, that's why we're calling it an interactive process hollowing variation
because it's not suspended, but one that's actually running and waiting instructions.
And I've used an analogy to explain this to some of the folks in the team.
Yeah.
Because it was very interesting at the time when we found it.
Think of it this way, right?
So imagine a bank robbery, right?
A bank robbery scenario. Instead of having a getaway driver waiting, you know, being suspended in front
of the bank while burglars are going in trying to rob the bank, the getaway driver is actually
dropping them off and driving away, circling the block, waiting for, I don't know, a radio message,
a call, or a trigger from the bank robbers to come pick them up. So essentially, a car that's dropping off a couple of folks in front of a bank and is driving around the block acting all normal is less suspicious than one that's parked in front of a bank practically in a suspended state.
Right.
car waiting in front of a bank, which can be suspicious, while interactive process hollowing would be car going around into traffic as it normally would and the getaway driver waiting
for a signal from the bank robbers to come pick them up, which is, you know, I suspect it's less
suspicious from a car behavior perspective. So when law enforcement is circling the block,
they're not going to see a mafia staff car parked out front of the bank, basically.
They're not going to observe it right off the bat, right?
Right.
So that's the difference here.
Essentially, it's drawing less attention to itself
and differentiating it.
So when you have tools that are looking for this sort of thing,
it makes it harder to detect?
Well, yes.
But the second thing that we found is that although it's using this
kind of technique, it also has the ability or the malware developers have actually daisy-chained
several other techniques together with process hollowing to improve defense evasion capabilities,
right? To make Hijack Loader more difficult to detect. For instance, we found that they daisy-chained process doppelganging
and process hollowing together.
Well, in a way, they're kind of similar
in the sense that they're both
described as process injection
and defense evasion techniques,
but differ essentially in their approach
and complexity, right?
So for example, I mentioned earlier
that process hollowing may leave
some traces on disk, right?
Some code may be on disk,
especially in terms of where it's stored and how it's being injected. So we can classify that as a file-based technique, if you will, while process doppelganging, which is another
memory manipulation technique that's daisy-chained with this one, essentially involves manipulating
Windows and file system APIs
to practically achieve the same memory manipulation objective,
but without involving any sort of malicious code being written to disk.
And this makes file doppelganging a more complex memory manipulation technique,
but without leaving any traces on disk.
So we can call this, if you will, a fileless technique, if you will.
And I can go back to a different bank robbery analogy
to explain this one if you want to.
Please.
Okay, let me give it a shot.
Okay, so let's imagine for a second having bank robbers going in,
guns blazing, tipping off the alarm,
and trying to empty cash registers in under three minutes, right?
Right.
So, or however long it takes attackers or responders, sorry, to come in.
Now, a smash and grab.
A smash and grab, exactly. Yeah. Now, in this scenario, when you combine
these two techniques, memory manipulation techniques, doppelganging and the other one,
what happens is we can look at these folks as thieves or burglars going in with a stealthier approach.
So one of them goes in, for example, let's do a Hollywood scenario.
One of them goes in, swipes an ID from a security guard,
adds a photo on top of the ID, changes into a security guard uniform
in the bathroom, and then makes his way to the vault
using the legitimate but tainted security ID. And if we are to take this scenario, crazy
scenario, even one step further into full Ocean's Eleven,
once the guy reaches the vault, he
cracks open a lunchbox that he was carrying as he went through the security.
And instead of a sandwich being in the lunchbox, he
essentially has lockpicks and safe-breaking tools, which would qualify as process hollowing by swapping clean code, a.k.a. the sandwich, with malicious code, a.k.a. the lockpicks.
I may have gone a bit off the rails with the analogy.
I love it.
The point is, by introducing new techniques or by daisy-chaining multiple techniques for process injection, memory manipulation, for the purpose of defense evasion, is a way of making the threat, in this case Hijack Loader, a lot stealthier.
We'll be right back.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
not the entire network, continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Well, before we dig into the third thing, I'm curious, you know, from your position as a defender,
what do these changes mean for you all in being able to detect these things?
Well, it essentially means that if you are a defender, you need to first understand how these threats behave
and you need to have a platform that's able
to offer defensive capabilities across multiple layers.
So, for example, you would need
machine learning capabilities to either statically or dynamically detect malicious behavior.
You would need some sort of what we call actually indicators of attack, which are essentially real-time indicators of attack, of malicious behavior.
And you would also need to augment that platform with intelligence-enriched telemetry, right?
And by that, I mean,
you also need to have an understanding
of the adversary's motivation
for building and using tools like these,
like loaders or any other sort of tools, right?
