Authors/Presenters: Sven Cattell
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.
The post BSidesLV24 – Keynotes – Day One: “Secure AI” Is 20 Years Old appeared first on Security Boulevard.
Cybersecurity imposter syndrome is practically universal among leaders. Learn how deliberate failure builds genuine confidence no certification provides.
The post You Feel Like an Imposter and That’s Okay: Here’s How to Build Up Confidence appeared first on Security Boulevard.
The conversation around quantum computing is shifting from theory to reality, especially when it’s centered on security and mounting threats against current encryption algorithms. The UK National Cyber Security Centre’s (NCSC) recent guidance on “PQC Migration Timelines” underscores the urgency for organizations to transition to post-quantum cryptography (PQC). Urgency is being driven by the rising […]
The post Navigating the Quantum Shift: A Practical Approach to Crypto-Agility with PQC-Enabled PKI appeared first on Security Boulevard.
Developers have always had a conflicted relationship with security. While they don't want to produce software with security flaws, they don't want to be security experts either. With that in mind, the Open Source Security Foundation (OpenSSF) has released the Open Source Project Security Baseline.
The post OpenSSF guidelines encourage OSS developers to build securely appeared first on Security Boulevard.
Escape has created the first ever push-to-post automation to revolutionize vulnerability management by giving you the recognition you deserve.
The post Product Update: Automate alerts to your social media appeared first on Security Boulevard.
Veriti Research has identified a significant rise in tax-related malware samples across multiple platforms. The research team discovered malware samples targeting Android, Linux, and Windows, all connected to the same adversary operating from a single IP address. We believe the attacker is running multiple parallel campaigns and using “Malware-as-a-Service” tools to target various platforms simultaneously, […]
The post Tax Season Threat Surge appeared first on VERITI.
The post Tax Season Threat Surge appeared first on Security Boulevard.
March 2025 was a high-alert month for cybersecurity teams. Critical CVEs surfaced across widely used technologies, some quiet, others loud, but all carrying real risk. These weren’t just routine disclosures....
The post Top CVEs & Vulnerabilities of March 2025 appeared first on Strobes Security.
The post Top CVEs & Vulnerabilities of March 2025 appeared first on Security Boulevard.
On March 21, 2025, a critical authorization bypass vulnerability in Next.js, identified as CVE-2025-29927, was disclosed with a CVSS score of 9.1. This framework’s middleware handling flaw enables attackers to bypass authentication and authorization, exposing sensitive routes to unauthorized access. Exploiting this vulnerability does not require authentication, providing attackers with direct access to protected routes. […]
The post Next.js Vulnerability Exposes Middleware Security Gaps appeared first on Kratikal Blogs - Information Hub For Cyber Security Experts.
The post Next.js Vulnerability Exposes Middleware Security Gaps appeared first on Security Boulevard.
“The Renaissance Man” was attributed to Leonardo da Vinci because he symbolized the focus of the Renaissance era: boundless human potential. The 2025 State of Passwordless Identity Assurance Report revolves around the Identity Renaissance: the exploration of business success when it’s unburdened by security vulnerabilities and inefficiencies. The report stresses the vitalization of shifting away from passwords and adopting comprehensive security infrastructure.
Recap still too long? Join me for a short report briefing, form-free registration here!
The post Top Passwordless Identity Assurance Trends for 2025 appeared first on Security Boulevard.
Is Your Secrets Vault Really Equipped for the Task? Non-Human Identities (NHIs) and their secrets management have become the cornerstone of an effective cybersecurity strategy. The question is, is your secrets vault truly impenetrable? Or are there lurking threats you are yet to identify and address? NHIs and Secrets Security Management: A Deep Dive To […]
The post Is Your Secrets Vault Truly Impenetrable? appeared first on Entro.
The post Is Your Secrets Vault Truly Impenetrable? appeared first on Security Boulevard.
Is Your Cybersecurity Strategy Delivering Value? One pivotal question hovers in every professional’s mind: ‘Is my cybersecurity strategy delivering value?’ The answer lies deep within the nuances of Non-Human Identities (NHIs) and Secrets Security Management. What is Non-Human Identities (NHIs) and Secrets Security Management? Simply put, NHIs are machine identities used. These identities are created […]
The post Does Your Cybersecurity Solution Deliver Value? appeared first on Entro.
