Ethical Hacking News

Newly Discovered Malware Loaders Employ Advanced Evasion Techniques to Evade Detection and Establish Persistence on Compromised Systems




Recently discovered malware loaders are employing advanced evasion techniques to evade detection and establish persistence on compromised systems. The SHELBYLOADER and Hijack Loader malware loaders utilize GitHub for command-and-control operations and call stack spoofing, respectively, to bypass traditional security software and inject malicious code into the system. Understanding these TTPs is crucial for organizations to stay ahead of emerging threats.



  • Malicious actors have evolved evasion techniques to bypass traditional security software.
  • SHELBYLOADER uses GitHub for C2 operations, making it harder to detect.
  • SHELBYLOADER has anti-virtualization checks and DLL side-loading features.
  • Hijack Loader employs call stack spoofing as an evasion tactic.
  • Hijack Loader has an ANTIVM module to prevent malware analysis.
  • Hijack Loader uses the Heaven's Gate technique for process injection.



Malicious actors continue to evolve their tactics, techniques, and procedures (TTPs) to evade detection and maintain persistence on compromised systems. Recently, researchers discovered two malware loaders that use advanced evasion techniques to bypass traditional security software and load malicious code onto the system.

The first loader, dubbed SHELBYLOADER, uses GitHub for command-and-control (C2). It communicates with its operators through GitHub, authenticating with a Personal Access Token (PAT), which lets the attackers remotely access and control infected systems. Because the traffic goes to a legitimate, widely used service, traditional security software that cannot identify the PAT as malicious may not flag it.

In addition to its C2 capabilities, SHELBYLOADER incorporates anti-virtualization (AVM) checks to detect virtual machine environments. These checks are designed to frustrate malware analysis and sandboxing, making it harder for security researchers to observe the loader's behavior and understand its TTPs.

Another SHELBYLOADER feature is DLL side-loading to execute malicious code. The technique lets attackers bypass traditional security software that relies on signature-based detection: by getting a legitimate .NET binary to load the malicious code, attackers evade detection and maintain persistence on compromised systems.
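As an added example that is not part of the original article or the researchers' tooling, the following Python script runs a simple detection pass over constructed web-proxy log lines (the log format, process names, hosts, repository paths and the client allowlist are all assumptions made for the illustration). It flags the behavior the article attributes to SHELBYLOADER from a defender's side: a process that is not a known GitHub client authenticating to api.github.com with a token, repeatedly fetching the same repository file (beacon-style polling for tasks), and writing content back to the repository.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for the example (not real traffic). One request per line.
SAMPLE_LOG = """\
2025-04-02T02:06:00Z host=WS01 proc=chrome.exe method=GET dst=www.github.com path=/login auth=none
2025-04-02T02:06:05Z host=WS01 proc=git.exe method=GET dst=api.github.com path=/repos/acme/app/contents/README.md auth=token
2025-04-02T02:06:10Z host=WS01 proc=svchost-update.exe method=GET dst=api.github.com path=/repos/example-org/example-repo/contents/cmds auth=token
2025-04-02T02:06:40Z host=WS01 proc=svchost-update.exe method=GET dst=api.github.com path=/repos/example-org/example-repo/contents/cmds auth=token
2025-04-02T02:07:10Z host=WS01 proc=svchost-update.exe method=GET dst=api.github.com path=/repos/example-org/example-repo/contents/cmds auth=token
2025-04-02T02:07:40Z host=WS01 proc=svchost-update.exe method=PUT dst=api.github.com path=/repos/example-org/example-repo/contents/out-WS01.txt auth=token
2025-04-02T02:08:00Z host=WS01 proc=Code.exe method=GET dst=api.github.com path=/user auth=token
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) auth=(?P<auth>\S+)$"
)

# Assumed allowlist: processes this organisation expects to authenticate to the GitHub API.
EXPECTED_GITHUB_CLIENTS = {"git.exe", "gh.exe", "Code.exe", "chrome.exe", "firefox.exe"}

# A process fetching the same repository file this many times is treated as polling for tasks.
POLL_THRESHOLD = 3


def parse_log(text):
    """Turn the constructed log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_github_c2_candidates(records):
    """Apply three heuristics to api.github.com traffic from processes outside the allowlist."""
    findings = []
    seen_auth = set()                # (host, proc) pairs already reported for token use
    fetch_counts = defaultdict(int)  # (host, proc, path) -> number of GETs so far

    for r in records:
        if r["dst"] != "api.github.com" or r["proc"] in EXPECTED_GITHUB_CLIENTS:
            continue
        key = (r["host"], r["proc"])

        # 1. An unexpected process presenting a token to the GitHub API (reported once per process).
        if r["auth"] == "token" and key not in seen_auth:
            seen_auth.add(key)
            findings.append({"rule": "unexpected_token_auth", "host": r["host"],
                             "proc": r["proc"], "detail": r["path"]})

        # 2. The same file fetched over and over: task polling rather than a one-off download.
        if r["method"] == "GET":
            fetch_counts[key + (r["path"],)] += 1
            if fetch_counts[key + (r["path"],)] == POLL_THRESHOLD:
                findings.append({"rule": "polling", "host": r["host"],
                                 "proc": r["proc"], "detail": r["path"]})

        # 3. Writing to a repository's contents: results being sent back to the operators.
        if r["method"] in ("PUT", "POST") and "/contents/" in r["path"]:
            findings.append({"rule": "upload", "host": r["host"],
                             "proc": r["proc"], "detail": r["path"]})

    return findings


if __name__ == "__main__":
    for f in find_github_c2_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:<22} {f['host']} {f['proc']} {f['detail']}")
```

On the constructed sample the script reports the unexpected process three times, once per rule, while the git, editor and browser traffic to GitHub passes untouched. In practice the allowlist is the part that needs tuning for each environment; the polling threshold is a starting point rather than a calibrated value.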

In contrast, the second loader, dubbed Hijack Loader, employs call stack spoofing as an evasion tactic. Call stack spoofing manipulates the thread's call stack to conceal the true origin of API and system calls, making it harder for security tools and researchers to analyze the loader's behavior.

Hijack Loader also incorporates a new module called ANTIVM, which detects virtual machines in order to frustrate malware analysis. By keeping security software from detecting and removing the loader, the module helps the attackers maintain persistence on compromised systems.

Furthermore, Hijack Loader uses the Heaven's Gate technique for process injection, which lets it execute 64-bit direct syscalls and establish persistence on compromised systems. The loader's list of blocklisted processes has also been revised and now includes "avastsvc.exe," a component of Avast Antivirus.
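The call-stack checks below are an added, simplified model written for this article, not code from the Hijack Loader research or from any vendor product. They assume an invented module map and invented return addresses, and they capture the tells that the two paragraphs above (call stack spoofing and direct syscalls) give a defender to look for when a stack is captured at a syscall event: an innermost return address that is not inside ntdll.dll, frames that land in memory not backed by a loaded image, and a stack that does not chain back to a thread-start frame. The model is a single 64-bit address space; it does not represent the WOW64 mode switch that Heaven's Gate relies on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    image_backed: bool = True  # False models a private executable region with no file behind it

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


# Constructed module map; bases and sizes are invented for the example.
MODULES = [
    Module("loader.exe", 0x0000000000400000, 0x00100000),
    Module("kernel32.dll", 0x00007FF800000000, 0x00100000),
    Module("ntdll.dll", 0x00007FF810000000, 0x00200000),
    Module("<private RWX>", 0x000001A000000000, 0x00010000, image_backed=False),
]

# Modules whose frames legitimately sit at the bottom of a thread's stack (thread-start thunks).
THREAD_START_MODULES = {"kernel32.dll", "ntdll.dll"}


def resolve(addr):
    """Map a return address to the module that contains it, or None if nothing is mapped there."""
    for m in MODULES:
        if m.contains(addr):
            return m
    return None


def audit_syscall_stack(frames):
    """Check a call stack captured at a syscall event.

    frames: return addresses, innermost (the instruction after the syscall) first.
    Returns a list of finding tags; an empty list means nothing looked off.
    """
    if not frames:
        return ["empty_stack"]
    findings = []

    # A syscall should return into ntdll; anywhere else means the ntdll stub was bypassed.
    inner = resolve(frames[0])
    if inner is None or inner.name != "ntdll.dll":
        findings.append("syscall_outside_ntdll")

    # Every frame should land in an image-backed module; unmapped or private memory is suspect.
    for i, addr in enumerate(frames):
        m = resolve(addr)
        if m is None:
            findings.append(f"frame{i}_unmapped")
        elif not m.image_backed:
            findings.append(f"frame{i}_unbacked")

    # A genuine stack bottoms out in a thread-start frame; a fabricated one often ends abruptly.
    outer = resolve(frames[-1])
    if outer is None or outer.name not in THREAD_START_MODULES:
        findings.append("no_thread_start_frame")

    return findings


LOADER, K32, NTDLL, PRIVATE = (m.base for m in MODULES)

# Constructed stacks for three situations (offsets are invented).
BENIGN_STACK = [NTDLL + 0x1234, K32 + 0x5000, LOADER + 0x2000, K32 + 0x8000, NTDLL + 0x9000]
DIRECT_SYSCALL_STACK = [PRIVATE + 0x100, LOADER + 0x2000, K32 + 0x8000, NTDLL + 0x9000]
SPOOFED_STACK = [NTDLL + 0x1234, K32 + 0x5000, LOADER + 0x2000, PRIVATE + 0x50]

if __name__ == "__main__":
    for name, stack in [("benign", BENIGN_STACK),
                        ("direct syscall", DIRECT_SYSCALL_STACK),
                        ("spoofed", SPOOFED_STACK)]:
        print(f"{name:<15} {audit_syscall_stack(stack) or 'clean'}")
```

The benign stack produces no findings; the direct-syscall stack is caught both because the syscall did not return into ntdll and because its innermost frame lives in unbacked memory; the spoofed stack looks clean at the top but fails because its outermost frame is in private memory rather than a thread-start thunk. Real endpoint tooling applies the same three questions to stacks it captures from kernel callbacks or ETW events, with a far richer module map.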

The discovery of these loaders highlights the ongoing cat-and-mouse game between malicious actors and security researchers. As attackers continue to evolve their TTPs, researchers must adapt and develop new techniques to detect and prevent these threats.

In light of this development, organizations should implement robust security measures, including advanced threat detection and response capabilities. By staying vigilant and proactive, they can reduce the risk of compromise and maintain the integrity of their systems.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Newly-Discovered-Malware-Loaders-Employ-Advanced-Evasion-Techniques-to-Evade-Detection-and-Establish-Persistence-on-Compromised-Systems-ehn.shtml
  • https://thehackernews.com/2025/04/new-malware-loaders-use-call-stack.html
  • https://cybersecuritynews.com/hijackloader-with-new-modules/
  • https://support.avast.com/en-us/article/Antivirus-PC-virus-scan
  • https://www.avast.com/c-malware-removal-tool


Published: Wed Apr 2 02:06:00 2025 by llama3.2 3B Q4_K_M