By doing this kind of research,
we're essentially trying to,
and the goal is essentially to add as
many hoops for attackers to jump through and make it essentially impossible for them to not just
come in and rob the bank, but also make it impossible for them to just park in front of
the bank, essentially.
Right. All right. Well, let's move on to the third section you want to talk about here. What's going on?
Right.
The third section was that, or we also found that hijack loaders, or its developers specifically,
made some very interesting or, dare I say, uncommon or unnecessary steps that can make the threat a bit noisier.
For example, some steps that they've added
in the multi-stage behavior of the threat
potentially render some previous steps obsolete or useless.
Also, in previous versions,
they've had some code injection mechanisms
that may not have worked as intended at the time,
but they kind of fixed or patched these things in the new variant.
However, for example, they did not completely clean up
system calls used to perform thread manipulation, for example.
The point is, Hijack Loader
shows signs that it continues to evolve as its developers
I would say experiment and enhance its capabilities.
Is this, I don't know, laziness or inattention on the developer's part
to leave these things behind that are no longer functional?
I would call this standard developer practice.
Fair enough.
So think of it this way.
I'm just imagining many of our listeners
vigorously nodding their heads in agreement
that this is how it works.
I mean, we've all been there, right?
You spend an entire day trying to get some code to work
and you're trying out different functionalities,
different functions, different features.
At one point, it works,
and you just don't want to go back
and try to see why it works.
If it works, don't go back and change it. And that's pretty much what happens most of the time
with developers. I'm not sure if this is the case here with Hijack Loader, but it could be one
potential explanation for why this happened. And hijack loaders are not necessarily as uncommon as you would think, right?
So I'm going to make a very interesting segue into our recent 2024 CrowdStrike threat report.
I don't know if you had a chance to take a look at it, but if you do, go to the eCrime landscape section,
and you will see that the CrowdStrike eCrime index lists, amongst a boatload
of other things, it lists that the average loader cost on the criminal market actually increased by
169%, if I'm not mistaken, in 2023 compared to 2022. So this, in context with the fact that
loaders like Hijack Loader seem to go through various upgrades, feature experimentations, or development life cycles, I would dare say that it points to the fact that loaders are very popular amongst the e-crime community, especially since they can be used to deploy additional payloads and tooling like ransomware or information stealers that go after sensitive data or identity credentials.
Yeah. So what are your recommendations here? I mean, how should folks best go about protecting themselves?
So yeah, this whole, I guess it feeds into the whole how do organizations stay safe and protect themselves, right? Not just from loaders, but from
sophisticated threats and adversaries.
I would say that it is very important
for organizations to embrace
a platform-based approach
for protecting critical areas
of enterprise risk, right?
Like endpoints, cloud workloads,
identities, and data, right?
And I would also say that a platform
or that platform also needs to employ,
like I mentioned previously,
a layered approach for malware
or threat detection
using machine learning,
real-time indicators of attack.
We call them IOAs
for identifying malicious behavior.
Intelligence-enriched telemetry,
all essentially built around a single,
you know, if you will,
lightweight agent architecture.
So for example, let's take Hijack Loader in this case.
CrowdStrike Falcon sensor's machine learning capabilities can automatically detect and
prevent it during the initial stages of attack.
And I mean by that, as soon as the malware is downloaded onto the victim's machine,
bam, machine learning kicks in, it's automatically detected and prevented.
Also, our behavior-based detection capabilities, like IOAs, indicators of attack,
can recognize malicious behavior, malicious behavior patterns at various stages of the attack,
including when Hijack Loader starts employing tactics like process injection attempts,
and immediately shut it down.
So I would say that any organization
that wants to stay ahead,
not just in terms of protecting themselves
against loaders or e-crime activity,
but also against sophisticated adversarial tradecraft
should turn to platforms like this.
Unified platforms that can offer visibility
across all endpoints,
across every infrastructure,
and give you the ability
to not just identify threats,
but also stop them
and potentially prevent breaches from happening.
How would you rate the sophistication
of the folks behind Hijack Loader?
It depends on what scoring system we would use.
Would we use their developing capabilities?
Would we rate their developing capabilities?
Would we rate their ingenuity?
I would give them, on a scale of 1 to 10,
for ingenuity, I would give them around a 7, potentially.
Because it's an interesting daisy chain of techniques,
memory manipulation techniques that I've seen.
I don't dare rate their developer skills.
I suspect this is still, you know, just like any loader or any piece of malware out there, it's still an ongoing process.
And some developers out there may have branches that are better coded than this one, let's say.
Our thanks to Liviu Arsene from CrowdStrike for joining us.
The research is titled Hijack Loader Expands Techniques to Improve Defense Evasion.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday podcast is a production of N2K Networks.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Elliot Peltzman.
Our executive producers are Jennifer Iben and
Brandon Karpf. Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.