The post Does Your Cybersecurity Solution Deliver Value? appeared first on Security Boulevard.
Why Are Adaptable NHI Strategies Essential in Today’s Cybersecurity Landscape? Where cyber threats are increasingly complex and pervasive, businesses need robust and flexible strategies to safeguard their data assets. One such strategy is the management of Non-Human Identities (NHIs), a vital but often overlooked aspect of cybersecurity. This approach involves securing machine identities, their access […]
The post Adaptable Strategies for NHI Lifecycle Management? appeared first on Entro.
The post Adaptable Strategies for NHI Lifecycle Management? appeared first on Security Boulevard.
Are You Ready to Embrace the Latest Secrets Security Trends? Isn’t it fascinating to consider how cybersecurity has evolved over the past few years? It’s become essential to focus on securing machine identities and secrets. This is where Non-Human Identities (NHIs) and Secrets Security Management comes into play. But what makes this approach a key […]
The post Excited About New Trends in Secrets Security? appeared first on Entro.
The post Excited About New Trends in Secrets Security? appeared first on Security Boulevard.
Are Your Machine Identities Trapped in a Security Blindspot? A critical question persists: How secure are your Non-Human Identities (NHIs) across the cloud? While businesses invest heavily in human-centric cybersecurity solutions, they often overlook the vulnerabilities associated with NHIs – the machine identities such as servers, service accounts, applications, and bots that are integral to […]
The post How Secure Are Your NHIs Across the Cloud? appeared first on Entro.
The post How Secure Are Your NHIs Across the Cloud? appeared first on Security Boulevard.
Authors/Presenters: Daemon Tamer
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.
The post BSidesLV24 – Keynotes – Day One: Opening Remarks appeared first on Security Boulevard.
The recent inadvertent exposure of classified U.S. military plans by top defense and intelligence leaders serves as a stark reminder that even the most capable cybersecurity tools and well-defined policies can be rendered meaningless if ignored or misused.
In this case, senior leaders relied on the Signal messaging app to communicate sensitive data but unintentionally exposed critical information to unauthorized parties. The leaked details — time-sensitive plans for a military operation — could have not only placed personnel in greater danger but also undermined the mission by alerting adversaries to an imminent attack.
While Signal is a widely respected, consumer-grade, end-to-end encrypted communication tool, it does not provide the same level of security as classified government systems. National security organizations typically utilize Sensitive Compartmented Information Facilities (SCIFs) to safeguard classified data from leaks and eavesdropping. However, SCIFs and other highly-secure methods are not as convenient as less secure alternatives — such as personal smartphones.
In this instance, Signal’s encryption was not the issue; rather, the exposure occurred when an unauthorized individual was mistakenly added to the chat. This human error resulted in sensitive information being disclosed to a reporter.
Lessons LearnedThis incident highlights critical cybersecurity challenges that extend beyond the military and apply to organizations everywhere:
1. Human behavior can undermine even the most robust security technologies.
2. Convenience often conflicts with secure communication practices.
3. Untrained personnel — or those who disregard security protocols — pose a persistent risk.
4. Even with clear policies and secure tools, some individuals will attempt to bypass compliance.
5. When senior leaders ignore security policies, they set a dangerous precedent for the entire organization.
Best Practices for OrganizationsTo mitigate these risks, organizations should adopt the following best practices:
1. Educate leaders on security risks, policies, and consequences, empowering them to lead by example.
2. Ensure policies align with the organization’s evolving risk tolerance.
3. Reduce compliance friction by making secure behaviors as convenient as possible.
4. Recognize that even the strongest tools can be compromised by user mistakes.
5. Anticipate that adversaries will exploit behavioral, process, and technical vulnerabilities — never underestimate their persistence to exploit an opportunity.
Cybersecurity is only as strong as the people who enforce and follow it. Ignoring best practices or prioritizing convenience over security will inevitably lead to information exposures. Organizations must instill a culture of cybersecurity vigilance, starting at the top, to ensure sensitive information remains protected.
