HijackLoader: The Rising Threat in Cybercrime's Arsenal, Delivering a Payload Punch
Plus, Facebook Messenger Becomes Battlefield for MrTonyScam: Vietnamese Cyber Group's Sneaky Phishing Campaign Targets Accounts
Zscaler ThreatLabz Uncovers the Modular Malware Loader, HijackLoader, and Its Sneaky Techniques
In the ever-evolving world of cybercrime, a new player has emerged on the scene, and it's making waves. Meet "HijackLoader," a malware loader that's been steadily gaining favor within the cybercriminal community. What sets it apart? While it may lack some of the advanced features of other loaders, it compensates with a modular architecture that enables it to utilize various modules for code injection and execution—a rarity in the world of loaders.
First detected in July 2023 by Zscaler ThreatLabz researcher Nikolaos Pantazopoulos, HijackLoader employs a host of tactics to fly under the radar. It deftly uses syscalls to dodge the watchful eyes of security solutions, keeps tabs on processes linked to security software using an embedded blocklist, and employs delays of up to 40 seconds at different stages to postpone code execution.
The initial access point that HijackLoader uses to infiltrate its targets remains shrouded in mystery. However, beneath its anti-analysis cloak, the loader houses a core instrumentation module that facilitates flexible code injection and execution through embedded modules.
To ensure persistence on compromised hosts, HijackLoader ingeniously creates a shortcut file (LNK) in the Windows Startup folder, pointing it to a Background Intelligent Transfer Service (BITS) job.
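The Startup-folder shortcut pointing at a BITS job is a persistence pattern a defender can check for directly. The following PowerShell audit is an added example written for this newsletter entry; it is not Zscaler ThreatLabz code and does not reproduce HijackLoader's exact shortcut contents. The indicator strings it looks for are assumptions chosen to catch the generic shapes of a BITS-driven shortcut, and the BITS enumeration needs an elevated session.

```powershell
# Added example (not from Cyber Oracle or Zscaler ThreatLabz): audit both Startup
# folders for .lnk files whose target or arguments reference BITS, then list every
# user's BITS jobs so a referenced job can be inspected. Run elevated.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumed indicators: strings a shortcut would contain if it drives a BITS job.
$bitsIndicators = @('bitsadmin', 'BitsTransfer', 'BackgroundIntelligentTransfer')

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $commandLine = "$($lnk.TargetPath) $($lnk.Arguments)"
        # -match is case-insensitive by default; escape so the indicator is literal.
        $hit = $bitsIndicators |
            Where-Object { $commandLine -match [regex]::Escape($_) } |
            Select-Object -First 1
        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            Modified   = $_.LastWriteTime
            Suspicious = [bool]$hit
            Indicator  = $hit
        }
    }
}

"Startup shortcuts:"
$findings | Format-Table -AutoSize

# Every BITS job on the host, with its transfer list and the command line BITS runs
# on completion (NotifyCmdLine), which is where a job-based loader would hide.
"BITS jobs (all users):"
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    Select-Object DisplayName, JobState, OwnerAccount, CreationTime, NotifyCmdLine,
        @{ Name = 'Files'
           Expression = { ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ' } } |
    Format-Table -AutoSize
```

A shortcut flagged here is not proof of infection on its own; compare its modification time with the host's patch and software-install history, and treat any BITS job whose NotifyCmdLine launches something from a user-writable path as the item to triage first.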
According to Pantazopoulos, "HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads. Moreover, it does not have any advanced features, and the quality of the code is poor."
This revelation coincides with Flashpoint's disclosure of an updated version of an information-stealing malware known as RisePro, previously distributed via a pay-per-install (PPI) malware downloader called PrivateLoader. RisePro, written in C++, specializes in harvesting sensitive information and sending it to a command-and-control server in the form of logs.
The ever-evolving landscape of cybercrime also witnessed the discovery of a new information stealer written in Node.js. This malware, distributed through malicious Large Language Model (LLM)-themed Facebook ads and counterfeit websites posing as ByteDance's CapCut video editor, stealthily snatches cookies and credentials from various Chromium-based web browsers.
As the cyber threat landscape continually morphs, these developments underscore the prevalence of stealer infections as a primary vector for initial attacks, enabling threat actors to infiltrate organizations and carry out post-exploitation activities. In this dynamic environment, it's no surprise that cybercriminals are continually innovating to create new strains of stealer malware, such as Prysmax, which boasts a multitude of functionalities designed to maximize impact while evading detection by security tools.
HijackLoader and its counterparts illustrate the relentless evolution of cybercrime, where adaptability and innovation reign supreme, keeping cybersecurity experts on their toes.
Guardio Labs Uncovers a Dangerous Phishing Attack Leveraging Facebook Messenger with High Infection Rates
In a relentless and audacious cyber campaign, a Vietnamese-based group has unleashed a devious phishing attack using Facebook Messenger as its primary vector. This operation, ominously referred to as "MrTonyScam," deploys a clever blend of social engineering and technical sophistication to compromise user accounts with malicious intent.
At the heart of this scheme lies a tiny compressed file attachment that serves as the bait. When recipients are enticed into clicking on RAR and ZIP archive attachments, a meticulously orchestrated chain of events is set into motion. This sequence includes a dropper that fetches the next-stage payload from GitHub or GitLab repositories, followed by an archive file housing a CMD file.
Within this CMD file lurks an obfuscated Python-based stealer, a formidable tool designed to exfiltrate all cookies and login credentials from various web browsers. These ill-gotten digital treasures are then discreetly routed to an actor-controlled Telegram or Discord API endpoint.
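Because the stealer hands its loot to Telegram or Discord API endpoints, outbound requests to those hosts from a scripting interpreter or shell rather than a browser or chat client are a usable detection. The script below is an added example for this entry, not Guardio Labs code; the proxy-log format and the five sample lines are constructed for the illustration, and the list of expected client processes is an assumption to tune per environment.

```powershell
# Added example (not from Cyber Oracle or Guardio Labs): scan web-proxy log lines for
# Telegram/Discord API traffic that originates from an unexpected process.
# Log format and sample lines are constructed: time client user process method url

$sampleLog = @'
2023-09-12T10:14:02Z 10.0.0.21 alice chrome.exe GET https://www.facebook.com/messages
2023-09-12T10:15:31Z 10.0.0.21 alice python.exe POST https://api.telegram.org/botXXXXXXXX/sendDocument
2023-09-12T10:15:40Z 10.0.0.21 alice python.exe POST https://discord.com/api/webhooks/000000/constructed
2023-09-12T10:16:05Z 10.0.0.34 bob discord.exe GET https://discord.com/api/v9/users/@me
2023-09-12T10:17:12Z 10.0.0.21 alice cmd.exe POST https://api.telegram.org/botXXXXXXXX/sendMessage
'@

# Hosts the stealer is reported to use for exfiltration.
$exfilHostPattern = '^(api\.telegram\.org|discord(app)?\.com)$'

# Assumed allow-list: processes that legitimately talk to these hosts.
$expectedClients = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'discord.exe', 'telegram.exe')

function Find-SuspiciousExfil {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split ' ', 6            # at most six fields; the URL may contain spaces
        if ($f.Count -lt 6) { continue }
        $uri = $null
        if (-not [Uri]::TryCreate($f[5], [UriKind]::Absolute, [ref]$uri)) { continue }
        if ($uri.Host -notmatch $exfilHostPattern) { continue }
        if ($expectedClients -contains $f[3].ToLower()) { continue }
        [PSCustomObject]@{
            Time    = $f[0]
            Client  = $f[1]
            User    = $f[2]
            Process = $f[3]
            Host    = $uri.Host
            # Strip the bot token and webhook id so the alert itself does not leak secrets.
            Path    = ($uri.AbsolutePath -replace '/bot[^/]+', '/bot<redacted>') -replace '/webhooks/.*', '/webhooks/<redacted>'
        }
    }
}

# On the constructed sample this flags the two python.exe requests and the cmd.exe request.
Find-SuspiciousExfil -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

The same filter works on real proxy exports once the field split is adjusted to the vendor's format; the process column is what makes it useful, since a browser talking to Discord is normal while a Python or cmd.exe process doing so right after an archive was opened is the sequence described above.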
The ingenuity of MrTonyScam lies in its strategic use of stolen cookies. Once the thief has what they need, they promptly delete the cookies from the victim's browser. This seemingly benign action has a profound consequence: it forcibly logs the victim out of their own account. At this juncture, the scammers pounce, using the stolen cookies to change the password and assume control.
Although initiating the infection necessitates some degree of user interaction (downloading, unzipping, and executing an attachment), Guardio Labs' disconcerting findings reveal a high success rate. In the past 30 days alone, an estimated one in 250 of those targeted fell victim to this cunning campaign.
The MrTonyScam threat has cast its web wide, with reports of compromises flooding in from various corners of the globe, including the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam.
As Guardio Labs researcher Oleg Zaytsev points out, "Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets." In essence, these accounts become valuable assets, ripe for exploitation and manipulation.
This discovery comes on the heels of recent revelations by WithSecure and Zscaler ThreatLabz, shedding light on Ducktail and Duckport campaigns targeting Meta Business and Facebook accounts. The common thread of Vietnamese involvement suggests complex relationships and shared tools among cyber threat actors operating in this space, highlighting the growing significance of social media platforms in the cybercriminal ecosystem.
Wikimedia Foundation - Director of Engineering, Developer Experience - São Paulo, São Paulo, Brazil · Fully Remote
Mews - Senior Product Manager, POS - Barcelona, Barcelona, Spain · Hybrid
Roku - Senior Software Engineer, Platform Portability - Hsinchu, Taiwan · On-site
Coinbase - Product Manager II - Fully Remote
AlixPartners - IT Data Analyst Intern - Hybrid
Chan Zuckerberg Initiative - Data Science Intern, Science - Redwood City, CA (Onsite) · On-site
Temasek - Project Intern, Technology (Python Backend Developer) - Singapore, Singapore
Tesla - Internship, Fullstack Engineer, Infotainment UI (Winter/Spring 2024) - Palo Alto, CA