Cybersecurity researchers have identified an updated Hijack Loader, introducing features such as call stack spoofing and anti-VM checks to evade detection and maintain persistence. Originally discovered in 2023, Hijack Loader can deliver second-stage payloads, such as information-stealing malware, and employs diverse tactics to bypass security measures. The loader is known under various aliases within the cybersecurity community and is linked to campaigns exploiting legitimate code-signing certificates for distribution. Its latest iteration reveals enhanced evasion techniques, notably call stack spoofing, also seen in other malware.
"Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in an analysis.
"This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones," Zscaler said.
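The quote above describes the mechanism a frame-pointer walk relies on: each x86 frame stores the caller's saved EBP at `[ebp]` and the return address at `[ebp+4]`, so a security tool that follows that chain sees whatever frames are sitting in memory. The example below is added here for illustration and is not code from the Zscaler analysis or from Hijack Loader; it models a 32-bit thread stack as a constructed dword array with a constructed module list and walks the EBP chain the way a simple unwinder would, flagging the inconsistencies a defender can check for: a return address not backed by any loaded module, a saved EBP that does not move up the stack, and a chain that leaves the stack region. The addresses, module ranges and the `walk_ebp_chain` / `stack_read` / `module_for` names are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit thread's stack: STACK_WORDS dwords starting
 * at STACK_BASE. Frame layout follows the x86 EBP convention:
 *   [ebp]   = saved EBP of the caller's frame
 *   [ebp+4] = return address into the caller */
#define STACK_BASE  0x0019F000u
#define STACK_WORDS 64u

typedef struct { uint32_t lo, hi; const char *name; } ModuleRange;

/* Constructed load ranges standing in for the process's module list. */
static const ModuleRange modules[] = {
    { 0x00400000u, 0x00480000u, "app.exe"      },
    { 0x76000000u, 0x760F0000u, "kernel32.dll" },
    { 0x77000000u, 0x77100000u, "ntdll.dll"    },
};

typedef enum {
    WALK_OK = 0,
    WALK_RET_OUTSIDE_MODULE,  /* return address not backed by a loaded module */
    WALK_EBP_NOT_ASCENDING,   /* saved EBP does not point higher up the stack */
    WALK_EBP_OUT_OF_STACK,    /* frame pointer left the thread's stack region */
    WALK_TOO_DEEP             /* more frames than the stack can hold: a cycle */
} WalkResult;

/* Name of the module containing addr, or NULL if no module backs it. */
static const char *module_for(uint32_t addr) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (addr >= modules[i].lo && addr < modules[i].hi) return modules[i].name;
    return NULL;
}

/* Read one dword of the modeled stack; fails for misaligned or out-of-range addresses. */
static int stack_read(const uint32_t *stack, uint32_t addr, uint32_t *out) {
    if (addr < STACK_BASE || addr > STACK_BASE + STACK_WORDS * 4u - 4u || (addr & 3u))
        return 0;
    *out = stack[(addr - STACK_BASE) / 4u];
    return 1;
}

/* Walk the EBP chain starting at ebp, validating each frame. On WALK_OK,
 * *depth receives the number of frames visited. */
WalkResult walk_ebp_chain(const uint32_t *stack, uint32_t ebp, unsigned *depth) {
    unsigned n = 0;
    while (ebp != 0) {
        uint32_t saved_ebp, ret;
        if (!stack_read(stack, ebp, &saved_ebp) || !stack_read(stack, ebp + 4u, &ret))
            return WALK_EBP_OUT_OF_STACK;
        if (module_for(ret) == NULL)
            return WALK_RET_OUTSIDE_MODULE;
        /* The stack grows downward, so a caller's frame must sit above its callee's. */
        if (saved_ebp != 0 && saved_ebp <= ebp)
            return WALK_EBP_NOT_ASCENDING;
        if (++n > STACK_WORDS)
            return WALK_TOO_DEEP;
        ebp = saved_ebp;
    }
    *depth = n;
    return WALK_OK;
}

/* Constructed: three well-formed frames at 0x0019F010, 0x0019F040 and
 * 0x0019F080, every return address backed by a module, chain ends with EBP 0. */
static const uint32_t stack_benign[STACK_WORDS] = {
    [4]  = 0x0019F040u, [5]  = 0x76001234u,
    [16] = 0x0019F080u, [17] = 0x00401000u,
    [32] = 0x00000000u, [33] = 0x76010000u,
};

/* Constructed: same chain, but the middle frame returns into memory no
 * module backs (e.g. a heap allocation), which an unspoofed call from
 * injected code leaves behind. */
static const uint32_t stack_unbacked[STACK_WORDS] = {
    [4]  = 0x0019F040u, [5]  = 0x76001234u,
    [16] = 0x0019F080u, [17] = 0x02A01000u,
    [32] = 0x00000000u, [33] = 0x76010000u,
};

/* Constructed: a fabricated frame whose saved EBP points back down the
 * stack, something a genuine chain can never do. */
static const uint32_t stack_loop[STACK_WORDS] = {
    [4]  = 0x0019F040u, [5]  = 0x76001234u,
    [16] = 0x0019F010u, [17] = 0x00401000u,
};

int main(void) {
    const struct { const char *label; const uint32_t *stack; } cases[] = {
        { "benign",   stack_benign   },
        { "unbacked", stack_unbacked },
        { "loop",     stack_loop     },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned depth = 0;
        WalkResult r = walk_ebp_chain(cases[i].stack, 0x0019F010u, &depth);
        printf("%-8s -> result %d, frames walked %u\n", cases[i].label, (int)r, depth);
    }
    return 0;
}
```

The walk is only as trustworthy as the memory it reads: a chain whose fabricated frames all carry module-backed return addresses and ascending frame pointers passes every check above, which is exactly the gap the spoofing described in the quote exploits. That is why detection that depends on stack provenance should corroborate a frame-pointer walk with other evidence (for instance, whether the return address follows a real call instruction, or whether unwind metadata agrees with the frame chain) rather than treating the EBP chain as ground truth.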