The post Critical Cybersecurity Lessons from the Recent Exposure of U.S. Military Plans appeared first on Security Boulevard.
Gen Z, or individuals born between 1997 and 2012, have certain types of lifestyles, upbringings and character traits that make them ideal for social engineering exploitation.
The post Gen Z’s Rising Susceptibility to Social Engineering Attacks appeared first on Security Boulevard.
This is a news item roundup of privacy or privacy-related news items for 23 MAR 2025 - 29 MAR 2025. Information and summaries provided here are as-is for warranty purposes.
Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of user's devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
You can get immediate notification of when this series is published (every Monday) by subscribing to the RSS feed or signing up for the newsletterTABLE OF CONTENTS
Using a private search engine is a good way to begin improving your privacy. Private search engines generally avoid connecting users to their searches.
Surveillance Tech in the NewsThis section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Madison Square Garden’s surveillance system banned this fan over his T-shirt design
The Verge
This pretty much boils down to a company leveraging data aggregation (whether first-party or third-party, but likely both) to ban a guy for life from its venues. In other words, based on data they had on this individual, they determined they do not want him on its properties - even though he himself had never "did anything" on their properties.
Privacy Tools and ServicesPrimarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Tools“MyTerms” wants to become the new way we dictate our privacy on the web
ArsTechnica
"MyTerms" (draft standard IEEE P7012) is a proposed standard for machine readable personal privacy terms. Generally speaking, you as the user could preset a "contract" for web properties you visit that inform the website which information you will and will not offer for access to content/services. The website will presumable being able to 1) work with that contract, 2) modify (or serve up and alternate version) of itself to meet the user terms, and/or 3) tell you it can't meet the terms of the contract.
This is a large departure from things like Do Not Track (DNT) - DNT is a request sent via HTTP header that the website does not have to follow or even acknowledge. MyTerms is designed to be a demand versus a request.
Privacy Without Compromise: Proton VPN is Now Built Into Vivaldi
Vivaldi
Vivaldi integrates ProtonVPN natively into its desktop version of its browser.
A smarter VPN experience: Introducing the Mozilla VPN extension for Windows
Mozilla
Mozilla releases a VPN extension for its VPN service that supposedly lets users choose which websites to enable/disable VPN or choose a different VPN server location. As of writing this extension is for Firefox (or Gecko-based) installations on Windows.
Organic Maps update improves user navigation experience
AlternativeTo
Organic Maps, an alternative to Apple Maps and Google Maps, has introduced split screen mode, enhanced routing algorithms for cyclists, individual track sharing, and flexible route planning.
Messaging editing, deletion and saving now available
Deltachat blog
Deltachat has rolled out the ability for users to:
Pale Moon browser now accessible via Microsoft Store
AlternativeTo
The Pale Moon browser is now available on the Microsoft Store. The browser also recently released version 33.6.1, which focuses on security and bug fixes.
Privacy Servicesente blog
Ente has released version 1.0 of its photos app.
Proton Drive and Docs now support collaboration with users without Proton accounts
Proton
Proton users can now collaborate on documents with anyone -- including those without Proton accounts.
Successful security assessment of our Android app
Mullvad
Mullvad's Android app has successfully passed the Mobile Application Security Assessment (MASA), conducted by NCC Group.
Multihop now available on Android
Mullvad
Mullvad has introduced its server multihop feature to its Android client.
DAITA version 2 now available on all platforms
Mullvad
Mullvad has rolled out version of their "Defense Against AI-guided Traffic Analysis" (DAITA) model. Version 2 reduces traffic overhead and introduces dynamic configurations varying VPN tunnel characteristics.
Vulnerabilities and MalwarePrimarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
VulnerabilitiesGoogle Chrome Zero-day Vulnerability Exploited in the Wild (CVE-2025-2783)
Qualys
Researchers at Qualys have discovered an actively exploited zero-day in Chromium. Tracked as CVE-2025-2783, this vulnerability, when exploited, could allow attackers to bypass Chromium's sandbox. Google has addressed this vulnerability in version 134.0.6998.177/.178 for Windows.
This vulnerability is not just limited to Chrome - it affects all Chromium-based browsers. Users running a Chromium fork (which includes popular browsers such as Brave, Vivaldi, among others.)
Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
TechCrunch
Firefox version 136.0.4 fixes a vulnerability, tracked as CVE-2025-2857, that when exploited could lead to a sandbox escape. This vulnerability was exploited in the wild and only affects Firefox on Windows.
Note: This vulnerability is similar to a sandbox escape (CVE-2025-2783) for Chrome.
New Ubuntu Linux security bypasses require manual mitigations
Bleeping Computer
Three security bypass vulnerabilities have been discovered in Ubuntu's unprivileged user namespace restrictions. A local unprivileged user can create user namespaces with full administrative privileges. The local attacker could then exploit vulnerabilities in various kernel components.
MalwareMicrosoft Trusted Signing service abused to code-sign malware
Bleeping Computer
Threat actors are abusing the Microsoft cloud service Trusted Signing...
The post Privacy Roundup: Week 13 of Year 2025 appeared first on Security Boulevard.
The question is no longer whether AI-driven scams will target your business, but how prepared you are to counter them.
The post Online Scams in the Age of AI appeared first on Security Boulevard.
IntroductionHijackLoader (also known as IDAT Loader and GHOSTPULSE) is a malware loader initially discovered in 2023. The loader is not only capable of delivering second-stage payloads, but also offers a variety of modules to expand the malware’s capabilities. The modules are mainly used for configuration information and to evade security software, as well as inject and execute code. Recently, Zscaler ThreatLabz uncovered new HijackLoader modules with additional evasion techniques. In this blog, we analyze these modules that implement features including call stack spoofing to mask the origin of function calls from endpoint detection, virtual machine detection to identify analysis environments, and another module that establishes persistence via scheduled tasks.Key TakeawaysHijackLoader is malware downloader dating back to 2023 that has received continuous updates via new modules.HijackLoader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls).HijackLoader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes.Another new module is designed to establish persistence via scheduled tasks.Technical AnalysisIn the following sections, we examine HijackLoader’s new modules and changes in evasion tactics. The module names added since our last analysis are the following: ANTIVM, MUTEX, CUSTOMINJECT, CUSTOMINJECTPATH, modTask, modTask64, PERSDATA, and SM.First stageHijackLoader’s first stage has undergone two changes. The first change involves the blocklist processes check, where a new process name, avastsvc.exe, was added to the list. If any of the processes in the table below are running, HijackLoader delays execution by 5 seconds. SDBM Hash ValueProcess NameDescription5C7024B2avgsvc.exeThe avgsvc.exe process is a component of AVG Internet Security.6CEA4537avastsvc.exeThe avastsvc.exe process is a component of Avast Antivirus.Table 1: Processes blocklisted by HijackLoader.The second change pertains to the decryption of modules. While most HijackLoader samples still use IDAT headers in a PNG file to store encrypted modules, a few samples are embedding them in the PNG’s pixel structure.Second stage (ti module)As mentioned in our previous blog, HijackLoader uses the Heaven's Gate technique to execute x64 direct syscalls. We have now observed that call stack spoofing has been added to the list of evasion tactics used by HijackLoader. This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones.The ti module only uses call stack spoofing for the following native system APIs:ZwCreateSectionZwMapViewOfSectionZwUnmapViewOfSectionZwProtectVirtualMemoryZwReadVirtualMemoyZwWriteVirtualMemoryZwWriteFileZwResumeThreadZwGetContextThreadZwSetContextThreadZwRollbackTransaction ZwClose ZwTerminateProcess HijackLoader API callsHijackLoader collects the API hash, system call number, function name, and function address of all API names that start with Zw in ntdll.dll. This information is stored as an array of elements, with each element being a structure of size 16, which we will refer to as a DIRECTSYSCALL_STRUCT, as shown below.struct DIRECTSYSCALL_STRUCT {
uint32_t APIHash; // CRC32 hash of the API function name
uint32_t ssn; // System service number (SSN)
char *APIName; // API function name
void *APIFunctionAddress; // API function address
};When HijackLoader calls a Windows API function, the malware first locates the corresponding structure (DIRECTSYSCALL_STRUCT) for the specified API. HijackLoader then invokes the Windows API function either by directly calling its address (if not running under WOW64) or by utilizing a combination of call stack spoofing, Heaven's Gate, and direct syscalls (if running under WOW64).Call stack spoofingCall stack spoofing is used to mask the origin of function calls such as API and system calls. The figure below shows a high-level view of how HijackLoader leverages call stack spoofing:Figure 1: Diagram showing how HijackLoader uses call stack spoofing to mask the origin of function calls. HijackLoader uses the base pointer register (EBP) to navigate the stack by following the chain of EBP pointers. The malware retrieves the return address pointer (EBP+4) from the stack frames. If the return address is not located in the text section of NTDLL or kernelbase, HijackLoader collects both the return address pointer and the return address of the stack frame. The return address pointer is then patched with a random address from the text section of a legitimate system DLL. This activity is repeated until the stack limit is reached or when three adjacent stack frames have the return address in the text section of NTDLL or kernelbase. The process is illustrated in the diagram below:Figure 2: Diagram depicting how HijackLoader traverses the stack to retrieve and patch the return addresses to spoof stack frames.The name of this legitimate system DLL is specified in the HijackLoader SM module. After this, HijackLoader employs the Heaven’s Gate technique, which allows it to switch from executing 32-bit (x86) code to executing 64-bit (x64) code. Once in 64-bit mode, HijackLoader performs the direct syscall. HijackLoader uses the syscall number (ssn) and the necessary parameters for the native system service API to execute the direct syscall. Following the syscall, HijackLoader transitions back to x86 and patches the return address pointers with the actual return addresses.Previously, HijackLoader utilized direct syscalls for process injection and to remap the .text section of the x64 ntdll.dll in memory with the .text section of the x64 ntdll.dll from disk. In addition to remapping ntdll.dll, HijackLoader now also remaps the .text section of the x64 wow64cpu.dll from disk to memory to remove user-mode hooks.Other than the ti module, the modules modCreateProcess, modUAC, and modTask also use call stack spoofing. However, these modules do not use Heaven's Gate or make direct syscalls, but instead invoke Windows API functions directly.The figure below shows the call stack for a call to CreateProcessW after the return addresses have been patched by the modCreateProcess module. In the call stack, the return addresses outside of the text section of NTDLL and kernelbase are patched with addresses from the text section of a legitimate system DLL (shdocvw.dll) until three adjacent stack frames have the return address in the text section of NTDLL or kernelbase.Figure 3: Example of HijackLoader spoofing the call stack with the fake frames enclosed in a red square.Recent HijackLoader modulesThe table below lists information about the more recent HijackLoader modules.CRC32Module NameDescription0x4dad7707ANTIVMContains the configurations HijackLoader uses for anti-VM checks (explained in detail in the following section).0x1999709fMUTEXContains a mutex name. If a mutex with this name exists, HijackLoader will exit.0x6703f815CUSTOMINJECTContains a legitimate executable file which is used for injecting code into its process memory. The process is created in a custom path specified by the CUSTOMINJECTPATH module.0x192a4446CUSTOMINJECTPATHContains a file path used to create the legitimate file in the CUSTOMINJECT module. 0x3115355emodTaskCreates a scheduled task for persistence (explained in detail in the next section).0x9bfaf2d3modTask64A 64-bit version of the modTask module.0xa2e0ab5dPERSDATAContains the configuration used by the modTask module to create scheduled tasks.0xd8222145SMContains the name of the system DLL used in call stack spoofing to patch the return addresses. TinycallProxy module is also copied to this system DLL.0x455cbbc3TinycallProxyActs as a proxy to execute API calls. The call to the TinycallProxy module will have the address of the API function, number of parameters for the API call, and parameters for the API call as its arguments.0x5515dceaTinycallProxy64This module is a 64-bit version of the TinycallProxy module.Table 2: Description of more recent HijackLoader modules.Virtual machine detection moduleThe virtual machine detection module ANTIVM contains a configuration used by HijackLoader to identify virtual machines and analysis environments. This configuration is stored in a structure which we will refer to as the ANTIVM_STRUCT, as shown below.struct ANTIVM_STRUCT {
uint32_t antiVMType;
uint32_t timeThreshold;
uint32_t minPhysicalMemory;
uint32_t minProcessorCount;
uint32_t antiVMType2;
wchar_t username[20]; // Hardcoded to "george" (may change between samples)
byte PhysicalMemory;
byte ProcessorCount;
};The first member, antiVMType determines the type of anti-VM check to be performed. These checks employ common anti-VM techniques. The antiVMType can include multiple values combined using bitwise OR operations. The values supported are listed in the table below.ValueCheck Performed0x1Calculates the average time taken to execute the CPUID instruction using the RDTSC instruction and compares it against the timeThreshold member of the ANTIVM_STRUCT. If the measured time equals or exceeds the timeThreshold, HijackLoader exits.0x4Calls the CPUID instruction with EAX set to 1 and checks if the 31st bit of the ECX register (the hypervisor present bit) is set. If the bit is set, HijackLoader terminates.0x8Retrieves the maximum input value for hypervisor CPUID information by calling the CPUID instruction with EAX set to 0x40000000. If this value is greater than or equal to 0x40000000, HijackLoader exits. For instance, on Microsoft hypervisors, this value will be at least 0x40000005.0x10Retrieves the total physical memory of the system in gigabytes and compares it to the minPhysicalMemory member of the ANTIVM_STRUCT. If the total physical memory is less than or equal to minPhysicalMemory, HijackLoader exits.0x20Retrieves the number of processors on the system and compares it to the minProcessorCount member of the ANTIVM_STRUCT. If the processor count is less than or equal to minProcessorCount, HijackLoader exits.0x40Encompasses multiple checks, determined by the antiVMType2 member of the ANTIVM_STRUCT. The supported checks are:0x1 - Verifies if the computer name consists only of numbers. 0x2 - Verifies if the username matches the username member of the ANTIVM_STRUCT. 0x4 - Verifies if HijackLoader is executed from the Desktop folder or any of its subfolders. ANALYST NOTE: These three checks appear to be in development, as HijackLoader does not exit even if the conditions are met. Additionally, irrespective of the antiVMType2 value, HijackLoader compares the system's total physical memory in gigabytes with the PhysicalMemory member of the ANTIVM_STRUCT and the number of processors with the ProcessorCount member of the ANTIVM_STRUCT. If both of these checks are equal (which may be a specific configuration for a malware sandbox), HijackLoader exits.Table 3: Description of values supported by the HijackLoader virtual machine detection module.Persistence moduleBefore transferring control to the modTask persistence module, the ti module copies itself to a new address and the ti module copy is XOR’ed with the performance counter value obtained by calling the QueryPerformanceCounter API. The new address of the XOR’ed ti module and the XOR key are stored for restoration purposes.When control is transferred to the modTask module, HijackLoader begins by overwriting the entire plaintext ti module with zeros. HijackLoader then performs call stack spoofing as previously described. Next, the modTask module copies the TinycallProxy module into the text section of the system DLL specified in the SM module and uses this copied TinycallProxy module to call APIs. Then, HijackLoader creates a scheduled task for persistence using the configuration in the PERSDATA configuration module. The configuration is stored in a structure which we will refer to as the PERSDATA_STRUCT, with the definition shown below.struct PERSDATA_STRUCT {
uint32_t triggerTaskOnLogon; // If set, the task will be triggered when the
// user logs in, otherwise the task will execute
// at regular intervals.
uint32_t TaskFlag; // Flag used in ITask::SetFlags method
uin32_t MinutesInterval; // Task execution interval in minutes
uin32_t wRandMinutesInterval;// Unused by the TASK_TRIGGER structure
wchar_t taskName[50]; // Name of the task
};More information about HijackLoader’s modules are available in our previous blog.ConclusionHijackLoader is a highly modular malware loader that shows no signs of slowing down. HijackLoader's new modules demonstrate the malware’s evolving evasion tactics that increasingly focus on enhancing its anti-detection capabilities. Thus, we anticipate that HijackLoader will continue to introduce new modules that are further designed to complicate analysis and detection.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to HijackLoader at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for HijackLoader.Figure 4: Zscaler Cloud Sandbox report for HijackLoader.In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to HijackLoader at various levels with the following threat names:Win64.Downloader.HijackLoaderWin32.Downloader.HijackLoaderIndicators Of Compromise (IOCs) SHA256 HashDescription67173036149718a3a06847d20d0f30616e5b9d6796e050dc520259a15588ddc8HijackLoader sample7b399ccced1048d15198aeb67d6bcc49ebd88c7ac484811a7000b9e79a5aac90HijackLoader sample6cfbffa4e0327969aeb955921333f5a635a9b2103e05989b80bb690f376e4404HijackLoader sampleb2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26HijackLoader sampled75d545269b0393bed9fd28340ff42cc51d5a1bd7d5d43694dac28f6ca61df03HijackLoader sample9218c8607323d7667f69ef26faea57cb861f9b3888a457ed9093c1b65eefa42bHijackLoader sampleb8f1341ade1fe50c4936b8f7bec7a8e47ad753465f716a1ec2f8220a18bf34a5HijackLoader sample35dca05612aede9c1db55a868b1cd314b5d05bac00bed577fd0d437103c2a4a4HijackLoader sample08f1ca6071cb206f53c2e81568b73d4bee7ac6a019d93d3ceaac7637b6dc891aHijackLoader sampleb480fec95b84980e88e0e5958873b7194029ffbaa78369cfe5c0e4d64849fb32HijackLoader sample273bc7700e9153f7063b689f57ece3090c79e6b1038a9bc7865f61452c7377b0HijackLoader encrypted modules.28eb6ce005d34e22f6805a132e7080b96f236d627078bcc1bedee1a3a209bd1fHijackLoader encrypted modules.2be2c90c725c2a03d2bd68e39d52c0e16e7678d1d42fa7fdf75797806e0eb036HijackLoader encrypted modules.2e5cf739a84c726dfe3cfa3ddf47893357713240e77adf929ef30d87b1ccb52eHijackLoader encrypted modules.307c1756c21ee8f4f866ff8327823b55d597fecca379f98bcd45581e2e33adeeHijackLoader encrypted modules.3142e4b40d27f63bcf7c787e96811e9a801224ce368624d75e88fa6408af896eHijackLoader encrypted modules.3500426eb9bb67fa91d4848cabeab2fe8e8a614768ed1e389e1f42a2428f64a8HijackLoader encrypted modules.3aa32545a2f53138d5f816d002b00d45c581cd56b1cfa66a2f72a03d604f1346HijackLoader encrypted modules.3ca78fbfbb46722af5f8acac511e77ec0382439f84c78c5710496fe1c377893dHijackLoader encrypted modules.MITRE ATT&CK TechniquesIDTechnique NameDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingHijackLoader samples mostly use DLL sideloading for execution.T1027.007Dynamic API ResolutionHijackLoader uses the SDBM hashing algorithm and CRC32 hashing algorithm for API resolution.T1027.003SteganographyHijackLoader uses steganography to hide its modules in a PNG image.T1140Deobfuscate/Decode Files or InformationHijackLoader uses XOR to decode its modules and final payload.T1057Process DiscoveryHijackLoader checks for process names and compares them against antivirus security software.T1620Reflective Code LoadingThe ti module is reflectively loaded by stomping it to a legitimate DLL using LoadLibrary and VirtualProtect.T1547.001Registry Run Keys / Startup FolderHijackLoader creates a shortcut file (LNK) in the Windows Startup folder as one of its methods for persistence.T1197BITS JobsHijackLoader uses BITS Jobs to achieve persistence.T1053Scheduled Task/JobHijackLoader’s modTask module uses Windows Task Scheduler for persistence.T1548.001Abuse Elevation Control MechanismHijackLoader’s modUAC modules use CMSTPLUA COM interface for UAC bypass.T1055Process InjectionHijackLoader uses process injection techniques to inject its final payload.T1497Virtualization/Sandbox EvasionHijackLoader’s ANTIVM modules contain multiple virtualization evasion techniques.T1562.001Impair Defenses: Disable or Modify ToolsHijackLoader’s WDDATA module contains the PowerShell (PS) command for Windows Defender exclusion.
The post Analyzing New HijackLoader Evasion Tactics appeared first on Security Boulevard.
